# Exchange Online via Restricted EWS Application (RBAC Scoping)

## Overview

Movebot supports connecting to Exchange Online using a restricted application configuration that limits mailbox access to a defined subset of mailboxes within the tenant.

This method introduces additional configuration complexity and is not recommended unless mailbox-level access restriction is required. Its security benefit is that the application's credential only grants access to mailboxes inside the management scope, so a leaked client secret cannot be used to read the rest of the tenant.

{% hint style="warning" %}
We recommend only administrators familiar with Exchange Online PowerShell and RBAC perform this setup. Contact support before proceeding if unsure.
{% endhint %}

## When should this be used instead of full access?

If you require:

* Restricting mailbox access to a defined subset of users
* Compliance controls preventing tenant-wide mailbox access

**If you are not subject to the above requirements, follow the [standard Exchange Online guide](/connections/outlook-online-office-365-ews.md).**

## Requirements

To configure this connection method, you will need:

* A Movebot account
* An Exchange Online administrator account
* Access to Microsoft Entra ID
* PowerShell access to Exchange Online

## How to Configure Restricted EWS Access

1. **Create the application registration in Entra**
   * Login to Entra as an administrator for your domain, and navigate to **App Registrations.**
   * Click **New Registration**
   * Specify a name for the new application. Leave the remaining fields as default. Click **Register.**
   * Make a note of the **Application (Client) ID.** This will be entered into your Movebot configuration.
   * Make a note of the **Tenant ID**. This will be needed in Movebot
   * Configure the permissions. Click **API Permissions --> Add a Permission.**
   * Select **APIs my organisation uses,** then search for **Office 365 Exchange Online.**
   * Select **Application Permissions**
   * Enable permission:

     ```
     Exchange.ManageAsAppV2
     ```
   * **Grant admin consent**
   * Click **Certificates and Secrets** --> **Client Secrets** --> **New Client Secret**
   * Copy the **Client Secret Value** now; it is shown only once. This value is the credential Movebot authenticates with, so store it as you would any other secret.

2. **Configure the Connection in Movebot**

   The following information must be entered into the Movebot EWS connector.

   * **Tenant ID**
   * **Email Address** (does not need to be an administrator account)
   * **Application Client ID**
   * **Application Client Secret**

3. **Connect to Exchange Online using PowerShell**

   The cmdlets used in the remaining steps come from the ExchangeOnlineManagement module.

   ```
   Connect-ExchangeOnline
   ```

4. **Create a Mail-Enabled Security Group**
   * Create a group that defines which mailboxes Movebot can access.

     ```
     New-DistributionGroup -Name "EWS-App-Allowed-Mailboxes" -Type Security
     ```
   * Add allowed mailboxes:

     ```
     Add-DistributionGroupMember -Identity "EWS-App-Allowed-Mailboxes" -Member user@domain.com
     ```
   * **Only mailboxes added to this group will be accessible.**

5. **Retrieve the Distinguished Name of Security Group**

   ```
   Get-DistributionGroup "EWS-App-Allowed-Mailboxes" | Select-Object -ExpandProperty DistinguishedName
   ```

   * Copy the entire DistinguishedName value. `-ExpandProperty` prints the full string; the default table view can truncate a long DN with `...`, which would produce a scope that matches nothing.
   * Example:

   ```
   CN=EWS-App-Allowed-Mailboxes,OU=contoso.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=AUSP913A004,DC=PROD,DC=OUTLOOK,DC=COM
   ```

6. **Create the Management Scope**

   ```
   New-ManagementScope -Name "User Mailboxes" `
   -RecipientRestrictionFilter "MemberOfGroup -eq 'FULL-DN-HERE'"
   ```

   * **Replace `FULL-DN-HERE` with your group’s Distinguished Name.**

7. **Register the Service Principal**

   * You will need:

     * **Application ID (from App Registration)**
     * **Object ID (from Enterprise Application)**: open **Enterprise Applications** in Entra and use the Object ID of the service principal created with the registration. The Object ID shown on the **App Registration** overview belongs to a different object and will not work here.

     ```
     New-ServicePrincipal `
     -AppId <ApplicationID> `
     -ObjectId <EnterpriseAppObjectID> `
     -DisplayName "Movebot-Restricted"
     ```

8. **Assign the EWS RBAC Role with Scope**
   * Assign the scoped role to the service principal:

     ```
     New-ManagementRoleAssignment `
     -App <EnterpriseAppObjectID> `
     -Role "Application EWS.AccessAsApp" `
     -CustomResourceScope "User Mailboxes"
     ```

9. **Validate the Configuration**

   * To confirm whether a mailbox is within scope:

   ```
   Test-ServicePrincipalAuthorization `
   -Identity <ApplicationID> `
   -Resource user@domain.com
   ```

   * **If the result shows `InScope = True`, the mailbox is accessible.** Run the same command against a mailbox that is not in the group and confirm it reports `InScope = False`; that is the check that the scope is actually limiting access.
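The PowerShell procedure from step 3 through step 9 as one script, added here as an example; it is not taken from Movebot's documentation or tooling. The GUIDs, group name, mailbox addresses and the `ceo@contoso.com` control mailbox are placeholders to substitute. The script reuses the group, scope and service principal if they already exist, and finishes with the check a reviewer would want: every allowed mailbox is in scope and the control mailbox is not.

```powershell
# Added example (not Movebot's own script): scoped EWS access, steps 3-9 in one run.
#Requires -Modules ExchangeOnlineManagement

# --- Placeholders (assumptions; substitute your own values) ---
$GroupName  = "EWS-App-Allowed-Mailboxes"              # mail-enabled security group
$ScopeName  = "User Mailboxes"                         # management scope name
$AppId      = "00000000-0000-0000-0000-000000000000"   # Application (client) ID
$SpObjectId = "11111111-1111-1111-1111-111111111111"   # Enterprise Application object ID
$SpName     = "Movebot-Restricted"
$Allowed    = @("alice@contoso.com", "bob@contoso.com") # mailboxes Movebot may access
$OutOfScope = "ceo@contoso.com"                        # control mailbox that must stay unreachable

Connect-ExchangeOnline -ShowBanner:$false

# 1. Create the group if needed and add the allowed mailboxes (existing members are tolerated).
if (-not (Get-DistributionGroup -Identity $GroupName -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $GroupName -Type Security | Out-Null
}
foreach ($mbx in $Allowed) {
    Add-DistributionGroupMember -Identity $GroupName -Member $mbx -ErrorAction SilentlyContinue
}

# 2. Build the recipient filter from the group's full DN and create the scope.
$dn     = (Get-DistributionGroup -Identity $GroupName).DistinguishedName
$filter = "MemberOfGroup -eq '$dn'"
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter $filter | Out-Null
}

# 3. Register the service principal in Exchange. The ObjectId is the Enterprise
#    Application's object ID, not the App Registration's.
if (-not (Get-ServicePrincipal -Identity $SpObjectId -ErrorAction SilentlyContinue)) {
    New-ServicePrincipal -AppId $AppId -ObjectId $SpObjectId -DisplayName $SpName | Out-Null
}

# 4. Assign the EWS application role restricted to the scope (run once; a second
#    run errors because the auto-generated assignment name already exists).
New-ManagementRoleAssignment -App $SpObjectId `
    -Role "Application EWS.AccessAsApp" `
    -CustomResourceScope $ScopeName | Out-Null

# 5. Verify: allowed mailboxes must be InScope, the control mailbox must not be.
#    Test-ServicePrincipalAuthorization returns one row per role assignment, so
#    collapse the rows to a single boolean before comparing.
foreach ($mbx in ($Allowed + $OutOfScope)) {
    $rows     = Test-ServicePrincipalAuthorization -Identity $AppId -Resource $mbx -ErrorAction SilentlyContinue
    $inScope  = [bool]($rows | Where-Object { $_.InScope -eq $true })
    $expected = $mbx -in $Allowed
    $status   = if ($inScope -eq $expected) { "OK" } else { "MISMATCH" }
    "{0,-25} InScope={1,-5} expected={2,-5} {3}" -f $mbx, $inScope, $expected, $status
}
```

A `MISMATCH` on an allowed mailbox immediately after setup is usually the propagation delay described below; a `MISMATCH` on the control mailbox means the scope is not restricting anything and should be treated as a misconfiguration before any secret is handed to the connector.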

## Important Notes

#### Connection Test Behaviour

When using restricted RBAC scoping, the Movebot connection test will fail by design.

This is expected behaviour and does not indicate a misconfiguration.

Because the application does not have organization-wide access, automatic mailbox discovery and validation are not supported.

#### Permission Propagation Delay

Permission updates and RBAC scope changes may not take effect immediately. In some environments, it can take up to an hour before access behaviour reflects the new configuration. If testing fails immediately after setup, wait and retry before troubleshooting further.

#### Mailbox Mapping Requirement

When using restricted access:

* Mailboxes must be mapped manually using [CSV Transfer Mapping](/using-movebot/transfer-mapping/import-csv-mappings.md).
* Only mailboxes included in the mail-enabled security group can be migrated.
* Mailboxes outside of the group will return HTTP 403 errors during migration.

## Common Errors

<details>

<summary><strong>Error: 403 Forbidden</strong></summary>

**Cause:** Mailbox is not a member of the mail-enabled security group used in the management scope.

**Fix:** Add the mailbox to the group and retry the migration.

</details>
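A pre-flight check of the CSV transfer mapping against the scope, added as an example that is not part of Movebot's documentation or tooling. It covers both the mapping requirement above and the 403 error: every source mailbox in the file is tested, and each failure is classified as either "not in the group" (will 403; add it) or "in the group but not yet in scope" (propagation delay; wait and retry). It assumes the mapping CSV has a `Source` column holding the source mailbox's primary SMTP address (adjust `$SourceColumn` to your file) and uses placeholder IDs.

```powershell
# Added example (not Movebot's own script): classify mapped mailboxes before migrating.
#Requires -Modules ExchangeOnlineManagement

# --- Assumptions / placeholders ---
$MappingCsv   = ".\mailbox-mapping.csv"                 # your CSV transfer mapping
$SourceColumn = "Source"                                # column with the source mailbox address
$AppId        = "00000000-0000-0000-0000-000000000000"  # Application (client) ID
$GroupName    = "EWS-App-Allowed-Mailboxes"

Connect-ExchangeOnline -ShowBanner:$false

# Current group membership keyed by lower-cased primary SMTP address.
$members = @{}
Get-DistributionGroupMember -Identity $GroupName -ResultSize Unlimited |
    ForEach-Object { $members[$_.PrimarySmtpAddress.ToString().ToLower()] = $true }

# Distinct, normalised source addresses from the mapping file.
$sources = Import-Csv $MappingCsv |
    ForEach-Object { "$($_.$SourceColumn)".Trim().ToLower() } |
    Where-Object { $_ } | Sort-Object -Unique

$report = foreach ($mbx in $sources) {
    $rows    = Test-ServicePrincipalAuthorization -Identity $AppId -Resource $mbx -ErrorAction SilentlyContinue
    $inScope = [bool]($rows | Where-Object { $_.InScope -eq $true })
    $inGroup = $members.ContainsKey($mbx)
    $verdict = if ($inScope)    { "OK" }
               elseif ($inGroup) { "IN GROUP, NOT YET IN SCOPE (propagation delay: wait and retry)" }
               else              { "NOT IN GROUP (will return 403: add to group)" }
    [pscustomobject]@{ Mailbox = $mbx; InGroup = $inGroup; InScope = $inScope; Verdict = $verdict }
}

$report | Format-Table -AutoSize

# After reviewing the report, add the missing mailboxes to the group:
# $report | Where-Object { -not $_.InGroup } |
#     ForEach-Object { Add-DistributionGroupMember -Identity $GroupName -Member $_.Mailbox }
```

The membership lookup is what separates the two failure modes: `Test-ServicePrincipalAuthorization` alone cannot tell a mailbox that was never added from one whose scope change has not propagated yet, and retrying a genuinely missing mailbox for an hour only delays the fix.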

## Supported Features

Movebot supports Exchange Online mailbox migrations using this configuration.

| Feature           | Supported       |
| ----------------- | --------------- |
| Mailbox Migration | Fully Supported |
| Shared Mailboxes  | Fully Supported |
| Archive Mailboxes | Fully Supported |
| Calendar          | Fully Supported |
| Contacts          | Fully Supported |

