Version: 2.1.1-preview

MT.1058 - Ensure Microsoft 365 Group (and Team) expiration is configured to auto-expire groups.

Overview

Application access policies in Exchange Online help you control which applications can access which mailboxes.

Without these policies, applications with Exchange permissions can access all mailboxes in your organization.

Exchange-related application permissions that should be secured by application access policies include:

  • Mail.Read
  • Mail.ReadBasic
  • Mail.ReadBasic.All
  • Mail.ReadWrite
  • Mail.Send
  • MailboxSettings.Read
  • MailboxSettings.ReadWrite
  • Calendars.Read
  • Calendars.ReadWrite
  • Contacts.Read
  • Contacts.ReadWrite

Exchange application access policies should be configured for all applications with Exchange permissions.

Remediation action

Follow the steps below to create an application access policy in Exchange Online that restricts the application's access to mailboxes in a specific distribution group.

Connect to Exchange Online

Connect-ExchangeOnline

Define variables for your application

# Get these values from your Application Registration
$AppID = "<your-app-id>" # e.g. "0a3ad682-b031-416d-86c2-bf263f8b46a3"
$GroupName = "AAP_$AppID" # example naming convention for clarity
$Description = "Restrict this app to members of distribution group"

Create a mail-enabled security group for policy scope

# Create group and hide from address list
$DGroup = New-DistributionGroup -Name $GroupName -Type Security
Start-Sleep -Seconds 5 # Wait for group creation to propagate
Set-DistributionGroup -Identity $DGroup.WindowsEmailAddress -HiddenFromAddressListsEnabled $true

Create the application access policy

New-ApplicationAccessPolicy -AppId $AppID `
-PolicyScopeGroupId $DGroup.WindowsEmailAddress `
-AccessRight RestrictAccess `
-Description $Description

Add members to the security group

# Only mailboxes of members of this group remain accessible to the application
Add-DistributionGroupMember -Identity $GroupName -Member user@contoso.com

Verify the policy

# List all policies
Get-ApplicationAccessPolicy

# Test for a specific user; AccessCheckResult shows whether the app may reach that mailbox
Test-ApplicationAccessPolicy -Identity user@contoso.com -AppId $AppID
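The steps above scope one known application. As an added example (not code from the Maester project or this page), the script below inventories every service principal that holds one of the Exchange-related application permissions listed earlier and reports which of them have no application access policy at all. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, and that you are already connected with Connect-MgGraph (Application.Read.All) and Connect-ExchangeOnline; the function name Get-ExchangeAppsWithoutAccessPolicy is the author's own.

```powershell
# Added example, not part of the original page. Assumes Connect-MgGraph -Scopes "Application.Read.All"
# and Connect-ExchangeOnline have already been run in this session.

# Well-known appId of the Microsoft Graph service principal in every tenant.
$GraphAppId = "00000003-0000-0000-c000-000000000000"

# The Exchange-related application permissions this policy type can scope.
$ExchangePermissions = @(
    "Mail.Read", "Mail.ReadBasic", "Mail.ReadBasic.All", "Mail.ReadWrite", "Mail.Send",
    "MailboxSettings.Read", "MailboxSettings.ReadWrite",
    "Calendars.Read", "Calendars.ReadWrite", "Contacts.Read", "Contacts.ReadWrite"
)

function Get-ExchangeAppsWithoutAccessPolicy {
    # Map app role IDs (application permissions) on the Graph service principal to their names.
    $graphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
    $roleMap = @{}
    foreach ($role in $graphSp.AppRoles) {
        if ($ExchangePermissions -contains $role.Value) { $roleMap[$role.Id] = $role.Value }
    }

    # Every app role granted on Graph (application permissions only; delegated scopes are
    # not covered by application access policies), filtered to the Exchange-related ones.
    $assignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All |
        Where-Object { $roleMap.ContainsKey($_.AppRoleId) }

    # AppIds that already have at least one application access policy.
    $policyAppIds = @{}
    foreach ($p in Get-ApplicationAccessPolicy) { $policyAppIds[$p.AppId] = $true }

    $results = @()
    # PrincipalId is the object ID of the client service principal holding the permission.
    foreach ($group in $assignments | Group-Object PrincipalId) {
        $clientSp = Get-MgServicePrincipal -ServicePrincipalId $group.Name
        $perms = ($group.Group | ForEach-Object { $roleMap[$_.AppRoleId] } | Sort-Object -Unique) -join ", "
        $results += [pscustomobject]@{
            DisplayName = $clientSp.DisplayName
            AppId       = $clientSp.AppId
            Permissions = $perms
            HasPolicy   = $policyAppIds.ContainsKey($clientSp.AppId)
        }
    }
    return $results
}

# Report the apps that can read or send mail tenant-wide because no policy restricts them.
Get-ExchangeAppsWithoutAccessPolicy | Where-Object { -not $_.HasPolicy } | Format-Table -AutoSize
```

Each application in the output is a candidate for the remediation steps above; an app that appears with HasPolicy set to true may still need its policy scope reviewed, since the script only checks that a policy exists.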

Test Metadata

Field            Value
Test ID          MT.1058
Severity         Medium
Suite            Maester
Category         App
PowerShell test  Test-MtSpExchangeAppAccessPolicy
Tags             App, Entra, Graph, LongRunning, Maester, MT.1058

Source

  • Pester test: tests/Maester/Entra/Test-AppRegistrations.Tests.ps1
  • PowerShell source: powershell/public/maester/entra/Test-MtSpExchangeAppAccessPolicy.ps1