Introduction
Evoko Naso has always used Azure Enterprise Applications to connect to Microsoft 365 Cloud Services. While this is the Microsoft recommended mechanism, it has lacked the granular permissions that were possible with on-prem accounts.
In February 2022, Microsoft announced the introduction of Application Access Policies for Enterprise Applications, bringing more granular control of mailboxes and resources to Microsoft 365.
If you are looking to limit the scope of the Naso permissions for increased security or policy compliance, you can create an application access policy for the Evoko Naso system. See the guide below and let us know if you have any questions.
Note: This is an optional setup. The Evoko Naso system will continue to work as expected with just the instructions in the Getting Started section.
Full details of Application Access Policies can be found here.
Instructions
Step 1: Create a security group to limit resources and mailboxes that Evoko Naso can access
Log in to the Microsoft 365 admin portal, go to Exchange admin -> Groups and click "Add a group". Select Mail-enabled security group, then click Next and enter a name. Go to the next step and enter an email address. Click Next, then Create group. Make a note of the email address assigned to the group, as you will need it later.
Step 2: Add resources and users to the security group
After creating the group, open the group settings and click Members, then add all rooms and users that you want Evoko Naso to be able to access.
Important: ALL mailboxes that you want to be able to use with Evoko Naso need to be included in the security group. This includes user mailboxes, including the evoko.naso@domain.com user.
Step 3: Connect to Microsoft 365 using PowerShell
Launch PowerShell and connect using modern authentication:
Connect-ExchangeOnline -UserPrincipalName {Microsoft 365 admin email address}
If this step does not work, please read this guide on configuring your PowerShell environment for modern authentication. If none of the commands in that article work, you probably need to install the Exchange Online PowerShell module first. Please see this guide for instructions.
Step 4: Apply the Application Access Policy
Apply the Application Access Policy to the Evoko Naso EvokoOnline Application using the script below.
New-ApplicationAccessPolicy -AppId 4f5a65ed-3663-4b58-a129-6a34356ce99a -PolicyScopeGroupId {mailenabledsecurityemail} -AccessRight RestrictAccess -Description "Restrict Evoko Naso to members of distribution group {mailenabledsecurityemail}."
- Replace {mailenabledsecurityemail} with the email address from Step 1
- Description = A description of the policy.
Step 5: Test the policy
Test the newly created Application Access Policy:
Test-ApplicationAccessPolicy -Identity {EmailAddressInGroup} -AppId 4f5a65ed-3663-4b58-a129-6a34356ce99a
Replace {EmailAddressInGroup} with an email address that was included in the security group. An AccessCheckResult of Granted will be displayed.
Test-ApplicationAccessPolicy -Identity {EmailAddressNotInGroup} -AppId 4f5a65ed-3663-4b58-a129-6a34356ce99a
Replace {EmailAddressNotInGroup} with an email address that was excluded from the security group. An AccessCheckResult of Denied will be displayed.
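The two manual checks above only cover one mailbox each. The following script is an added example (not part of the Evoko guide) that confirms the policy exists for the Naso AppId, runs Test-ApplicationAccessPolicy against every member of the scope group, and checks that one mailbox outside the group is denied. It assumes you are already connected with Connect-ExchangeOnline; $GroupEmail and $NonMemberAddress are placeholders to replace with your own values.

```powershell
# Added verification script, not from the Evoko article. Assumes an existing
# Connect-ExchangeOnline session. $GroupEmail and $NonMemberAddress are placeholders.
$AppId            = '4f5a65ed-3663-4b58-a129-6a34356ce99a'   # Evoko Naso EvokoOnline AppId from Step 4
$GroupEmail       = 'naso-scope@domain.com'                   # placeholder: mail-enabled security group from Step 1
$NonMemberAddress = 'someone.else@domain.com'                 # placeholder: a mailbox deliberately left out of the group

# 1. Confirm a policy exists for this AppId and that it is RestrictAccess.
$policy = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
if (-not $policy) {
    Write-Warning "No application access policy found for AppId $AppId. Run Step 4 first."
    return
}
$policy | Format-Table AppId, ScopeName, AccessRight, Description -AutoSize
if ($policy.AccessRight -ne 'RestrictAccess') {
    Write-Warning "Policy AccessRight is $($policy.AccessRight), not RestrictAccess."
}

# 2. Every member of the scope group should come back Granted.
$members = Get-DistributionGroupMember -Identity $GroupEmail -ResultSize Unlimited
$results = foreach ($m in $members) {
    if (-not $m.PrimarySmtpAddress) { continue }   # skip members without a mailbox address
    Test-ApplicationAccessPolicy -Identity $m.PrimarySmtpAddress.ToString() -AppId $AppId
}
$results | Format-Table Mailbox, AccessCheckResult -AutoSize
$notGranted = $results | Where-Object { $_.AccessCheckResult -ne 'Granted' }
if ($notGranted) {
    Write-Warning "Group members that are NOT granted (check membership and the Step 2 note):"
    $notGranted | Format-Table Mailbox, AccessCheckResult -AutoSize
}

# 3. A mailbox outside the group must be Denied; anything else means the policy is not restricting.
$outside = Test-ApplicationAccessPolicy -Identity $NonMemberAddress -AppId $AppId
if ($outside.AccessCheckResult -eq 'Denied') {
    Write-Host "OK: $NonMemberAddress is denied as expected."
} else {
    Write-Warning "$NonMemberAddress returned $($outside.AccessCheckResult); the policy is not limiting access."
}
```

Remember that a Granted or Denied result here reflects the policy store, not Microsoft Graph, which may lag behind as noted in Step 6.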
Step 6: Finished!
Success! That's it!
The Evoko Naso EvokoOnline Application will now only be able to access the resources/mailboxes that are specified in the Mail Enabled Security group.
Note: Changes to application access policies may take more than 1 hour to take effect in Microsoft Graph REST API calls, even when Test-ApplicationAccessPolicy already shows the expected results.