> For the complete documentation index, see [llms.txt](https://docs.dropzone.ai/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.dropzone.ai/integrations/alert/ms_alert/ms365_email_group.md).

# Microsoft Security Group

## Microsoft Mail-Enabled Security Group

The Dropzone platform can ingest email and phishing alerts from cross-organizational email accounts. If you wish to restrict the access of Dropzone's analysis, you can create a dedicated mail-enabled security group and create an Application Access Policy which restricts access to a finite and enumerated list of mailboxes

## Create a Mail-Enabled Security Group

* Navigate to your [Microsoft Exchange Admin Center](https://admin.exchange.microsoft.com/#/)
* In the left sidebar, navigate to Recipients > Groups

<figure><img src="/files/26muTQqrV5IbyoHX2vcQ" alt=""><figcaption><p>Click "Groups"</p></figcaption></figure>

* Click "Add a group"

<figure><img src="/files/GbebxRwqLtXW7GBw5Ncx" alt=""><figcaption><p>Add a Group</p></figcaption></figure>

* Select "Mail-enabled security," then click "Next"

<figure><img src="/files/pMXuUUpfc6LSyei81VE2" alt=""><figcaption><p>Click "Mail-enabled Security"</p></figcaption></figure>

* Name the group something memorable, such as "DropzoneAllowedInboxes," then click "Next"

<figure><img src="/files/MIhRay4UISgPzUymdwoJ" alt=""><figcaption><p>Assign a group name</p></figcaption></figure>

* Click "+ Assign Owners" and assign your desired owner from the list, then click "Add"

<figure><img src="/files/D04n2zuOS27rskOodsyo" alt=""><figcaption><p>Assign an owner</p></figcaption></figure>

* Click "+ Add Members" and add your desired members. Members will receive all emails sent to this email address, and will be able to send emails to it for Dropzone to analyze

<figure><img src="/files/VwDTDIycEvDNFczMzi5g" alt=""><figcaption><p>Add group members</p></figcaption></figure>

* In the "Edit Settings" section, create a memorable group email address, such as "<dropzone-allowed-inboxes@mycompany.net>"
* If you want people outside of your organization to be able to send emails to the group, check the box under "Communication"
* For added security, you may check the box under "Approval" to require owner permission to join the group

<figure><img src="/files/ZRmQ34v0kdHzMAfVkIQX" alt=""><figcaption><p>Configure the group email address</p></figcaption></figure>

* Click "Next," then click "Create Group"

See Microsoft's [documentation](https://learn.microsoft.com/en-us/exchange/recipients-in-exchange-online/manage-mail-enabled-security-groups) for more information

## Create an Application Access Restriction Policy

* Follow steps on the [Microsoft Integrations](https://gitlab.com/dropzone-ai/docs-gitbook/-/blob/main/docs.dropzone.ai/docs/integrations/alert/ms_alert/readme.md) page to create a new application in Microsoft Entra Admin Center (or use an existing application)
* Record your Client ID
* Navigate to your [Exchange Admin Center](https://admin.cloud.microsoft/exchange#/)
* In the upper right, click the terminal icon

<figure><img src="/files/WViqWidB1dvzfsdAJotr" alt=""><figcaption><p>The terminal icon</p></figcaption></figure>

* If you are not on Powershell, click "Switch to Powershell"
* Connect to Exchange Online by inputting the following code:

`Connect-ExchangeOnline`

* Input the following restriction policy

{% hint style="info" %}
Be sure to replace the AppID variable with the Client ID copied earlier and the GroupEmail variable with email address you just created
{% endhint %}

````$appid
$GroupEmail = "dropzone-allowed-inboxes@mycompany.net"

New-ApplicationAccessPolicy -AppId $AppId `
    -PolicyScopeGroupId $GroupEmail `
    -AccessRight RestrictAccess `
    -Description "Restricts Dropzone to specific inboxes only"```

* To test that Dropzone can only access the desired mailboxes, input the following code:
```Test-ApplicationAccessPolicy -AppId $AppId -Identity "allowed-mailbox@example.com"```
```Test-ApplicationAccessPolicy -AppId $AppId -Identity "any-other-mailbox@example.com"```

Allowed mailboxes should result in Granted, while denied mailboxes should return Denied

If you have any errors, engage your DropzoneAI support representative.
````


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.dropzone.ai/integrations/alert/ms_alert/ms365_email_group.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.