Question
Friday, September 20, 2019 2:38 PM
I tried the PowerShell cmdlet New-ApplicationAccessPolicy, but I can't figure out what PolicyScopeGroupId is:
Cannot process argument transformation on parameter 'PolicyScopeGroupId'.
All replies (6)
Friday, September 20, 2019 5:39 PM ✅Answered | 2 votes
It's the Group upon which the policy will act. Depending on the policy action (AccessRight), you will either restrict the app to only run against objects that are members of the Group (RestrictAccess), or restrict the app from running against members of said group (DenyAccess). Read here for more details and examples: https://practical365.com/exchange-online/application-access-policies-in-exchange-online/
Friday, September 20, 2019 8:21 PM ✅Answered | 1 vote
And to add on: Make sure it's a mail-enabled security group you are scoping it to.
Monday, September 23, 2019 2:28 AM
Hi,
The PolicyScopeGroupID parameter specifies the recipient to define in the policy. You can use any value that uniquely identifies the recipient. It can also specify a mail-enabled security group to restrict/deny access to a large number of user mailboxes. For more info about the parameter, please see the link: New-ApplicationAccessPolicy
Regards,
Kelvin Deng
Monday, September 23, 2019 12:31 PM
I'm trying to limit access to resource [email protected], which has Azure AD objectId = ecafe471-e4ae-4850-ba03-29f18b4a383b. I also tried to use just the e-mail address, with the same result.
New-ApplicationAccessPolicy -AccessRight DenyAccess -AppId xxx -PolicyScopeGroupId ecafe471-e4ae-4850-ba03-29f18b4a383b
The identity of the policy scope is not a security principal.
+ CategoryInfo : NotSpecified: (:) [New-ApplicationAccessPolicy], InvalidApplicationAccessPolicyException
Can you please advise me what I am doing wrong?
Monday, September 23, 2019 12:41 PM | 1 vote
Use a mail-enabled security-group as Andy mentioned above.
Monday, September 23, 2019 2:08 PM
Thank you. I finally managed to create New-ApplicationAccessPolicy and the needed access is now denied.
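The resolution reached in this thread, written out as an added example (not code posted by any participant): scope the policy to a mail-enabled security group that contains the mailbox, rather than to the mailbox's own object ID. It assumes an already connected Exchange Online PowerShell session; the app ID, mailbox address, group name and alias are constructed placeholders.

```powershell
# Constructed placeholder values; replace with your own.
$AppId      = '00000000-0000-0000-0000-000000000000'   # application (client) ID
$Mailbox    = 'resource@contoso.example'               # mailbox the app must not reach
$GroupName  = 'AppPolicy-Denied-Mailboxes'
$GroupAlias = 'apppolicy-denied'

# 1. Create the scope group. -Type Security makes it a mail-enabled
#    security group, which is a security principal; a plain mailbox or
#    distribution list is what triggers
#    "The identity of the policy scope is not a security principal."
$group = New-DistributionGroup -Name $GroupName -Alias $GroupAlias -Type Security

# 2. Refuse to continue if the group is not the expected recipient type.
if ("$($group.RecipientTypeDetails)" -ne 'MailUniversalSecurityGroup') {
    throw "Scope group '$GroupName' is $($group.RecipientTypeDetails), not a mail-enabled security group."
}

# 3. Put the mailbox to be protected into the scope group.
Add-DistributionGroupMember -Identity $group.PrimarySmtpAddress -Member $Mailbox

# 4. Deny the app access to every member of the scope group.
New-ApplicationAccessPolicy -AppId $AppId `
    -PolicyScopeGroupId $group.PrimarySmtpAddress `
    -AccessRight DenyAccess `
    -Description 'Deny app access to members of the scope group'

# 5. Verify the effective result for the mailbox.
#    AccessCheckResult should read Denied for members of the group.
Test-ApplicationAccessPolicy -Identity $Mailbox -AppId $AppId
```

With `-AccessRight RestrictAccess` the same group would instead become the only set of mailboxes the app can reach, as described in the first answer.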