# Limit Cronofy's access Cronofy's access can be limited to only specific users' calendars by configuring an *ApplicationAccessPolicy* within your Office 365 Exchange tenant. ### Configuring an ApplicationAccessPolicy To configure an application access policy and limit the scope of Cronofy's application permissions: - Connect to Exchange Online PowerShell. For details, see [Connect to Exchange Online PowerShell](https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/connect-to-exchange-online-powershell?view=exchange-ps&preserve-view=true) - Cronofy application's ID for Microsoft 365 Enterprise Connect via Graph is: `10bb7e5b-b80b-4e6e-a209-f78581dbc79e`. If you wish to verify this, you may do so as follows:

- If you have already authorized your connection, you may confirm this by visiting the [Azure Active Directory Enterprise application portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AllApps/menuId/) as seen below. ![](/calendar-admins/enterprise-connect-office365-graph/restrict-data-access/enterprise-application-portal.4dbad3eb7481777efca98d808dbf9d392b524adeac42ccc3ca1e343198bb70ce.png) - If you have not yet authorized the connection, you can see the application ID visible in the address bar when initiating (but without completing) the connection: ![](/calendar-admins/enterprise-connect-office365-graph/restrict-data-access/auth-flow-client-id.2667acdb1fe0f748e06f71ab524fa79847530483b3fb9ce47f0eeac1482fcc19.png) - Create a new mail-enabled security group or use an existing one and identify the email address for the group. Note: Currently, mail-enabled security groups must be created from [Exchange Admin center](https://admin.exchange.microsoft.com/) or [Classic Exchange Admin Center](https://outlook.office365.com/ecp) to take action. Security groups created from Azure itself won't get reflected on Exchange Online and therefore, you wouldn't be able to use those groups as part of the ApplicationAccessPolicy.

  • Create an application access policy. Run any of the following commands, replacing the arguments for PolicyScopeGroupId, and Description. 4.1. RestrictAccess, means that only members of the [support@contoso.com](mailto:support@contoso.com) mail-enabled security group will have access to the AppId ``` New-ApplicationAccessPolicy -AppId 10bb7e5b-b80b-4e6e-a209-f78581dbc79e -PolicyScopeGroupId support@contoso.com -AccessRight RestrictAccess -Description "Restrict this app to members of the Support group." ``` 4.2. DenyAccess, means that members of the [support@contoso.com](mailto:support@contoso.com) mail-enabled security group will NOT have access to the AppId ``` New-ApplicationAccessPolicy -AppId 10bb7e5b-b80b-4e6e-a209-f78581dbc79e -PolicyScopeGroupId support@contoso.com -AccessRight DenyAccess -Description "Deny this app to members of the Support group." ``` - Test the newly created application access policy. In this example we used a member of our support team. Depending on whether you set a Restrict or Deny Access Policy, the Grants result may vary. ``` Test-ApplicationAccessPolicy -Identity support_user1@contoso.com -AppId 10bb7e5b-b80b-4e6e-a209-f78581dbc79e ``` Note: Changes to application access policies can take up to 30 minutes to take effect, based on Microsoft's documentation. #### Additional reading For further reading on the mechanism mentioned in this article, please see [this documentation from Microsoft](https://learn.microsoft.com/en-us/exchange/permissions-exo/application-access-policies). If you require any further assistance, please contact us at [support@cronofy.com](mailto:support@cronofy.com). --- [Read in HTML](/calendar-admins/enterprise-connect-office365-graph/restrict-data-access/)