Restrict Gong’s access to mailboxes


Who can use this: Tech admin, Global Entra ID admin

Available on: Any Gong plan

This article describes two methods for limiting Gong's access to your company's Microsoft 365 (Exchange Online) mailboxes to the members of a specific mail-enabled security group or administrative unit. Choose between:

  1. Mail-enabled security group configured with Microsoft Entra ID

  2. Administrative unit configured in Microsoft Entra

Replace gongusers@domain.org (gongusers@your-domain.com in the script) with the address of the mail-enabled security group you create as part of the steps below.

Option 1: Mail-enabled security group

A mail-enabled security group controls which mailboxes Gong can access: an Exchange Online application access policy restricts the Gong application to the mailboxes of the group's members. You can create and test the policy manually through Exchange Online PowerShell, or run the PowerShell script below, which performs the same steps once the group exists.

Set up a security group in Microsoft Entra ID

Create the mail-enabled security group, then create and test the application access policy that scopes Gong to it.

To set up the security group in Microsoft Entra ID:

  1. If needed, install PowerShell and the Exchange Online PowerShell module (ExchangeOnlineManagement). Every cmdlet in the steps below belongs to this module; the legacy AzureAD module, which Microsoft has retired, is not needed.

    Install-Module ExchangeOnlineManagement -Force -Scope CurrentUser
  2. In the Exchange admin center, create a mail-enabled security group (for example gongusers@domain.org) and add the users whose mailboxes you want Gong to access.

  3. In Microsoft Entra ID, create or authorize the Gong enterprise application (integration) and record its Application ID (AppId) from the Overview page. By default the Gong.io application installs with read access to every mailbox and calendar in the tenant; the policy created below is what narrows that access.

  4. Open PowerShell as an administrator and connect to Exchange Online with an account that holds an Exchange Online admin role.

    Connect-ExchangeOnline -UserPrincipalName user@domain.org -ShowProgress $true 
  5. Create an application access policy that restricts the Gong application to data in mailboxes and calendars belonging to members of the group you created.

    New-ApplicationAccessPolicy -AppId <appid> -PolicyScopeGroupId gongusers@domain.org -AccessRight RestrictAccess -Description "Restrict Gong.io Application to accessing only data belonging to members of gongusers@domain.org"
  6. Test the policy by running this command once for a user in the group and once for a user who isn't:

    Test-ApplicationAccessPolicy -Identity user@domain.org -AppId <appID>

    If the user is in the group the result should be: AccessCheckResult : Granted

    If the user isn't in the group the result should be: AccessCheckResult : Denied

    A new or changed application access policy can take up to 30 minutes to take effect, so repeat the test before concluding that the policy is wrong.
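Testing one member and one non-member proves the policy exists, not that it covers everyone it should. The following script, added here as an example rather than taken from the original article, audits the policy for every mailbox in the group and for one control mailbox that must stay outside it. It assumes you are already connected with Connect-ExchangeOnline; `<appid>` and the group address come from the steps above, and outsider@domain.org is a placeholder for any mailbox that is not a group member.

```powershell
# Added example: audit Gong's application access policy across the whole scoping group.
# Assumes an existing Connect-ExchangeOnline session. Placeholders to replace:
#   $AppId           - Gong's Application ID from the enterprise application Overview page
#   $GroupAddress    - the mail-enabled security group used in the policy
#   $ControlMailbox  - a mailbox that is NOT a member of the group (assumed name)
param(
    [string]$AppId          = '<appid>',
    [string]$GroupAddress   = 'gongusers@domain.org',
    [string]$ControlMailbox = 'outsider@domain.org'
)

# 1. Confirm a RestrictAccess policy for this AppId exists and note what it is scoped to.
$policy = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
if (-not $policy) {
    throw "No application access policy found for AppId $AppId; Gong can still read every mailbox."
}
$policy | Format-List AppId, ScopeName, ScopeIdentity, AccessRight, Description

# 2. Every mailbox-enabled member of the group is expected to be Granted.
#    Non-mailbox members (contacts, nested groups) cannot be tested and are skipped.
$members = Get-DistributionGroupMember -Identity $GroupAddress -ResultSize Unlimited |
           Where-Object { $_.RecipientTypeDetails -like '*Mailbox' }

$results = @(foreach ($m in $members) {
    $r = Test-ApplicationAccessPolicy -Identity $m.PrimarySmtpAddress -AppId $AppId
    [pscustomobject]@{
        Mailbox  = $m.PrimarySmtpAddress
        Expected = 'Granted'
        Actual   = $r.AccessCheckResult
    }
})

# 3. The control mailbox outside the group is expected to be Denied.
$r = Test-ApplicationAccessPolicy -Identity $ControlMailbox -AppId $AppId
$results += [pscustomobject]@{
    Mailbox  = $ControlMailbox
    Expected = 'Denied'
    Actual   = $r.AccessCheckResult
}

$results | Format-Table -AutoSize

# 4. Fail loudly on any mismatch so the script can gate a change window or a scheduled check.
$mismatches = $results | Where-Object { $_.Actual -ne $_.Expected }
if ($mismatches) {
    $mismatches | Format-Table -AutoSize
    Write-Error "Policy check FAILED for $($mismatches.Count) mailbox(es)"
    exit 1
}
Write-Host "Policy check passed: $($members.Count) member mailbox(es) granted, control mailbox denied"
```

Run it again a few minutes after any membership change: policy evaluation lags group changes, and a member that still shows Denied after 30 minutes usually means the user was added to a different group than the one named in the policy.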

Set up a security group using a PowerShell script

This PowerShell script creates and tests the application access policy for a mail-enabled security group you have already created in the Exchange admin center. You don't need to run it if you've already created the policy manually using the steps above.

Important:

Disclaimer: Use this approach only after you have reviewed the PowerShell script and feel comfortable that it will work as intended for your use case. Gong does not guarantee that this will work in your environment.

To set up the security group with a PowerShell script:

  1. Install the Exchange Online PowerShell module, if necessary. The script uses only ExchangeOnlineManagement cmdlets.

    Install-Module ExchangeOnlineManagement -Force -Scope CurrentUser
  2. Copy and edit the PowerShell script below as follows:

  1. Replace gongusers@your-domain.com in the $policyScopeGroupID parameter with the address of the mail-enabled security group you created.

  2. Replace access-granted@your-domain.com in the $gongAccessGranted parameter with the UPN of a user who is a member of the mail-enabled security group.

  3. Replace access-denied@your-domain.com in the $gongAccessDenied parameter with the UPN of a user who is not a member of the mail-enabled security group.

    ###################### BEGIN POWERSHELL SCRIPT ##############################
    # Gong's application ID; confirm it matches the Application ID on the enterprise application's Overview page
    $applicationID = 'bd068d3a-1a1b-4dd7-add3-a599de1f3408'
    $policyScopeGroupID = 'gongusers@your-domain.com'
    # Connect to Exchange Online (prompts for sign-in) so the cmdlets below are available
    Connect-ExchangeOnline -ShowBanner:$false
    # Create the Application Access Policy
    New-ApplicationAccessPolicy -AppId $applicationID -PolicyScopeGroupId $policyScopeGroupID -AccessRight RestrictAccess -Description "Restrict Gong.io Application to access only data belonging to members of $policyScopeGroupID"
    # Test the policy
    $gongAccessGranted = 'access-granted@your-domain.com'
    $gongAccessDenied = 'access-denied@your-domain.com'
    # Test Gong's access to a member of the mail-enabled security group (expected result: Granted)
    $accessResult1 = Test-ApplicationAccessPolicy -Identity $gongAccessGranted -AppId $applicationID
    if ($accessResult1.AccessCheckResult -eq 'Granted') {
       Write-Host "Gong access granted to $gongAccessGranted (expected)"
       }
    else {
       Write-Warning "Gong access denied to $gongAccessGranted but Granted was expected; check group membership"
       }
    # Test Gong's access to an identity that is not a member of the mail-enabled security group (expected result: Denied)
    $accessResult2 = Test-ApplicationAccessPolicy -Identity $gongAccessDenied -AppId $applicationID
    if ($accessResult2.AccessCheckResult -eq 'Granted') {
       Write-Warning "Gong access granted to $gongAccessDenied but Denied was expected; check the policy scope"
       }
    else {
       Write-Host "Gong access denied to $gongAccessDenied (expected)"
       }
    ###################### END POWERSHELL SCRIPT ##############################
  3. Save the script as a .ps1 file (for example gong.ps1) and run it from PowerShell.

Option 2: Admin unit in Microsoft Entra

If you manage users and groups in Microsoft Entra, you can create an administrative unit and use it as the recipient scope of Exchange Online role assignments for the Gong application.

Step 1: Create an administrative unit

An administrative unit is a container in Microsoft Entra that groups specific users. On its own it doesn't restrict any application; it becomes the recipient scope of the role assignments created in Step 2, so Gong can reach only the mailboxes of its members.

To create an administrative unit:

  1. As a Global Administrator, open Administrative units in the Microsoft Entra admin center.

  2. Create a new admin unit with following settings:

    1. Name: GONG-ADMIN-UNIT

    2. Description: Administrative unit containing the users whose mail and calendars the Gong application can read.

    3. Restricted management administrative unit: NO

    4. Assigned role: None

  3. Add the users you want to allow Gong access to.

  4. In the admin unit, select Properties on the left panel. Copy the Object ID <Admin unit object ID> of the admin unit for use in the next steps.

Step 2: Scope application permission in Exchange Online

Run the following commands in an Exchange Online PowerShell session (Connect-ExchangeOnline) to register the Gong service principal in Exchange Online and grant it read access to the mail and calendars of the admin unit's members only. Replace <Gong service principal object ID> with the Object ID shown on the Gong enterprise application's Overview page in your tenant (unlike the AppId, a service principal's object ID is specific to each tenant), and <Admin unit object ID> with the value you copied in Step 1.

New-ServicePrincipal -AppId "bd068d3a-1a1b-4dd7-add3-a599de1f3408" `
        -ObjectId "<Gong service principal object ID>" `
        -DisplayName "Gong - Mailbox Integration"
New-ManagementRoleAssignment -Name "MailRead" `
        -App "bd068d3a-1a1b-4dd7-add3-a599de1f3408" `
        -Role "Application Mail.Read" `
        -RecipientAdministrativeUnitScope "<Admin unit object ID>"
New-ManagementRoleAssignment -Name "CalendarRead" `
        -App "bd068d3a-1a1b-4dd7-add3-a599de1f3408" `
        -Role "Application Calendars.Read" `
        -RecipientAdministrativeUnitScope "<Admin unit object ID>"

These role assignments grant access; they don't narrow permissions the application already holds. If the Gong application was consented with tenant-wide Microsoft Graph application permissions such as Mail.Read, that consent still covers every mailbox, so review the application's API permissions in Microsoft Entra and remove the tenant-wide grants that the admin unit scope is meant to replace. You can confirm the effective scope for a given mailbox with Test-ServicePrincipalAuthorization -Identity <AppId> -Resource <mailbox>.

Step 3: If you have Gong Engage

Gong Engage needs read/write access to mail and the ability to send mail from users' mailboxes. Run the following additional commands, scoped to the same admin unit:

New-ManagementRoleAssignment -Name "MailReadWrite" `
        -App "bd068d3a-1a1b-4dd7-add3-a599de1f3408" `
        -Role "Application Mail.ReadWrite" `
        -RecipientAdministrativeUnitScope "<Admin unit object ID>"
New-ManagementRoleAssignment -Name "MailSend" `
        -App "bd068d3a-1a1b-4dd7-add3-a599de1f3408" `
        -Role "Application Mail.Send" `
        -RecipientAdministrativeUnitScope "<Admin unit object ID>"
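The commands in Steps 2 and 3 fail if run twice (the service principal and role assignment names already exist) and leave no evidence of what Gong can actually reach. The following script, added here as an example and not part of the original article or Gong's tooling, wraps the same steps so they can be re-run safely and then checks the effective scope against one mailbox inside the admin unit and one outside it. It assumes an existing Connect-ExchangeOnline session; the service principal object ID, admin unit ID and the two test mailboxes are placeholders, and the Engage roles are included only when -Engage is passed.

```powershell
# Added example: idempotent setup and verification of Gong's admin-unit-scoped Exchange RBAC.
# Assumes an existing Connect-ExchangeOnline session. Placeholders to replace:
#   $ServicePrincipalObjectId - Object ID of the Gong enterprise application in YOUR tenant
#   $AdminUnitId              - Object ID of GONG-ADMIN-UNIT copied in Step 1
#   $MemberMailbox            - a user inside the admin unit (assumed name)
#   $OutsiderMailbox          - a user outside the admin unit (assumed name)
param(
    [string]$AppId                    = 'bd068d3a-1a1b-4dd7-add3-a599de1f3408',
    [string]$ServicePrincipalObjectId = '<Gong service principal object ID>',
    [string]$AdminUnitId              = '<Admin unit object ID>',
    [string]$MemberMailbox            = 'member@domain.org',
    [string]$OutsiderMailbox          = 'outsider@domain.org',
    [switch]$Engage                    # also assign the Gong Engage read/write and send roles
)

# 1. Register the service principal in Exchange Online once; later runs reuse it.
$sp = Get-ServicePrincipal -Identity $AppId -ErrorAction SilentlyContinue
if (-not $sp) {
    $sp = New-ServicePrincipal -AppId $AppId -ObjectId $ServicePrincipalObjectId `
                               -DisplayName 'Gong - Mailbox Integration'
    Write-Host "Created service principal $($sp.DisplayName)"
}

# 2. Desired role assignments (name -> Exchange application role), all scoped to the admin unit.
$wanted = [ordered]@{
    'MailRead'     = 'Application Mail.Read'
    'CalendarRead' = 'Application Calendars.Read'
}
if ($Engage) {
    $wanted['MailReadWrite'] = 'Application Mail.ReadWrite'
    $wanted['MailSend']      = 'Application Mail.Send'
}

$existing = @(Get-ManagementRoleAssignment -App $AppId -ErrorAction SilentlyContinue)
foreach ($name in $wanted.Keys) {
    if ($existing | Where-Object { $_.Name -eq $name }) {
        Write-Host "Role assignment $name already exists; skipping"
        continue
    }
    New-ManagementRoleAssignment -Name $name -App $AppId -Role $wanted[$name] `
                                 -RecipientAdministrativeUnitScope $AdminUnitId | Out-Null
    Write-Host "Created role assignment $name ($($wanted[$name]))"
}

# 3. Verify what Exchange will actually authorize for a given mailbox.
#    Test-ServicePrincipalAuthorization lists each role with InScope = True/False for that resource.
function Test-GongScope([string]$Mailbox) {
    $auth = @(Test-ServicePrincipalAuthorization -Identity $AppId -Resource $Mailbox)
    [pscustomobject]@{
        Mailbox      = $Mailbox
        RolesInScope = @($auth | Where-Object { $_.InScope -eq $true }).Count
        Roles        = (($auth | Where-Object { $_.InScope -eq $true }).RoleName -join ', ')
    }
}

$checks = @(Test-GongScope $MemberMailbox; Test-GongScope $OutsiderMailbox)
$checks | Format-Table -AutoSize

if ($checks[0].RolesInScope -lt $wanted.Count) {
    Write-Error "$MemberMailbox is not covered by all $($wanted.Count) roles; is the user in the admin unit?"
}
if ($checks[1].RolesInScope -gt 0) {
    Write-Error "$OutsiderMailbox is in scope for Gong; check admin unit membership and tenant-wide Graph consent"
}
```

The outsider check is the one that matters for least privilege: if it reports any role in scope, either the admin unit contains more users than intended or the application still holds a tenant-wide grant that these assignments were supposed to replace.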