Background
Solution
The steps are taken from this link https://docs.microsoft.com/en-us/graph/auth-limit-mailbox-access.
Due to security concerns highlighted by customer, A Doc APAR to add the following steps into probe guide has been raised.
APAR number : IJ41418
Limiting probe access to specific Exchange Online mailboxes.
By default OAuth authentication enables the probe to access all mailboxes in an organization on Exchange Online. Administrators can identify the set of mailboxes to permit access by putting them in a mail-enabled security group. Administrators can then limit probe access to only that set of mailboxes by creating an application access policy for access to that group.
a. Create a new mail-enabled security group using steps in this link or use an existing one and identify the email address for the group.
b. Add the user of mailbox to be accessed by probe into the group.
c. Connect to Exchange Online PowerShell. For details, see Connect to Exchange Online PowerShell.
d. Create an access policy on the registered Azure Active Directory application.
New-ApplicationAccessPolicy -AppId <<Application/ClientID>> -PolicyScopeGroupId <<SecGroupEmail>> -AccessRight RestrictAccess -Description "IBM Netcool EWS Probe Mailbox"