# Restrict access in Microsoft 365

> Restrict Email Meter access to specific mailboxes only

<img style={{ borderRadius: '0.5rem' }} src="https://storage.googleapis.com/em-docs/enterprise-documentation/images/restrict-microsoft.webp" />

## Create a mail-enabled security group

Log in to your Microsoft 365 admin portal and click Groups > Active.

<img style={{ borderRadius: '0.5rem' }} src="https://storage.googleapis.com/em-docs/enterprise-documentation/images/restrictmicrosoft--001.webp" />

Choose Mail-enabled security on the secondary navigation menu.

<img style={{ borderRadius: '0.5rem' }} src="https://storage.googleapis.com/em-docs/enterprise-documentation/images/restrictmicrosoft--002.webp" />

Click on Add a group to create a new group.

<img style={{ borderRadius: '0.5rem' }} src="https://storage.googleapis.com/em-docs/enterprise-documentation/images/restrictmicrosoft--003.webp" />

On the following screen, select Mail-enabled security group. Then choose the group's name, owners and members.

<img style={{ borderRadius: '0.5rem' }} src="https://storage.googleapis.com/em-docs/enterprise-documentation/images/restrictmicrosoft--004.webp" />

Once the group is created, open it and click “Members” to choose the members that you want to add to the security group. These will be the only mailboxes that Email Meter can get data from.

<img style={{ borderRadius: '0.5rem' }} src="https://storage.googleapis.com/em-docs/enterprise-documentation/images/restrictmicrosoft--005.webp" />

## Create an ApplicationAccessPolicy

Now you’ll need to create an ApplicationAccessPolicy to limit Email Meter's access to the specific mailboxes you’ve added to the Mail-enabled security group.

<Info>For detailed instructions on connecting to Exchange Online PowerShell, please read Microsoft's documentation [here](https://learn.microsoft.com/en-us/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/connect-to-exchange-online-powershell?view=exchange-ps\&preserve-view=true)</Info>

In PowerShell, run the following command, replacing the arguments for PolicyScopeGroupId and Description.

```powershell
New-ApplicationAccessPolicy -AppId ded01d8e-6870-47b2-8d53-0278cf850df1 -PolicyScopeGroupId securitygroup@yourcompany.com -AccessRight RestrictAccess -Description "Restrict this app to members of the Mail-enabled security group."
```

## Test the restriction

Once this is done, you can verify that the policy restricts access to the members of the security group by running a PowerShell command.

Replace the argument for Identity and run the following command:

```powershell
Test-ApplicationAccessPolicy -Identity exampleuser@yourcompany.com -AppId ded01d8e-6870-47b2-8d53-0278cf850df1
```

<Warning>Changes to application access policies can take longer than 1 hour to take effect in Microsoft Graph REST API calls, even when Test-ApplicationAccessPolicy shows positive results.</Warning>
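To check the policy against every mailbox in the group and against mailboxes that must stay out of scope, rather than one identity at a time, the following script can be used. It is an added example, not part of Email Meter's own tooling; it assumes an active Exchange Online PowerShell session, and the `$Outside` address is a constructed placeholder for mailboxes you expect to be denied.

```powershell
# Added example: assumes Connect-ExchangeOnline has already been run.
$AppId   = 'ded01d8e-6870-47b2-8d53-0278cf850df1'   # AppId from the commands on this page
$Group   = 'securitygroup@yourcompany.com'          # placeholder group address from this page
$Outside = @('outsideuser@yourcompany.com')         # constructed placeholder: must NOT be reachable

# 1. Confirm that a policy exists for this app and show its scope and access right.
$policies = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
if (-not $policies) { throw "No application access policy found for AppId $AppId" }
$policies | Format-List ScopeName, AccessRight, Description

# 2. Build the expected result per mailbox. Group members should be Granted.
#    Outside mailboxes are added last, so one that was put in the group by
#    mistake keeps the expectation 'Denied' and is flagged below.
$expected = @{}
Get-DistributionGroupMember -Identity $Group -ResultSize Unlimited |
    Where-Object { $_.RecipientType -eq 'UserMailbox' } |
    ForEach-Object { $expected[[string]$_.PrimarySmtpAddress] = 'Granted' }
foreach ($mailbox in $Outside) { $expected[$mailbox] = 'Denied' }

# 3. Evaluate the policy for each mailbox and compare with the expectation.
$results = foreach ($mailbox in $expected.Keys) {
    $check = Test-ApplicationAccessPolicy -Identity $mailbox -AppId $AppId
    [pscustomobject]@{
        Mailbox  = $mailbox
        Expected = $expected[$mailbox]
        Actual   = [string]$check.AccessCheckResult
        Ok       = ([string]$check.AccessCheckResult -eq $expected[$mailbox])
    }
}
$results | Sort-Object Ok, Mailbox | Format-Table -AutoSize

# 4. Surface any mailbox whose access differs from what the group membership implies.
$mismatches = @($results | Where-Object { -not $_.Ok })
if ($mismatches.Count -gt 0) {
    Write-Warning "$($mismatches.Count) mailbox(es) do not match the expected access."
} else {
    Write-Output "All $($results.Count) mailboxes match the expected access."
}
```

Rerun it whenever the group's membership changes, so that mailboxes added or removed by mistake show up as mismatches.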

## Frequently asked questions

<AccordionGroup>
  <Accordion title="Do I need to grant access to everyone using Email Meter?">
    No, it's not necessary to grant access to all users who access Email Meter. Email Meter requires access only to the mailboxes that are being tracked: this means that only the accounts for which you want to generate email statistics need to be granted access.
  </Accordion>
</AccordionGroup>
