If you use certificate-based authentication to Office 365, the full_access_as_app authorization by default grants the Promodag Reports application published in Microsoft Entra ID access to all mailboxes in the Office 365 tenant. You can restrict the scope to a group of mailboxes by following this procedure.
The first step is to create a mail-enabled security group in the Microsoft 365 administration center.
All mailboxes to be analyzed by content reports in Promodag Reports will be added as members.
Next, create an access policy for the Promodag Reports application using this command, which uses the application ID and the group’s email address:
New-ApplicationAccessPolicy -AppId <application ID> -PolicyScopeGroupId <email address of the group> -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group xxx."
The application ID can be found in Promodag Reports in the Office 365 configuration tab of Tools > Options.
Finally, test that the policy has been applied correctly by running this command against a mailbox that is not a member of the security group:
Test-ApplicationAccessPolicy -Identity <mailbox email address> -AppId <application ID>
Note: Changes to application access policies may take more than an hour to take effect, even if the test results are positive.
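The verification step above can be extended to every member of the group as well as one outside mailbox, so that both sides of the restriction are checked. This is an added example, not code from Promodag; the application ID, group address and mailbox address are constructed placeholders, and it assumes the ExchangeOnlineManagement module is installed.

```powershell
# Added example; every value below is a constructed placeholder.
$AppId      = '00000000-0000-0000-0000-000000000000'  # application ID from Tools > Options
$ScopeGroup = 'promodag-scope@contoso.example'        # mail-enabled security group
$NonMember  = 'outside.user@contoso.example'          # mailbox that is NOT in the group

Connect-ExchangeOnline   # interactive sign-in with an Exchange administrator account

# A RestrictAccess policy must exist for this application.
$policy = Get-ApplicationAccessPolicy |
    Where-Object { $_.AppId -eq $AppId -and $_.AccessRight -eq 'RestrictAccess' }
if (-not $policy) { throw "No RestrictAccess policy found for application $AppId." }

# Expected outcome: group members are Granted, the outside mailbox is Denied.
$checks = @(
    Get-DistributionGroupMember -Identity $ScopeGroup -ResultSize Unlimited |
        Where-Object { $_.RecipientType -eq 'UserMailbox' } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = [string]$_.PrimarySmtpAddress; Expected = 'Granted' }
        }
)
$checks += [pscustomobject]@{ Mailbox = $NonMember; Expected = 'Denied' }

# Run Test-ApplicationAccessPolicy for each mailbox and compare with the expectation.
$results = foreach ($c in $checks) {
    $r = Test-ApplicationAccessPolicy -Identity $c.Mailbox -AppId $AppId
    $actual = "$($r.AccessCheckResult)"
    [pscustomobject]@{
        Mailbox  = $c.Mailbox
        Expected = $c.Expected
        Actual   = $actual
        Ok       = ($actual -eq $c.Expected)
    }
}
$results | Format-Table -AutoSize

# Any mismatch means the scope is wider or narrower than intended.
$bad = @($results | Where-Object { -not $_.Ok })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) mailbox(es) did not return the expected result."
}
```

A `Granted` result for the outside mailbox means the application can still reach mailboxes beyond the group.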
See also: Certificate-based authentication to Office 365 and Office 365 permissions.