Restrict Application Access

Use Case: IfAn anapplication ~~email~~uses ~~was~~OAuth ~~sent~~2.0 into ~~error~~connect orand send mail as a ~~malicious~~user. ~~email~~This ~~has~~requires ~~been~~that ~~sent~~you Grant Admin Consent, but that allows the application to asend ~~large~~as ~~number~~any ofuser. ~~recipients,~~To ~~one~~prevent abuse, you want to restrict which users the app can ~~find and remove that data using Microsoft 365 Security and Compliance Powershell.~~
send-as.

First, Connect to Microsoft 365 Exchange Online

~~Create~~Restrict ~~the~~Application ~~search~~Access

New-ComplianceSearchApplicationAccessPolicy -NameAccessRight RestrictAccess -AppId "An Email Search"e7e4dbfc-046f-4074-9b3b-2ae8f144f59b" -ExchangeLocationPolicyScopeGroupId AllEvenUsers@AppPolicyTest2.com -ContentMatchQuery 'From:externalsender@example.com'

~~Refine the search~~

~~This example has a date range and subject specified in the query.~~

New-ComplianceSearch -NameDescription "AnRestrict Emailthis Search"app's -ExchangeLocation All -ContentMatchQuery '(Received:M/DD/YYYY..M/DD/YYYY) AND (Subject:"An email notaccess to bemembers seen")'

security

~~This~~group ~~example searches~~ ~~specific folders~~ ~~in a specific mailbox.~~

New-ComplianceSearch -Name "An Email Search" -ExchangeLocation recipient@example.com -ContentMatchQuery "((folderid:YFDRIJRBV4ZOBAULB0F9E170RM3MQGBLYD8KY7YZZTJFCO14I) and (folderid:NC5MOAYATELI8Y477ALCKE9E5L08Z4OJLD4Z1I71YD836M33P) and (folderid:N34157DZ541GZQXLG0EKP5F8E9AC91558845M1GYJLBV7AOVS))EvenUsers."

~~Start the search~~~~; after you create the search, you will have to start it.~~

Start-ComplianceSearch -Identity "An Email Search"

~~Perform an action on the results~~~~; once you have the results, do something with it.~~

New-ComplianceSearchAction -SearchName "An Email Search" -Purge -PurgeType SoftDelete

~~Running the command in variables enables you to create the search and then start it with one stroke of the return key.~~

$Search=New-ComplianceSearch -Name "Remove an email" -ExchangeLocation All -ContentMatchQuery ‘(From:sender@example.com) AND (Subject:"An email subject") AND (Received:M/DD/YYYY..M/DD/YYYY)’
Start-ComplianceSearch -Identity $Search.Identity

~~To check the status of a running search, run the command below. Pipe it to~~ fl ~~(Format-List) to see details.~~

Get-ComplianceSearch -Identity "An Email Search"

SoftDelete ~~removes the email, but it is still recoverable.~~ HardDelete ~~removes the email and it is not recoverable. It does not move it to the recipient's~~ ~~Deleted Items~~ ~~folder.~~

Microsoft Learn: New-~~ComplianceSearch~~ApplicationAccessPolicy

~~Microsoft Learn: Search Conditions~~