Overview
This guide explains how to scope the Grip Security application/integration for a specific security group.
It describes how to enforce the scope on the O365 side, with an Exchange Online application access policy, instead of having Grip enforce it. If your Grip tenant tries to pull data on users outside the security group, the request will fail.
Prerequisites
A user with admin privileges to your O365 tenant.
A working PowerShell terminal.
The Application client ID of the Grip application you created.
Creating the policy
If you already have a Mail-enabled Security Group you’d like to use for the scope, you can skip to Step 2.
Step 1 – Create the group
Go to your Exchange admin center.
On the left sidebar, under Recipients click Groups.
Go to the Mail-enabled security tab.
Click Add a group.
Select Mail-enabled Security, and then click Next.
Enter a name for the group under Name and add a description (optional).
Click Next.
Note
After entering the name, you need to click elsewhere on the page for the Next button to become clickable.
Click on Assign owners.
Select a user to be an owner (it can be yourself) and click Add.
Click Next.
Click Add members.
Do not add members here, because there is a limit of 20 users. We’ll add all the users later.
Click Next.
Assign an email address to the group by entering the name under Group email address.
Tip
💡 Ensure the domain selected is the one you want.
You are not required to check the other boxes.
Write down the address of the group for future steps.
Click Next.
Click Create group.
Click Edit group settings.
On the right sidebar, go to the Members tab and click View and manage members.
Click Add members, select all identities to be included in the scope, and click Add.
Tip
💡 The identities included in the scope can always be changed later.
Step 2 – Assign the policy
Open a PowerShell terminal as Administrator and run the following script:
# Values in <> are placeholders; keep the quotes when you fill them in.
$AppClientId = "<grip-registered-app-client-id>"
$SecurityGroupMail = "<security-group-mail>"
$O365OrganizationAdminMail = "<o365-admin-mail>"
# Install the Exchange Online module (one-time). The module from the PowerShell Gallery is signed,
# so an execution policy of RemoteSigned is enough if you prefer it over Unrestricted.
Install-Module -Name ExchangeOnlineManagement
Set-ExecutionPolicy Unrestricted
$UserCredential = Get-Credential
# Connect-ExchangeOnline with -UserPrincipalName opens an interactive sign-in for the admin account.
Connect-ExchangeOnline -UserPrincipalName $O365OrganizationAdminMail
# Restrict the Grip app so it can only access mailboxes that are members of the security group.
New-ApplicationAccessPolicy -AppId $AppClientId -PolicyScopeGroupId $SecurityGroupMail -AccessRight RestrictAccess -Description "Grip Access policy"
Note
Values marked with <> need to be filled in with your specific values.
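As an added check that is not part of the original guide, the following commands confirm that the policy resolves the way you expect before you tell Grip the flow is complete. They assume the Exchange Online session from the script above is still open, the same client ID placeholder, and two mailboxes you choose: one that is a member of the group and one that is not.

```powershell
# Added verification example (not from the Grip guide).
# Placeholders in <> are assumptions; replace them with your own values.
$AppClientId = "<grip-registered-app-client-id>"
$InScopeMailbox = "<mailbox-that-is-a-member-of-the-security-group>"
$OutOfScopeMailbox = "<mailbox-that-is-not-in-the-security-group>"

# List the policies attached to the Grip app. You should see one RestrictAccess policy
# whose scope is the mail-enabled security group created in Step 1.
Get-ApplicationAccessPolicy |
    Where-Object { $_.AppId -eq $AppClientId } |
    Format-List AppId, ScopeName, ScopeIdentity, AccessRight, Description

# Test-ApplicationAccessPolicy evaluates the policy for a single identity.
# AccessCheckResult should be "Granted" for a group member and "Denied" for anyone else.
foreach ($mailbox in @($InScopeMailbox, $OutOfScopeMailbox)) {
    $result = Test-ApplicationAccessPolicy -Identity $mailbox -AppId $AppClientId
    "{0,-50} {1}" -f $mailbox, $result.AccessCheckResult
}
```

A newly created policy can take up to 30 minutes to propagate, so an unexpected "Granted" for the out-of-scope mailbox right after creation usually means the policy has not taken effect yet; re-run the test later before escalating.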
Summary
You have now created a scope for your Grip integration using a mail-enabled security group. Contact your Grip representative to inform them that the flow is complete.