Management Scope

Rising Flight
2025-11-28T06:15:37.4633333+00:00

Hi all,

I have the below client ID with the Mail.Send application permission, and using it I’m able to send email to any distribution list, regular mailbox, or shared mailbox.

I want to restrict this client ID so that it can send mail only to a specific distribution list / mail-enabled security group / mailbox / shared mailbox. How can I achieve this?

I came across the following article, but I’m not sure how to apply it in my case: https://learn.microsoft.com/en-us/exchange/permissions-exo/application-rbac

For example, my client ID should be able to send email only to the recipients below:

DL1 – Distribution List

mesg1 – Mail-enabled security group

mbx1 – Regular mailbox

sharedmbx1 – Shared mailbox

If an email is sent to any other recipient, it should fail or return an error.



# App-only Graph auth (certificate)
$ClientId   = "11111111-2222-3333-4444-555555555555"
$TenantId   = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
$Thumbprint = "ABCDEF1234567890ABCDEF1234567890ABCDEF12"
# From / To
$FromUserUPN = "alerts@contoso.com"
$EmailRecipients = @(
    "DL1@contoso.com",
    "mesg1@contoso.com",
    "mbx1@contoso.com",
    "sharedmbx1@contoso.com"
)

Answer accepted by question author

Anonymous
2025-11-28T07:34:00.92+00:00

Hi @Rising Flight

Thank you for sharing your question in the Q&A Forum, providing details about your application's Mail.Send permission as well as the recipients you wish to restrict. 

In Exchange Online, Application Access Policies or RBAC for applications are primarily designed to control which mailboxes an app can access, rather than which recipients it can send to. This means that even if the app is scoped to a single mailbox, it could still send messages to other recipients unless an additional layer of enforcement is applied. 

To achieve a practical recipient restriction, a combined approach can be considered: 

Restrict the Sender Mailbox (Sender Restriction)

  • Use Application Access Policy or RBAC for Applications to associate the app’s Client ID only with a controlled mailbox (e.g., ******@contoso.com).
  • Create a management scope for the mailbox and assign only the necessary roles (e.g., SendAs).

Reference: Role Based Access Control for Applications in Exchange Online | Microsoft Learn

Enforce recipient restrictions using an Exchange Online mail flow rule

  • Configure a mail flow (transport) rule to allow sending only to specific recipients.
  • Any message sent from the dedicated mailbox to recipients outside the approved list (******@contoso.com, ******@contoso.com, ******@contoso.com, shared******@contoso.com) will be blocked.
  • This applies to To, Cc, and Bcc, generating a Non-Delivery Report (NDR) for unauthorized recipients.

PowerShell example:

New-TransportRule -Name "Alerts Sender Recipient Allow-List" `
  -From "******@contoso.com" `
  -ExceptIfRecipientAddressMatchesPatterns "******@contoso.com","******@contoso.com","******@contoso.com","shared******@contoso.com" `
  -RejectMessageEnhancedStatusCode 5.7.1 `
  -RejectMessageReasonText "Recipient not allowed per application policy (Error Code 5.7.1)." `
  -StopRuleProcessing $true

Reference: Mail flow rules (transport rules) in Exchange Online | Microsoft Learn

I hope this guidance provides some clarity on the approach. If you proceed with the implementation and have any questions, feel free to share, and we would be happy to look at the details together.

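The two layers the accepted answer describes, put together as one script with a verification step. This is an added example, not code from the thread or from Microsoft; it assumes the ExchangeOnlineManagement module is installed, reuses the placeholder client ID and addresses from the question, and anchors each recipient pattern because that parameter takes regular expressions.

```powershell
# Added example (not from the thread). Client ID, mailbox and recipient addresses are the
# placeholders from the question; replace them with your tenant's values.
Connect-ExchangeOnline

$ClientId  = "11111111-2222-3333-4444-555555555555"   # app registration (client) ID
$SenderMbx = "alerts@contoso.com"                      # the only mailbox the app may send from
$Allowed   = @("DL1@contoso.com", "mesg1@contoso.com",
               "mbx1@contoso.com", "sharedmbx1@contoso.com")

# Layer 1: scope the app to the sender mailbox. Application-permission Mail.Send otherwise
# lets the app send as any mailbox, and a From-based mail flow rule would then not cover
# messages sent from a different mailbox.
New-ApplicationAccessPolicy -AppId $ClientId -PolicyScopeGroupId $SenderMbx `
    -AccessRight RestrictAccess -Description "Alerts app: sender mailbox only"

# Layer 2: reject mail from that mailbox to any recipient not on the allow-list.
# RecipientAddressMatchesPatterns is evaluated as a regular expression, so escape the
# address and anchor it; an unanchored "DL1@contoso.com" would also match a longer
# address that merely contains that text.
$Patterns = $Allowed | ForEach-Object { '^' + [regex]::Escape($_) + '$' }
New-TransportRule -Name "Alerts Sender Recipient Allow-List" `
    -From $SenderMbx `
    -ExceptIfRecipientAddressMatchesPatterns $Patterns `
    -RejectMessageEnhancedStatusCode 5.7.1 `
    -RejectMessageReasonText "Recipient not allowed per application policy." `
    -StopRuleProcessing $true `
    -Mode Enforce

# Verify layer 1: the app should be Granted on the sender mailbox and Denied elsewhere.
Test-ApplicationAccessPolicy -Identity $SenderMbx -AppId $ClientId |
    Select-Object AppId, Mailbox, AccessCheckResult
Test-ApplicationAccessPolicy -Identity "mbx1@contoso.com" -AppId $ClientId |
    Select-Object AppId, Mailbox, AccessCheckResult

# Verify layer 2 was stored with the anchored patterns and in enforce mode.
Get-TransportRule -Identity "Alerts Sender Recipient Allow-List" |
    Select-Object Name, State, Mode, From, ExceptIfRecipientAddressMatchesPatterns
```

Test-ApplicationAccessPolicy only checks mailbox access; the recipient allow-list itself is exercised by sending a test message from the app to an address outside the list and confirming the 5.7.1 NDR arrives.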


Additional answer

AI answer

    2025-11-28T06:15:49.25+00:00

    To restrict the application with the specified client ID so that it can only send emails to a specific distribution list, mail-enabled security group, or mailbox, you can use Application Access Policies in Exchange Online. Here’s how you can achieve this:

    1. Connect to Exchange Online PowerShell: Use the appropriate command to connect to your Exchange Online environment.
    2. Create a Mail-Enabled Security Group: If you haven't already, create a mail-enabled security group that includes the recipients you want to allow.
    3. Create an Application Access Policy: You will need to create an application access policy that restricts the app's access to the specific mail-enabled security group. You can do this by running the following PowerShell command:
         New-ApplicationAccessPolicy -AppId "11111111-2222-3333-4444-555555555555" -PolicyScopeGroupId "******@contoso.com" -AccessRight RestrictAccess -Description "Restrict this app to specific recipients."
      
      Replace ******@contoso.com with the actual email address of your mail-enabled security group.
    4. Test the Policy: After creating the policy, you can test it using the Test-ApplicationAccessPolicy command to ensure that the application can only send emails to the specified recipients.

    By following these steps, you can effectively limit the sending capabilities of your application to only the designated recipients you have specified.
