How to restrict access to Microsoft Graph Api ( for several resources?. I'm using AzureAD for oauth identity RRS feed

  • Question

  • I tryed powershell cmdlet  New-ApplicationAccessPolicy,   but i can't figure out what is PolicyScopeGroupId:
    Cannot process argument transformation on parameter 'PolicyScopeGroupId'.
    Friday, September 20, 2019 2:38 PM


All replies

  • It's the Group upon which the policy will act upon. Depending on the policy action (AccessRIght), you will either restrict the app to only run against objects that are member of the Group (RestrictAccess), or restrict the app from running against members of said group (DenyAcces). Read here for more details an examples:
    • Marked as answer by Aleksei.B Monday, September 23, 2019 2:08 PM
    Friday, September 20, 2019 5:39 PM
  • And to add on: Make sure its a mail-enabled security group you are scoping it to.

    • Marked as answer by Aleksei.B Monday, September 23, 2019 2:08 PM
    Friday, September 20, 2019 8:21 PM
  • Hi,


    The PolicyScopeGroupID parameter specifies the recipient to define in the policy. You can use any value that uniquely identifies the recipient. It can also specify a mail enabled security group to restrict/deny access to a large number of user mailboxes. For more info about the parameter, please see the link: New-ApplicationAccessPolicy



    Kelvin Deng

    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact

    Monday, September 23, 2019 2:28 AM
  • I'm trying to limit access to resource which has Azure AD objectId =ecafe471-e4ae-4850-ba03-29f18b4a383b.  I also tried to  use just e-mail address, with the same result.

    New-ApplicationAccessPolicy -AccessRight DenyAccess -AppId xxx -PolicyScopeGroupId ecafe471-e4ae-4850-ba03-29f18b4a383b
    The identity of the policy scope is not a security principal.
        + CategoryInfo          : NotSpecified: (:) [New-ApplicationAccessPolicy], InvalidApplicationAccessPolicyException

    Can you please advice me what i am doing wrong?

    Monday, September 23, 2019 12:31 PM
  • Use a mail-enabled security-group as Andy mentioned above.
    Monday, September 23, 2019 12:41 PM
  • Thank you. I finally managed to create New-ApplicationAccessPolicy and  the needed access is now denied

    Monday, September 23, 2019 2:08 PM