Restrict Gong’s access to mailboxes
This article provides methods for allowing Gong to access a specific mail-enabled security group only. Replace [email protected] with the address associated with the mail-enabled security group you create as part of the steps below.
In Microsoft Azure
If you manage users/groups in Microsoft Azure do the following:
Install PowerShell, the PowerShell AzureAD module, and the PowerShell Exchange Online Management module V2
In Exchange Admin on the web portal, create a mail-enabled security group. Add users whose mailboxes you want Gong to access to this group. [[email protected]]
Create or authorize the Enterprise Application/Integration and record the Application ID from the Overview page. By default the Gong.io application installs with read access to every mailbox/calendar.
Open PowerShell (as administrator) and connect to Exchange Online
Connect-ExchangeOnline -UserPrincipalName [email protected] -ShowProgress $true
Create an Application Access Policy that restricts the application you created to only accessing data in mailboxes/calendars that are part of the security group you created
New-ApplicationAccessPolicy -AppId <appid> -PolicyScopeGroupId [email protected] -AccessRight RestrictAccess -Description "Restrict Gong.io Application to accessing only data belonging to members of [email protected]"
Test your policy
Test-ApplicationAccessPolicy -Identity [email protected] -AppId <appID>
If the identity is in the group you created the result returned should read: AccessCheckResult : Granted
If the identity is not in the group you created the result returned should read: AccessCheckResult : Denied
Instructions + PowerShell script
Important:
Disclaimer: Use this approach only after you have reviewed the steps and the PowerShell script and feel comfortable that it will work as intended for your use case. Gong does not guarantee that this will work in your environment.
Install required PowerShell modules, if necessary.
Install-Module AzureAD -Force -Scope CurrentUser
Install-Module ExchangeOnlineManagement -Force -Scope CurrentUser
Create a mail-enabled security group in the Exchange Admin Portal (Microsoft Admin Portal). For example, “Gong Recorded Users” ([email protected]).
Add one person to this mail-enabled security group. This person should be part of the larger group of recorded Gong users. Note the person's User Principal Name (UPN).
Make note of the User Principal Name (UPN) of another person who is not a member of this mail-enabled security group and to whom Gong should have no access at all.
Connect to Exchange Online (as administrator)
Connect-ExchangeOnline -UserPrincipalName [email protected] -ShowProgress $true
Replace [email protected] with your UPN (Exchange Administrator)
Copy & edit the PowerShell Script below as follows:
Replace [email protected] with the address defined for the mail-enabled security group you created for the $policyScopeGroupId parameter
Replace [email protected] with the UPN of the user identity added to the Gong-specific mail-enabled security group for the $gongAccessGranted parameter
Replace [email protected] with the UPN of the identity you noted, and who is not a part of the mail-enabled security group, as a result of Step 4 for the parameter named $gongAccessDenied
###################### BEGIN POWERSHELL SCRIPT ##############################
$applicationID = 'bd068d3a-1a1b-4dd7-add3-a599de1f3408'
$policyScopeGroupID = '[email protected]'

# Create the Application Access Policy
New-ApplicationAccessPolicy -AppId $applicationID -PolicyScopeGroupId $policyScopeGroupID -AccessRight RestrictAccess -Description "Restrict Gong.io Application to access only data belonging to members of $policyScopeGroupID"

# Test the policy
$gongAccessGranted = '[email protected]'
$gongAccessDenied = '[email protected]'

# Test Gong's access to a member of the mail-enabled security group (expected: Granted)
$accessResult1 = Test-ApplicationAccessPolicy -Identity $gongAccessGranted -AppId $applicationID
if ($accessResult1.AccessCheckResult -eq 'Granted') { Write-Host "Gong access granted" } else { Write-Host "Gong access denied" }

# Test Gong's access to an identity that is not a part of the mail-enabled security group (expected: Denied)
$accessResult2 = Test-ApplicationAccessPolicy -Identity $gongAccessDenied -AppId $applicationID
if ($accessResult2.AccessCheckResult -eq 'Granted') { Write-Host "Gong access granted" } else { Write-Host "Gong access denied" }
###################### END POWERSHELL SCRIPT ##############################
Save your changes and run the PowerShell Script as a .ps1 file (gong.ps1)
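As an added check that is not part of the Gong article, the script below validates the policy across the whole group rather than a single user: every group member must come back Granted and a known non-member must come back Denied. It assumes you are already connected with Connect-ExchangeOnline as an Exchange administrator; the group address and non-member UPN are constructed placeholders.

```powershell
# Added example (not from the Gong article): check the Application Access Policy against
# every member of the mail-enabled security group and one known non-member.
# Assumes Connect-ExchangeOnline has already been run as an Exchange administrator.
$applicationId      = 'bd068d3a-1a1b-4dd7-add3-a599de1f3408'   # Gong application ID from the article
$policyScopeGroupId = 'gong-recorded-users@example.com'        # constructed placeholder: your group's address
$nonMemberUpn       = 'outsider@example.com'                   # constructed placeholder: a user not in the group

# 1. Confirm a policy for this AppId exists before testing anything
$policy = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $applicationId }
if (-not $policy) { throw "No Application Access Policy found for AppId $applicationId" }
$policy | Format-List AppId, ScopeName, AccessRight, Description

# 2. Every mailbox member of the scope group must come back Granted
$failures = @()
foreach ($member in Get-DistributionGroupMember -Identity $policyScopeGroupId -ResultSize Unlimited) {
    if ($member.RecipientType -notlike '*Mailbox*') { continue }   # skip nested groups and contacts
    $upn = $member.PrimarySmtpAddress
    $result = Test-ApplicationAccessPolicy -Identity $upn -AppId $applicationId
    if ($result.AccessCheckResult -ne 'Granted') {
        $failures += "${upn}: expected Granted, got $($result.AccessCheckResult)"
    }
}

# 3. A user outside the group must come back Denied; if not, the app is still tenant-wide
$outside = Test-ApplicationAccessPolicy -Identity $nonMemberUpn -AppId $applicationId
if ($outside.AccessCheckResult -ne 'Denied') {
    $failures += "${nonMemberUpn}: expected Denied, got $($outside.AccessCheckResult)"
}

if ($failures.Count -eq 0) {
    Write-Host "Policy verified: all group members Granted, $nonMemberUpn Denied"
} else {
    Write-Warning ("Policy verification failed:`n" + ($failures -join "`n"))
}
```

Application Access Policy changes can take up to 30 minutes to apply to Graph calls, so re-run the check if a freshly created policy still reports Granted for the non-member.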
In Microsoft Entra
If you manage users/groups in Microsoft Entra do the following:
Create an administrative unit for scoping
As global admin go to: Administrative units - Microsoft Entra admin center
Create a new admin unit with following settings:
Name: GONG-ADMIN-UNIT
Description: Administrative unit containing the users whose mail and calendars the GONG application can access in read-only mode.
Restricted management administrative unit: NO
Assigned role: None
Add the users you want to allow Gong access to.
In the admin unit, select Properties on the left panel. Copy the Object ID <Admin unit object ID> of the admin unit for use in the next steps.
Scope application permission in Exchange Online
Use the following commands to give Gong read access to the mail and calendars of the users in the administrative unit.
# Register the Gong service principal in Exchange Online (ObjectId is the service principal's object ID in Entra ID)
New-ServicePrincipal -AppId "bd068d3a-1a1b-4dd7-add3-a599de1f3408" `
    -ObjectId "61d5fe2e-a67d-4d93-842a-225e8756ff86" `
    -DisplayName "Gong - Mailbox Integration"

# Grant Mail.Read, scoped to the administrative unit only
New-ManagementRoleAssignment -Name "MailRead" `
    -App "bd068d3a-1a1b-4dd7-add3-a599de1f3408" `
    -Role "Application Mail.Read" `
    -RecipientAdministrativeUnitScope "<Admin unit object ID>"

# Grant Calendars.Read, scoped to the administrative unit only
New-ManagementRoleAssignment -Name "CalendarRead" `
    -App "bd068d3a-1a1b-4dd7-add3-a599de1f3408" `
    -Role "Application Calendars.Read" `
    -RecipientAdministrativeUnitScope "<Admin unit object ID>"
If you have Gong Engage
For Gong Engage users, Gong needs read/write permissions to emails. Use the following scripts to give read/write access:
New-ManagementRoleAssignment -Name "MailReadWrite" `
    -App "bd068d3a-1a1b-4dd7-add3-a599de1f3408" `
    -Role "Application Mail.ReadWrite" `
    -RecipientAdministrativeUnitScope "<Admin unit object ID>"

New-ManagementRoleAssignment -Name "MailSend" `
    -App "bd068d3a-1a1b-4dd7-add3-a599de1f3408" `
    -Role "Application Mail.Send" `
    -RecipientAdministrativeUnitScope "<Admin unit object ID>"
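An added verification step, not from the article, for the role assignments above: it lists what the Gong service principal has been granted and uses Test-ServicePrincipalAuthorization to confirm that the roles apply to a mailbox inside the administrative unit and not to one outside it. It assumes Connect-ExchangeOnline is already connected; the two UPNs are constructed placeholders.

```powershell
# Added example (not from the Gong article): verify that the RBAC-for-Applications
# assignments for Gong are limited to the administrative unit.
# Assumes Connect-ExchangeOnline has already been run as an Exchange administrator.
$gongAppId   = 'bd068d3a-1a1b-4dd7-add3-a599de1f3408'   # Gong application ID from the article
$inScopeUpn  = 'member@example.com'                     # constructed placeholder: a user in GONG-ADMIN-UNIT
$outScopeUpn = 'outsider@example.com'                   # constructed placeholder: a user not in the unit

# 1. List every role assignment granted to the Gong service principal together with its scope.
#    An assignment without an administrative-unit scope here would be tenant-wide.
Get-ManagementRoleAssignment -App $gongAppId |
    Format-Table Name, Role, RecipientAdministrativeUnitScope -AutoSize

# 2. Ask Exchange Online which of the app's roles are in scope for a given mailbox.
#    InScope is $true only when the resource falls inside the assignment's scope.
function Get-GongRolesInScope {
    param([string]$Upn)
    Test-ServicePrincipalAuthorization -Identity $gongAppId -Resource $Upn |
        Where-Object { $_.InScope } |
        Select-Object -ExpandProperty RoleName
}

$memberRoles  = @(Get-GongRolesInScope -Upn $inScopeUpn)
$outsideRoles = @(Get-GongRolesInScope -Upn $outScopeUpn)

# 3. Expected outcome: the admin-unit member sees Application Mail.Read and Application Calendars.Read
#    (plus Mail.ReadWrite and Mail.Send if Gong Engage was configured); the outsider sees none.
Write-Host "In-scope roles for $inScopeUpn : $($memberRoles -join ', ')"
Write-Host "In-scope roles for $outScopeUpn : $($outsideRoles -join ', ')"

if ($outsideRoles.Count -gt 0) {
    Write-Warning "$outScopeUpn is outside the admin unit but still in scope; review the assignments listed above"
}
if ($memberRoles -notcontains 'Application Mail.Read') {
    Write-Warning "$inScopeUpn is in the admin unit but Application Mail.Read is not in scope"
}
```

Run this before removing the tenant-wide Graph consent in the next section, so that Gong does not lose access to the recorded users while you confirm the scoped assignments work.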
Remove Graph API mail and calendar global access
Remove Gong’s global read/write access to mail and calendar objects:
Go to the Enterprise app in Entra ID
Find the "Gong - Mailbox integration" application and remove the following globally consented permissions:
Calendars.Read
Mail.Read
Mail.ReadWrite
Mail.Send