(Optional) Application Access Policies
Create a security group to limit resources and mailboxes that Planner/Meetings can access.
Planner/Meetings uses Enterprise Applications to connect to Microsoft 365 Cloud Services. Whilst this is the Microsoft recommended mechanism, it has lacked the granular permissions that were possible with on-premises impersonation accounts.
In February 2022, Microsoft announced the introduction of Application Access Policies for Enterprise Applications, bringing more granular control of mailboxes and resources.
This setup is optional, and the software will continue to work as expected if no change is made. We only ever access data that you have configured. This includes, but is not limited to, users, room calendars, and security groups.
Step 1
Log in to the Microsoft 365 admin center and create a mail-enabled security group. Make a note of the email address assigned to the group; you will need it later, and it is referred to below as [MailEnabledSecurityEmail].
Step 2
Add to this group all the resources (rooms) that you intend to be used in Planner/Meetings, and the mailboxes of the users that you want to have access to Planner/Meetings.
Step 3
Launch PowerShell and connect to Exchange Online using modern authentication.
Connect-ExchangeOnline -UserPrincipalName {Microsoft 365 admin email address}
If this step does not work, read the following guide, which configures your PowerShell environment for modern authentication.
Step 4
Apply the Application Access Policy to the Planner - Office 365 Add-In application using the script below.
New-ApplicationAccessPolicy -AppId 2977f32f-6805-42df-9ced-7a30137b23eb -PolicyScopeGroupId "[MailEnabledSecurityEmail]" -AccessRight RestrictAccess -Description "Restrict Planner O365 Addin to members of Mail Enabled Security Group ([MailEnabledSecurityEmail])"
Apply the Application Access Policy to the Planner - Calendar Service application using the script below.
New-ApplicationAccessPolicy -AppId 351d434c-2e44-41d7-ba28-268ecd8f56c2 -PolicyScopeGroupId "[MailEnabledSecurityEmail]" -AccessRight RestrictAccess -Description "Restrict Planner Calendar Service to members of Mail Enabled Security Group ([MailEnabledSecurityEmail])"
Note - The above scripts restrict the Enterprise Applications to the users and resources within the mail-enabled security group (whitelist). If you prefer instead to deny access to the users and resources within the mail-enabled security group (blacklist), modify the scripts as follows:
New-ApplicationAccessPolicy -AppId 2977f32f-6805-42df-9ced-7a30137b23eb -PolicyScopeGroupId "[MailEnabledSecurityEmail]" -AccessRight DenyAccess -Description "Deny Planner O365 Addin to members of Mail Enabled Security Group ([MailEnabledSecurityEmail])"
New-ApplicationAccessPolicy -AppId 351d434c-2e44-41d7-ba28-268ecd8f56c2 -PolicyScopeGroupId "[MailEnabledSecurityEmail]" -AccessRight DenyAccess -Description "Deny Planner Calendar Service to members of Mail Enabled Security Group ([MailEnabledSecurityEmail])"
Step 5
Changes to application access policies can take longer than 1 hour to take effect in Microsoft Graph REST API calls, even when Test-ApplicationAccessPolicy already shows the expected result.
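The following script is an added, end-to-end example of Steps 1 to 5 above; it is not the vendor's own script. It creates the mail-enabled security group, adds the members, applies one policy per application, and then checks the result with Test-ApplicationAccessPolicy for a member and a non-member mailbox. The two AppIds are the ones given on this page; the admin UPN, group name and address, and the member/non-member mailboxes are assumed placeholder values that you must replace. The script assumes the ExchangeOnlineManagement module is installed.

```powershell
# Added example (not the vendor's script): set up and verify Application Access
# Policies for the Planner/Meetings Enterprise Applications.
# Assumed/constructed values: admin UPN, group name and address, member and
# non-member mailboxes. The AppIds are those listed in Step 4 on this page.

$AdminUpn     = 'admin@contoso.example'             # assumption: tenant admin UPN
$GroupName    = 'Planner-Meetings-AccessScope'      # assumption: group display name
$GroupAddress = 'planner-scope@contoso.example'     # assumption: [MailEnabledSecurityEmail]
$Members      = @('room-1@contoso.example', 'alice@contoso.example')  # constructed: rooms/users in scope
$NonMember    = 'bob@contoso.example'               # constructed: mailbox that must stay out of scope

# Enterprise Application IDs from the page, with a readable label for each
$Apps = [ordered]@{
    'Planner O365 Add-In'      = '2977f32f-6805-42df-9ced-7a30137b23eb'
    'Planner Calendar Service' = '351d434c-2e44-41d7-ba28-268ecd8f56c2'
}

# 'RestrictAccess' limits the apps to group members (whitelist);
# 'DenyAccess' blocks the apps from group members instead (blacklist).
$AccessRight = 'RestrictAccess'

# Step 3: connect with modern authentication
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# Step 1: create the mail-enabled security group only if it does not already exist
$group = Get-DistributionGroup -Identity $GroupAddress -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-DistributionGroup -Name $GroupName -Type Security -PrimarySmtpAddress $GroupAddress
}

# Step 2: add the room resources and user mailboxes that the applications may reach
foreach ($m in $Members) {
    Add-DistributionGroupMember -Identity $GroupAddress -Member $m -ErrorAction SilentlyContinue
}

# Step 4: one policy per application, scoped to the group; skip if one with the
# same AppId and access right already exists, to avoid duplicate policies
foreach ($entry in $Apps.GetEnumerator()) {
    $existing = Get-ApplicationAccessPolicy | Where-Object {
        $_.AppId -eq $entry.Value -and $_.AccessRight -eq $AccessRight
    }
    if ($existing) {
        Write-Host "Policy for $($entry.Key) ($AccessRight) already present, skipping"
        continue
    }
    New-ApplicationAccessPolicy -AppId $entry.Value -PolicyScopeGroupId $GroupAddress `
        -AccessRight $AccessRight `
        -Description "$AccessRight $($entry.Key) for members of $GroupAddress"
}

# Step 5: verify. With RestrictAccess, members must be Granted and non-members Denied;
# with DenyAccess the expectation is inverted. Graph enforcement may still lag by over an hour.
$expectMember = if ($AccessRight -eq 'RestrictAccess') { 'Granted' } else { 'Denied' }
$expectOther  = if ($AccessRight -eq 'RestrictAccess') { 'Denied' }  else { 'Granted' }

$cases = @(
    @{ Id = $Members[0]; Expect = $expectMember }
    @{ Id = $NonMember;  Expect = $expectOther  }
)

foreach ($entry in $Apps.GetEnumerator()) {
    foreach ($case in $cases) {
        $result = Test-ApplicationAccessPolicy -Identity $case.Id -AppId $entry.Value
        $status = if ($result.AccessCheckResult -eq $case.Expect) { 'OK  ' } else { 'FAIL' }
        Write-Host ('{0} {1,-26} {2,-28} expected={3} actual={4}' -f `
            $status, $entry.Key, $case.Id, $case.Expect, $result.AccessCheckResult)
    }
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run the script once with the placeholder values replaced; any line reporting FAIL means the policy scope does not match what you intended (for example a room mailbox that was never added to the group). Because Test-ApplicationAccessPolicy evaluates the policy store and not Graph enforcement, re-run the verification loop after the propagation delay mentioned in Step 5 before relying on the restriction.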