Limit app authentication with User.Read.All to access only a certain group of users

HaakonS 21 Reputation points

I am connecting to an app which synchronizes calendar events from outlook.
It uses app-level authentication, meaning that I, as admin, grant access to all users in my AD, but I do not want it to have access to the calendar of my CEO (stock-sensitive information).

After enabling the app, I have tried linking it to a user group in Enterprise Application > Users and Groups, but this does not seem to restrict the app from reading every other user in my AD which is not part of that group. In fact I have no idea what the added user does for me; it looks like adding things here has no effect.

How can I achieve restricting the third-party app's access to only members of a certain user group (or equivalent)?

Things I have tried that fail:
I have tried using this PowerShell guide:
But as it turns out, I cannot add my Microsoft 365 group type because "The identity of the policy scope is not a security principal", but if I try and make a group with Security type and add this as a new policy (using -PolicyScopeGroupId SecurityGroupName) I get the feedback that "The identity of the policy scope could not be resolved".

If I try and run -AccessRight DenyAccess on a single user, it appears as a new ApplicationAccessPolicy, but my app still has full access to the user, so the registered policy seems to do nothing.

The only thing that actually did something was to restrict access to a single user; this denied the app access to all other users, but in a company where I want access for 900 employees, this would mean creating 900 policies, which I cannot imagine was the designers' intent... Also I think it is limited how many policies one can create inside a single AD. However, I do not want a policy for 850 out of 900 users; I want to be able to restrict the app authorization to a single group in AD. Preferably I want to specify this directly in the Azure portal, but a PowerShell approach (that actually works) would help me as well.

Tags: Outlook Management, Microsoft Exchange Online Management, Microsoft Entra ID

Accepted answer
  1. Vasil Michev 96,836 Reputation points MVP

    The method you are referring to only applies to Exchange Online mailboxes, it does not affect the user object, or any related user-level permissions. It will work for example for Calendar.Read.All permissions, but not for User.Read.All.

    Anyway, to answer your question with regards to application access policies, you need to use a mail-enabled security group. Microsoft 365 Groups are not valid security principals, as you have already observed. So, create a mail-enabled security group via the M365 Admin Center/Exchange Admin Center or PowerShell (you cannot use the Azure portal), populate its membership and provide it as the value for the -PolicyScopeGroupId parameter.
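The procedure from the accepted answer, written out as an added Exchange Online PowerShell example (not code from the question, the answer, or Microsoft): create a mail-enabled security group, add the permitted mailboxes, scope a RestrictAccess policy to it, and test a member and a non-member. As the answer notes, this governs the app's access to Exchange Online mailboxes (calendar data), not the User.Read.All directory permission. The app ID, the contoso.example domain, and all user addresses are placeholders I made up, not values from the page.

```powershell
# Added example: limit a third-party app's mailbox access to members of one group.
# Assumes the ExchangeOnlineManagement module and an Exchange Administrator account.
Connect-ExchangeOnline

$appId     = '00000000-0000-0000-0000-000000000000'   # placeholder: the app's (client) ID
$groupName = 'CalendarSync-AllowedUsers'              # constructed group name
$groupSmtp = 'calendarsync-allowed@contoso.example'   # constructed address

# 1. Create the group with -Type Security. That is what makes it a mail-enabled
#    security group, i.e. a valid security principal for -PolicyScopeGroupId.
#    A Microsoft 365 Group (the default type) is rejected, as the question observed.
New-DistributionGroup -Name $groupName -Type Security -PrimarySmtpAddress $groupSmtp

# 2. Populate the group with the mailboxes the app is allowed to read (constructed users).
'alice@contoso.example', 'bob@contoso.example' |
    ForEach-Object { Add-DistributionGroupMember -Identity $groupName -Member $_ }

# 3. RestrictAccess: the app may reach only mailboxes of group members; every other
#    mailbox in the tenant (the CEO's included) is denied for this app. One policy
#    covers the whole group, so membership changes need no new policies.
New-ApplicationAccessPolicy -AppId $appId -PolicyScopeGroupId $groupSmtp `
    -AccessRight RestrictAccess -Description 'Calendar sync: group members only'

# 4. Verify the effective result for a member and for a mailbox outside the group
#    before relying on the policy.
Test-ApplicationAccessPolicy -Identity 'alice@contoso.example' -AppId $appId
Test-ApplicationAccessPolicy -Identity 'ceo@contoso.example'   -AppId $appId
```

Test-ApplicationAccessPolicy reports the outcome in its AccessCheckResult property, so the two checks at the end show directly whether the group scope behaves as intended for an in-scope and an out-of-scope mailbox. Keeping the policy on the group rather than on individual users is what avoids the 900-policy problem described in the question.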
