When you connect Paperbox to Microsoft 365 (Exchange Online) using an app/service account, that app can potentially access many (or all) mailboxes in the tenant by default. If you want tighter control, you can restrict Paperbox so it can access only the mailboxes you explicitly allow.
In this tutorial we’ll use a fictional insurer tenant as an example:
Insurer (customer) domain: johns-insurance.com
Example scope group: [email protected]
Example mailbox: [email protected]
Important: in your real setup, every email/domain shown here must be replaced with values from your customer’s Microsoft 365 tenant.
What you’ll set up
A mail-enabled security group that represents the Paperbox mailbox scope
Group membership = mailboxes Paperbox may access
An Application Access Policy that enforces that scope
Test commands to confirm access is allowed/blocked
Before you start
You need
Microsoft 365 tenant admin rights (or Exchange admin rights) in the customer tenant
Exchange Online PowerShell access
Values you must fill in
Customer domain: <YOUR_DOMAIN> (example: johns-insurance.com)
Scope group email (customer tenant): <SCOPE_GROUP_EMAIL> (example: [email protected])
Allowed test mailbox: <ALLOWED_TEST_MAILBOX> (example: [email protected])
Blocked test mailbox: <BLOCKED_TEST_MAILBOX> (example: [email protected])
Step 1 — Connect to Exchange Online PowerShell
Open PowerShell and connect to the customer’s Exchange Online tenant:
Connect-ExchangeOnline
Make sure you sign in with an admin account for the customer tenant (e.g., johns-insurance.com).
Step 2 — Create (or pick) a mail-enabled security group
This group defines which mailboxes Paperbox is allowed to access.
Option A: Create a new group
Fill in:
<GROUP_NAME>
<GROUP_ALIAS>
New-DistributionGroup `
-Name "<GROUP_NAME>" `
-Alias "<GROUP_ALIAS>" `
-Type Security
Then retrieve the group’s email address (Primary SMTP) and use it as <SCOPE_GROUP_EMAIL>:
Get-DistributionGroup "<GROUP_NAME>" | Format-List PrimarySmtpAddress
Example result you might use:
Option B: Use an existing group
If the customer already has a suitable mail-enabled security group, use its email address as:
<SCOPE_GROUP_EMAIL>
Step 3 — Add allowed mailboxes to the scope group
Add every mailbox Paperbox should be able to access. Repeat per mailbox.
Fill in:
<SCOPE_GROUP_EMAIL> (the group in the customer tenant)
<MAILBOX_EMAIL> (the mailbox in the customer tenant)
Add-DistributionGroupMember `
-Identity "<SCOPE_GROUP_EMAIL>" `
-Member "<MAILBOX_EMAIL>"
Example (insurer tenant):
group: [email protected]
mailbox: [email protected]
Everything not in this group should be treated as out of scope.
Step 4 — Create the Application Access Policy
This policy restricts the Paperbox app to only the mailboxes in your scope group.
Fill in:
<SCOPE_GROUP_EMAIL>
<POLICY_DESCRIPTION>
New-ApplicationAccessPolicy `
-AppId "42dc8c0c-c869-4479-b884-592d310ca746" `
-PolicyScopeGroupId "<SCOPE_GROUP_EMAIL>" `
-AccessRight RestrictAccess `
-Description "<POLICY_DESCRIPTION>"
Suggested description:
Restrict Paperbox to the mailboxes in the Paperbox scope group.
Step 5 — Test the policy
Test a mailbox that should be allowed
Fill in:
<ALLOWED_TEST_MAILBOX>
Test-ApplicationAccessPolicy `
-Identity "<ALLOWED_TEST_MAILBOX>" `
-AppId "42dc8c0c-c869-4479-b884-592d310ca746"
Expected: Allowed
Test a mailbox that should be blocked
Fill in:
<BLOCKED_TEST_MAILBOX>
Test-ApplicationAccessPolicy `
-Identity "<BLOCKED_TEST_MAILBOX>" `
-AppId "42dc8c0c-c869-4479-b884-592d310ca746"
Expected: Denied
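The two spot checks above cover one mailbox each. The following added example (not part of Paperbox's own instructions) goes beyond them and audits every mailbox in the tenant against the scope group, flagging any mailbox whose policy result does not match its group membership. It assumes an active Connect-ExchangeOnline session in the customer tenant and that Test-ApplicationAccessPolicy reports its verdict in the AccessCheckResult property as Granted or Denied; the variable names are illustrative.

```powershell
# Added example: compare the policy verdict with scope-group membership for all mailboxes.
# Assumes Connect-ExchangeOnline has already been run against the customer tenant.
$AppId      = '42dc8c0c-c869-4479-b884-592d310ca746'  # AppId used in Step 4
$ScopeGroup = '<SCOPE_GROUP_EMAIL>'                   # replace with your scope group

# Direct members of the scope group are the mailboxes the app is meant to reach.
$inScope = @{}
Get-DistributionGroupMember -Identity $ScopeGroup -ResultSize Unlimited |
    Where-Object { $_.PrimarySmtpAddress } |
    ForEach-Object { $inScope[$_.PrimarySmtpAddress.ToString().ToLower()] = $true }

# Test every mailbox and record expected versus actual result.
$report = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited) {
    $smtp     = $mbx.PrimarySmtpAddress.ToString().ToLower()
    $expected = if ($inScope.ContainsKey($smtp)) { 'Granted' } else { 'Denied' }
    $actual   = try {
        (Test-ApplicationAccessPolicy -Identity $smtp -AppId $AppId -ErrorAction Stop).AccessCheckResult
    } catch {
        # Keep going on per-mailbox errors so one failure does not hide the rest.
        "Error: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Mailbox  = $smtp
        Expected = $expected
        Actual   = "$actual"
        Match    = ("$actual" -eq $expected)
    }
}

# Anything listed here is either reachable when it should not be, or blocked when it should be allowed.
$mismatches = @($report | Where-Object { -not $_.Match })
if ($mismatches.Count -eq 0) {
    Write-Host "All $(@($report).Count) mailboxes match the scope group."
} else {
    Write-Warning "$($mismatches.Count) mailbox(es) do not match the scope group:"
    $mismatches | Format-Table Mailbox, Expected, Actual -AutoSize
}
```

Rerun the audit whenever the scope group's membership changes. Policy changes can take longer than an hour to take effect for Microsoft Graph calls, so a live API test right after Step 4 may not yet match what Test-ApplicationAccessPolicy reports.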
Troubleshooting
Check group membership
If results aren’t what you expect, confirm the mailbox is actually in the scope group:
Get-DistributionGroupMember "<SCOPE_GROUP_EMAIL>"
PowerShell / module issues
Check your PowerShell version:
$PSVersionTable.PSVersion
If you hit module/version errors, update PowerShell and ensure the Exchange Online PowerShell module is current.
Whenever you need help setting this up for your organization, let us know via our support channels.
