Restricting Hyperfox's Mailbox Access (Microsoft 365)
Hyperfox reads incoming orders from one or more shared mailboxes — usually a
single [email protected], though Hyperfox can read from several mailboxes
if your setup needs it. To do this, the Hyperfox application requests
application-level Microsoft Graph permissions. By default, application
permissions in Microsoft 365 apply to every mailbox in your tenant, even
though Hyperfox only needs the order mailbox(es).
This guide shows your Microsoft 365 administrator how to lock the Hyperfox application down to only the mailboxes you allow, verify the restriction, and audit what the application accesses. You remain in full control: Hyperfox cannot read any mailbox you have not explicitly scoped it to.
Note: These steps are performed entirely in your own Microsoft 365 tenant. Hyperfox has no ability to grant itself access — only your administrator can decide which mailboxes the application may reach.
Table of Contents
- What permissions Hyperfox requests
- How the restriction works
- Prerequisites
- Step 1: Create a mail-enabled security group
- Step 2: Restrict the application to that group
- Step 3: Verify the restriction
- Auditing and monitoring access
- Removing access entirely
What permissions Hyperfox requests
When you grant admin consent to Hyperfox, the following Microsoft Graph permissions are requested:
| Permission | Type | What it grants | Scopable by this guide? |
|---|---|---|---|
Mail.ReadWrite | Application | Read and write mail in mailboxes | ✅ Yes |
MailboxSettings.ReadWrite | Application | Read and write mailbox settings | ✅ Yes |
Organization.Read.All | Application | Read organization information | ❌ Directory data, not mailbox content |
User.ReadBasic.All | Application | Read all users' basic profiles | ❌ Directory data, not mailbox content |
User.Read | Delegated | Sign in and read the signed-in user's profile | Not applicable (delegated) |
The two mailbox permissions — Mail.ReadWrite and
MailboxSettings.ReadWrite — are the sensitive ones: without a restriction they
reach every mailbox in your tenant. The method below scopes exactly these two
down to only the mailbox(es) you allow.
Note:
Organization.Read.AllandUser.ReadBasic.Allexpose organization metadata and basic user profiles (name, email, job title) from your directory — not the contents of any mailbox. They are not controlled by mailbox access policies. If you wish to review or limit these, see Removing access entirely.
How the restriction works
Exchange Online supports an Application Access Policy: a rule that ties an application to a mail-enabled security group and tells Exchange the application may access only the mailboxes that are members of that group.
You will:
- Create a mail-enabled security group whose members are the order mailbox(es) you want Hyperfox to read — one mailbox, or several.
- Create an Application Access Policy with
RestrictAccess, pointing the Hyperfox application at that group. - Test that an allowed mailbox is Granted and any other mailbox is Denied.
After this, even though Hyperfox holds tenant-wide Mail.ReadWrite, Exchange
will reject any attempt by the application to read a mailbox outside the group.
Prerequisites
Before you begin, make sure you have:
-
The Exchange Administrator or Global Administrator role in your tenant.
-
The Exchange Online PowerShell module installed:
Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser -
Hyperfox's Application (client) ID:
2e613e2d-39ea-40e0-9036-1f79b039aa1eThis is the same ID shown on the consent screen and under Enterprise applications in your tenant. It is used in the commands below.
Step 1: Create a mail-enabled security group
Connect to Exchange Online, then create a mail-enabled security group containing
only the mailbox(es) Hyperfox should read. Pass one address, or several
comma-separated, to -Members.
Connect-ExchangeOnline -UserPrincipalName [email protected]
# Single mailbox
New-DistributionGroup `
-Name "Hyperfox Scoped Mailboxes" `
-Alias hyperfox-scoped `
-Type Security `
-Members [email protected]
# ...or several mailboxes
New-DistributionGroup `
-Name "Hyperfox Scoped Mailboxes" `
-Alias hyperfox-scoped `
-Type Security `
-Members [email protected], [email protected], [email protected]
To add or remove a mailbox later, update the group's membership rather than the policy:
Add-DistributionGroupMember -Identity [email protected] -Member [email protected]
Remove-DistributionGroupMember -Identity [email protected] -Member [email protected]
Tip: Keep this group dedicated to Hyperfox. Every mailbox in it becomes reachable by the application, so only add a mailbox here if you intend Hyperfox to read it.
Step 2: Restrict the application to that group
Create the Application Access Policy. RestrictAccess means the application may
access only members of the group; every other mailbox is blocked.
New-ApplicationAccessPolicy `
-AppId 2e613e2d-39ea-40e0-9036-1f79b039aa1e `
-PolicyScopeGroupId [email protected] `
-AccessRight RestrictAccess `
-Description "Restrict Hyperfox to the scoped order mailboxes only"
Important: The policy can take up to 30 minutes (occasionally longer) to take effect across Exchange Online. Wait before testing if you see unexpected results.
For reference, the two access rights are:
RestrictAccess— the application can access only the group's members (recommended; use this).DenyAccess— the application is blocked from the group's members but can still reach everyone else (the opposite of what you want here).
Step 3: Verify the restriction
Confirm the lock works in both directions. Each allowed mailbox should be Granted; any other mailbox (for example, an executive's) should be Denied. Test every mailbox you added to the group.
# Allowed mailbox — should return AccessCheckResult: Granted
Test-ApplicationAccessPolicy `
-AppId 2e613e2d-39ea-40e0-9036-1f79b039aa1e `
-Identity [email protected]
# Any non-allowed mailbox — should return AccessCheckResult: Denied
Test-ApplicationAccessPolicy `
-AppId 2e613e2d-39ea-40e0-9036-1f79b039aa1e `
-Identity [email protected]
If an allowed mailbox returns anything other than Granted, confirm it is a
member of the hyperfox-scoped group. If a non-allowed mailbox returns
Granted, wait for propagation (up to 30 minutes) and test again.
You can review the policy at any time:
Get-ApplicationAccessPolicy
Auditing and monitoring access
Your administrator can review and monitor exactly what the Hyperfox application does in your tenant.
-
Review the application and its granted permissions — In the Microsoft Entra admin center, go to Identity → Applications → Enterprise applications, find the Hyperfox application (search by the App ID above), and open the Permissions tab.
-
See which mailbox items were accessed — In the Microsoft Purview portal, open Audit and search the
MailItemsAccessedactivity. These records include the application (AppId) that accessed mailbox items, so you can confirm access is limited to the mailboxes you allowed. -
See API calls and token issuance — In the Entra admin center, use Microsoft Graph activity logs and Sign-in logs → Service principal sign-ins, filtered to the Hyperfox application, to see when it requested tokens and which resources it called.
Tip: Mailbox auditing must be enabled to capture
MailItemsAccessedevents. It is on by default for most Microsoft 365 organizations; confirm withGet-OrganizationConfig | Format-List AuditDisabled.
Removing access entirely
If you want to revoke Hyperfox's access completely — for example, when offboarding — you have two options in the Entra admin center under Enterprise applications → Hyperfox:
- Revoke admin consent — open the Permissions tab and remove the granted permissions. This stops the application from obtaining new access tokens for your tenant.
- Delete the application — open Properties and delete the enterprise application from your tenant.
To prevent applications from being consented in the first place, you can also tighten user consent settings and require an admin consent workflow under Enterprise applications → Consent and permissions.
This guide was last updated in June 2026. For questions, contact your Hyperfox administrator or [email protected].