Restrict Gong’s access to mailboxes
  • 06 Feb 2025

This article provides methods for allowing Gong to access a specific mail-enabled security group only. Replace [email protected] with the address associated with the mail-enabled security group you create as part of the steps below.

In Microsoft Azure

If you manage users/groups in Microsoft Azure, do the following:

  1. Install PowerShell, the PowerShell AzureAD Module, and the PowerShell Exchange Online Module V2.

  2. In Exchange Admin on the web portal, create a mail-enabled security group. Add users whose mailboxes you want Gong to access to this group.  [[email protected]]

  3. Create or authorize the Enterprise Application/Integration and record the Application ID from the Overview page. By default the Gong.io application installs with read access to every mailbox/calendar.

  4. Open PowerShell (as administrator) and connect to Exchange Online:

    Connect-ExchangeOnline -UserPrincipalName [email protected] -ShowProgress $true 
  5. Create an Application Access Policy that restricts the application you created to only accessing data in mailboxes/calendars that are part of the security group you created

    New-ApplicationAccessPolicy -AppId <appid> -PolicyScopeGroupId [email protected] -AccessRight RestrictAccess -Description "Restrict Gong.io Application to accessing only data belonging to members of [email protected]"
  6. Test your policy

    Test-ApplicationAccessPolicy -Identity [email protected] -AppId <appID> 

If the identity is in the group you created, the result returned should read: AccessCheckResult : Granted

If the identity is not in the group you created, the result returned should read: AccessCheckResult : Denied

Instructions + PowerShell script

Important:

Disclaimer: Use this approach only after you have reviewed the steps and the PowerShell script and feel comfortable that it will work as intended for your use case. Gong does not guarantee that this will work in your environment.

  1. Install required PowerShell modules, if necessary.

    Install-Module AzureAD -Force -Scope CurrentUser
    Install-Module ExchangeOnlineManagement -Force -Scope CurrentUser
  2. Create a mail-enabled security group in the Exchange Admin Portal (Microsoft Admin Portal). For example, “Gong Recorded Users” ([email protected]).

  3. Add one person to this mail-enabled security group. This person should be part of the larger group of recorded Gong users. Note the person’s User Principal Name (UPN).

  4. Make note of the User Principal Name (UPN) of any other person who is not a part of this mail-enabled security group and to whose mailbox Gong should have no access.

  5. Connect to Exchange Online (as administrator)

    Connect-ExchangeOnline -UserPrincipalName [email protected] -ShowProgress $true

    Replace [email protected] with your UPN (Exchange Administrator)

  6. Copy & edit the PowerShell script below as follows:

    1. Replace [email protected] with the address of the mail-enabled security group you created, for the $policyScopeGroupID parameter.

    2. Replace [email protected] with the UPN of the user you added to the Gong-specific mail-enabled security group, for the $gongAccessGranted parameter.

    3. Replace [email protected] with the UPN of the identity you noted in Step 4, who is not a part of the mail-enabled security group, for the $gongAccessDenied parameter.

    ###################### BEGIN POWERSHELL SCRIPT ##############################
    $applicationID = 'bd068d3a-1a1b-4dd7-add3-a599de1f3408'
    $policyScopeGroupID = '[email protected]'
    # Create the Application Access Policy
    New-ApplicationAccessPolicy -AppId $applicationID -PolicyScopeGroupId $policyScopeGroupID -AccessRight RestrictAccess -Description "Restrict Gong.io Application to access only data belonging to members of $policyScopeGroupID"
    # Test the policy
    $gongAccessGranted = '[email protected]'
    $gongAccessDenied = '[email protected]'
    # Test Gong's access to a member of the mail-enabled security group (expected: granted)
    $accessResult1 = Test-ApplicationAccessPolicy -Identity $gongAccessGranted -AppId $applicationID
    if ($accessResult1.AccessCheckResult -eq 'Granted') {
        Write-Host "Gong access granted"
    } else {
        Write-Host "Gong access denied"
    }
    # Test Gong's access to an identity that is not a part of the mail-enabled security group (expected: denied)
    $accessResult2 = Test-ApplicationAccessPolicy -Identity $gongAccessDenied -AppId $applicationID
    if ($accessResult2.AccessCheckResult -eq 'Granted') {
        Write-Host "Gong access granted"
    } else {
        Write-Host "Gong access denied"
    }
    ###################### END POWERSHELL SCRIPT ##############################

    4. Save your changes and run the PowerShell script as a .ps1 file (gong.ps1).

In Microsoft Entra

If you manage users/groups in Microsoft Entra, do the following:

Create an administrative unit for scoping

  1. As global admin go to: Administrative units - Microsoft Entra admin center

  2. Create a new admin unit with the following settings:

    1. Name: GONG-ADMIN-UNIT

    2. Description: Administrative unit containing users the GONG application can access mail and calendars in read only mode.

    3. Restricted management administrative unit: NO

    4. Assigned role: None

  3. Add the users you want to allow Gong access to.

  4. In the admin unit, select Properties on the left panel. Copy the Object ID <Admin unit object ID> of the admin unit for use in the next steps.

Scope application permission in Exchange Online

Use the following scripts to give Gong read access to the group’s emails and calendars.  

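    # Register the Gong application as a service principal in Exchange Online.
    # Confirm that -ObjectId matches the Object ID shown for the application
    # under Enterprise applications in your tenant.
    New-ServicePrincipal -AppId "bd068d3a-1a1b-4dd7-add3-a599de1f3408" `
        -ObjectId "61d5fe2e-a67d-4d93-842a-225e8756ff86" `
        -DisplayName "Gong - Mailbox Integration"

    # Grant read access to mail, scoped to the administrative unit only.
    New-ManagementRoleAssignment -Name "MailRead" `
        -App "bd068d3a-1a1b-4dd7-add3-a599de1f3408" `
        -Role "Application Mail.Read" `
        -RecipientAdministrativeUnitScope "<Admin unit object ID>"

    # Grant read access to calendars, scoped to the administrative unit only.
    New-ManagementRoleAssignment -Name "CalendarRead" `
        -App "bd068d3a-1a1b-4dd7-add3-a599de1f3408" `
        -Role "Application Calendars.Read" `
        -RecipientAdministrativeUnitScope "<Admin unit object ID>"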

If you have Gong Engage

For Gong Engage users, Gong needs read/write permissions to emails. Use the following scripts to give read/write access:  

    # Grant read/write access to mail, scoped to the administrative unit only.
    New-ManagementRoleAssignment -Name "MailReadWrite" `
        -App "bd068d3a-1a1b-4dd7-add3-a599de1f3408" `
        -Role "Application Mail.ReadWrite" `
        -RecipientAdministrativeUnitScope "<Admin unit object ID>"

    # Grant permission to send mail, scoped to the administrative unit only.
    New-ManagementRoleAssignment -Name "MailSend" `
        -App "bd068d3a-1a1b-4dd7-add3-a599de1f3408" `
        -Role "Application Mail.Send" `
        -RecipientAdministrativeUnitScope "<Admin unit object ID>"

Remove Graph API mail and calendar global access

Remove Gong’s global read/write access to mail and calendar objects:

  1. Go to the Enterprise app in Entra ID.

  2. Find the “Gong - Mailbox integration” application and remove the following global consented permissions:

    1. Calendars.Read

    2. Mail.Read

    3. Mail.ReadWrite

    4. Mail.Send
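
The Entra procedure above has no test step, so the following added example (not part of Gong's instructions or script) checks the result with Exchange Online's Test-ServicePrincipalAuthorization cmdlet: one mailbox inside the administrative unit must be reachable, and one outside it must not be. The two UPNs are placeholders you replace, Get-ScopeFinding is a helper defined here for illustration, and an open Connect-ExchangeOnline session is assumed.

```powershell
# Added example, not Gong's script. Run in a session opened with Connect-ExchangeOnline.
$appId       = 'bd068d3a-1a1b-4dd7-add3-a599de1f3408'  # Gong application ID from this article
$inScopeUpn  = 'member@example.com'     # placeholder: a user inside GONG-ADMIN-UNIT
$outScopeUpn = 'nonmember@example.com'  # placeholder: a user outside the admin unit

# Hypothetical helper: compares the rows returned for one mailbox with what is expected.
function Get-ScopeFinding {
    param(
        [Parameter(Mandatory)] [string] $Mailbox,
        [Parameter(Mandatory)] [bool]   $ShouldBeInScope,
        [object[]] $Rows  # rows returned by Test-ServicePrincipalAuthorization
    )
    # Keep only the role assignments that actually reach this mailbox.
    $reaching = @($Rows | Where-Object { "$($_.InScope)" -eq 'True' })
    if ($ShouldBeInScope -and $reaching.Count -eq 0) {
        [pscustomobject]@{
            Mailbox = $Mailbox
            Finding = 'No role assignment reaches a mailbox that should be in scope'
            Roles   = ''
        }
    }
    elseif (-not $ShouldBeInScope -and $reaching.Count -gt 0) {
        [pscustomobject]@{
            Mailbox = $Mailbox
            Finding = 'A grant still reaches a mailbox outside the admin unit'
            Roles   = ($reaching.RoleName -join ', ')
        }
    }
}

$cases = @(
    @{ Upn = $inScopeUpn;  Expect = $true  },
    @{ Upn = $outScopeUpn; Expect = $false }
)
$findings = @(
    foreach ($case in $cases) {
        $rows = Test-ServicePrincipalAuthorization -Identity $appId -Resource $case.Upn
        $rows | Format-Table -AutoSize | Out-Host   # show the raw rows for the record
        Get-ScopeFinding -Mailbox $case.Upn -ShouldBeInScope $case.Expect -Rows $rows
    }
)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize | Out-Host
    throw 'Gong mailbox scope check failed'
}
Write-Host 'Scope check passed: Gong reaches only the admin unit member.'
```

A finding for the non-member mailbox lists the roles that still reach it, which points to a global consented permission that was not removed in the step above.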

