Enable Cloudmersive Email Protection for Exchange Online Members of Mail Enabled Security Group
9/6/2025 - Cloudmersive Support


To enable Cloudmersive Email Protection for selected users, and to limit permissions to only those users, follow these steps. The Cloudmersive Email Protection service will only have access to the emails of members of this security group.

  • First, navigate to Entra ID, Manage, App Registrations and click on New Registration.
  • Name the application CloudmersiveEmailProtect and under account type click on Single Tenant. Click on Register.
  • Under this application, click on Certificates and Secrets and Client Secrets and then New Client Secret. We recommend selecting a long expiration. Be sure to note down the expiration date of the secret, as the key will need to be rotated and the settings for Cloudmersive Email Protection will need to be updated prior to this date.
  • Open a new browser tab and navigate to the Exchange Admin Center. Click on Groups, and then Mail-enabled Security. Click on Add a group. Under group type, select Mail-enabled security. Name the group CloudmersiveEmailProtect. Assign at least one owner including yourself; note that an owner is not a member. Add the appropriate members; these are the users who will have email protection enabled. Note that you can also add Shared Mailboxes as members if needed. Select an appropriate alias. Enable Require owner approval to join the group. Click Create Group.
  • At the top of the screen in Exchange Admin Center click on Cloud Shell. Execute this command:
Connect-ExchangeOnline
  • Now execute this command:
$g = Get-Group -Identity "CloudmersiveEmailProtect"
  • Now we will create the management scope that corresponds with this group:
New-ManagementScope -Name "Scope-CloudmersiveEmailProtect" `
  -RecipientRestrictionFilter "((RecipientTypeDetails -eq 'UserMailbox') -or (RecipientTypeDetails -eq 'SharedMailbox')) -and (MemberOfGroup -eq '$($g.DistinguishedName)')"
  • Now run this command, but fill in the Client ID for the application we created previously:
$appId = "YOUR-APPLICATION-CLIENT-ID-HERE"
  • In your other browser tab, go to the Entra ID home, then Enterprise Applications, then CloudmersiveEmailProtectProd, and copy the Object ID. Now go back to the Cloud Shell tab in Exchange Admin Center and paste in the following command, filling in the Object ID:
$spObjectId = "YOUR-OBJECT-ID-HERE"
  • Now execute this command:
New-ServicePrincipal -AppId $appId -ObjectId $spObjectId -DisplayName "CloudmersiveEmailProtectPrincipal"
  • Now execute this command to grant mail read and write permissions to the application, but only to this user group scope:
New-ManagementRoleAssignment -Name "AppMailReadWrite-AllowedGroup" `
  -App $spObjectId `
  -Role "Application Mail.ReadWrite" `
  -CustomResourceScope "Scope-CloudmersiveEmailProtect"
  • Now execute this command to grant mail settings read and write (used to create and manage mail categories) to the application, but only to this user group scope:
New-ManagementRoleAssignment -Name "AppMailSettingsReadWrite-AllowedGroup" `
  -App $spObjectId `
  -Role "Application MailboxSettings.ReadWrite" `
  -CustomResourceScope "Scope-CloudmersiveEmailProtect"
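
To confirm that the scope limits the application to group members, the following check can be run in the same Cloud Shell session. It is an added example, not part of the original Cloudmersive steps; it uses the Exchange Online cmdlet Test-ServicePrincipalAuthorization, assumes $appId is still set, and the two mailbox addresses are placeholders to replace with a real member and a real non-member.

```powershell
# Added verification example (not from the original article).
# Assumes the Connect-ExchangeOnline session from the steps above and that $appId is still set.
$member    = "member@example.com"     # placeholder: a mailbox that IS in CloudmersiveEmailProtect
$nonMember = "nonmember@example.com"  # placeholder: a mailbox that is NOT in the group

# Show the filter stored on the scope; it should contain the group's distinguished name.
Get-ManagementScope -Identity "Scope-CloudmersiveEmailProtect" |
    Format-List Name, RecipientFilter

# Expected result per mailbox: in scope for the member, out of scope for the non-member.
$expected = [ordered]@{ $member = $true; $nonMember = $false }

$mismatches = foreach ($mbx in $expected.Keys) {
    $rows = @(Test-ServicePrincipalAuthorization -Identity $appId -Resource $mbx)

    # No rows means the role assignments were not found for this application at all.
    if ($rows.Count -eq 0) {
        [pscustomobject]@{
            Mailbox              = $mbx
            RoleName             = '(no role assignments returned)'
            AllowedResourceScope = $null
            InScope              = $null
        }
        continue
    }

    # Keep only the rows whose InScope value differs from what we expect for this mailbox.
    $rows |
        Where-Object { "$($_.InScope)" -ne "$($expected[$mbx])" } |
        Select-Object @{ Name = 'Mailbox'; Expression = { $mbx } },
                      RoleName, AllowedResourceScope, InScope
}

if ($mismatches) {
    Write-Warning "Scope does not match the intended group membership:"
    $mismatches | Format-Table -AutoSize
} else {
    Write-Output "OK: access is limited to members of CloudmersiveEmailProtect."
}
```

This check only reflects the Exchange role assignments. An unscoped Mail.ReadWrite or MailboxSettings.ReadWrite application permission granted to the same app under API permissions in Entra ID is not limited by the management scope, so confirm that none is present.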
