Utilising the PowerShell command New-ApplicationAccessPolicy, you can optionally restrict the Calendars.ReadWrite.All or Calendars.ReadBasic.All Graph API access scopes to a pre-defined mail-enabled security group, so the application can only reach the mailboxes that are members of that group.
Let's use the example below to illustrate the point, with 4 meeting room calendars (a.k.a. Room Mailbox Resources in Exchange).
| Calendar Name | Purpose |
|---|---|
| Meeting Room 1 | General Use Meeting Room |
| Meeting Room 2 | General Use Meeting Room |
| Meeting Room 3 | General Use Meeting Room |
| Executive Meeting Room | Meeting Room for Executives Use Only |
In this example, the calendar events from 'Executive Meeting Room' must not be accessible by the platform, so we want to restrict the platform's access to that mailbox only.
The steps we need to complete are:
- Ensure we have the minimum required permissions within Exchange Admin Center.
- Create a Mail-enabled Security Group within Exchange Admin Center with the allowed Calendar resources added as Members.
- Create a new Application Access Policy and link both the Microsoft Entra App for the platform (see here for Graph API details) and the Mail-enabled Security Group.
Note: The following instructions are a guide and you should verify the scripts before running them in your environment, as these instructions may slightly vary.
1. Checking your permissions (optional)
If you know you already have Exchange Administrator or Microsoft 365 Administrative permissions, then you can skip this check.
Update the script below with your User Principal Name (typically this is your email address).
```powershell
# Load the Exchange Online module (the guide also asks you to run this beforehand)
Import-Module ExchangeOnlineManagement

# Connect to Exchange Online
Connect-ExchangeOnline -UserPrincipalName "your.admin@yourdomain.com"

# Get current user (first connection only, in case several sessions are open)
$currentUser = (Get-ConnectionInformation | Select-Object -First 1).UserPrincipalName

# Get all management role assignments for the user (direct and via role groups)
$roles = Get-ManagementRoleAssignment -RoleAssignee $currentUser

# Define role groups and roles known to grant the required permissions
$validRoles = @(
    'Recipient Management',
    'Organization Management',
    'Mail Recipients', # Optional fallback for some group tasks
    'Security Group Creation and Membership' # If hybrid/Azure delegated
)

# Match on either the management role name or the role group that assigned it:
# 'Recipient Management' and 'Organization Management' are role groups, so they
# appear in RoleAssigneeName rather than Role.
$matchedRoles = $roles | Where-Object {
    ($validRoles -contains $_.Role) -or ($validRoles -contains $_.RoleAssigneeName)
}

# Display results
if ($matchedRoles) {
    Write-Host "`n You have sufficient permissions via the following role(s):" -ForegroundColor Green
    $matchedRoles | Format-Table Role, RoleAssigneeName, AssignmentMethod
} else {
    Write-Host "`n You do NOT have the required roles to run group or application policy commands." -ForegroundColor Red
    Write-Host "Please request one of the following roles: $($validRoles -join ', ')"
}

# Optionally close the session
$disconnect = Read-Host "`n Would you like to disconnect from Exchange Online? (Y/N)"
if ($disconnect -match '^[Yy]') {
    Disconnect-ExchangeOnline -Confirm:$false
    Write-Host "Disconnected from Exchange Online." -ForegroundColor Yellow
} else {
    Write-Host "Leaving session connected." -ForegroundColor Cyan
}
```
- Open up PowerShell with Administrative permissions.
- Run the command: Import-Module ExchangeOnlineManagement
- Copy the script above (or download 'Check-ExchangePermissions.ps1' below) to a text editor (Notepad or similar) and edit the -UserPrincipalName to your value. Once changed, copy all the text and paste it into your PowerShell window, and
- An example successful validation:
- If you got a message about not having the right roles, please speak to your M365 or Exchange Administrator to proceed.
2. Create a Mail-enabled Security Group
- Go to https://admin.microsoft.com and log in with the same account used in '1. Checking your permissions' of this guide.
- In the left-hand navigation menu, select "Active teams & groups".
- Select the 'Security groups' tab in the right-side window.
- Click the button, 'Add a mail-enabled security group'.
- Run through the wizard to create a name, e.g. 'Smart Building Calendar Group' and complete the wizard adding in the Owner(s) and Members of the group. The Members are the Room Resource calendars that you want to appear in the platform for management.
- Review the settings, then click 'Create group', noting that the assigned 'Group Email Address' will be used later on in this process. Note this down if you need it.
3. Create and assign an Application Access Policy
To assign the application access policy to the Entra App (created when assigning MS Teams Graph Permissions to the platform) and the mail-enabled security group, we need to gather some details before we can run the script.
Getting the MS Graph Application ID
- Sign in to Microsoft Entra at https://entra.microsoft.com/ with your account from '1. Checking your permissions' of this guide.
- In the left menu, navigate to 'Applications' > 'App Registrations'.
- Click and select the application that has been set up for this platform when originally onboarding.
- In the 'Overview' screen, copy the 'Application (client) ID' value.
Assign an Application Access Policy
- Open up PowerShell with Administrative permissions.
- Run the command: Import-Module ExchangeOnlineManagement
- Connect to Exchange Online using the command: Connect-ExchangeOnline -UserPrincipalName "your.admin@yourdomain.com"
- To create and assign the policy, run the command below, making sure to update the highlighted fields with your own values:
```powershell
New-ApplicationAccessPolicy -AppId <application ID> -PolicyScopeGroupId <mail-enabled group email address> -AccessRight RestrictAccess -Description "Restrict Smart Buildings Calendars to a specific group only"
```
The same AppId, together with a target mailbox, can be used to test the application access policy with the command 'Test-ApplicationAccessPolicy', but that is outside the scope of this guide. Further reading can be found here.
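The following end-to-end script is an added example, not part of the original guide: it performs steps 2 and 3 from PowerShell (creating the mail-enabled security group with `New-DistributionGroup -Type Security` instead of the admin center wizard, then creating the policy) and finishes with the `Test-ApplicationAccessPolicy` check the guide mentions, so you can confirm that the executive room is denied while the general rooms are granted. All mailbox addresses, the group alias and the application ID are placeholders you must replace.

```powershell
# Added example (not the guide's own script). Requires the ExchangeOnlineManagement
# module and an account with the permissions checked in step 1.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName "your.admin@yourdomain.com"

# Placeholder values - replace with your own (assumed, not values from the guide)
$appId          = "00000000-0000-0000-0000-000000000000"   # Application (client) ID from Entra
$groupName      = "Smart Building Calendar Group"
$groupAlias     = "SmartBuildingCalendars"
$allowedRooms   = @(
    "MeetingRoom1@yourdomain.com",
    "MeetingRoom2@yourdomain.com",
    "MeetingRoom3@yourdomain.com"
)
$restrictedRoom = "ExecutiveMeetingRoom@yourdomain.com"   # deliberately NOT a member

# 2. Create the mail-enabled security group if it does not exist yet.
#    -Type Security makes it a mail-enabled security group rather than a distribution list;
#    the members are the room mailboxes the platform is allowed to see.
$group = Get-DistributionGroup -Identity $groupAlias -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-DistributionGroup -Name $groupName -Alias $groupAlias -Type Security -Members $allowedRooms
}
$groupAddress = [string]$group.PrimarySmtpAddress

# 3. Create the policy: the app may only access mailboxes that are members of the group.
New-ApplicationAccessPolicy -AppId $appId `
    -PolicyScopeGroupId $groupAddress `
    -AccessRight RestrictAccess `
    -Description "Restrict Smart Buildings Calendars to a specific group only"

# Verify the outcome per mailbox: members should report Granted, the executive room Denied.
foreach ($mailbox in ($allowedRooms + $restrictedRoom)) {
    $result = Test-ApplicationAccessPolicy -Identity $mailbox -AppId $appId
    Write-Host ("{0,-40} {1}" -f $mailbox, $result.AccessCheckResult)
}
```

`Test-ApplicationAccessPolicy` evaluates the stored policy, which makes it a quick sanity check, but enforcement against live Graph calls can take some time to propagate after the policy is created, so re-test from the platform itself before relying on it. Because the group scopes the policy, adding a room to the platform later is a membership change on the group, not a new policy.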