I am connecting to an app which synchronizes calendar events from Outlook.
It uses app-level authentication, meaning that I, as admin, grant access to all users in my AD, but I do not want it to have access to the calendar of my CEO (stock-sensitive information).
After enabling the app, I have tried linking it to a user group in Enterprise Application > Users and Groups, but this does not seem to restrict the app from reading every other user in my AD who is not part of that group. In fact I have no idea what the added user does for me; it looks like adding things here has no effect.
How can I achieve restricting the third-party app's access to only members of a certain user group (or equivalent)?
Things I have tried that fail:
I have tried using this PowerShell guide:
But as it turns out, I cannot add my Microsoft 365 group type because "The identity of the policy scope is not a security principal", but if I try to make a group with Security type and add this as a new policy (using -PolicyScopeGroupId SecurityGroupName) I get the feedback that "The identity of the policy scope could not be resolved".
If I try to run -AccessRight DenyAccess on a single user, it appears as a new ApplicationAccessPolicy, but my app still has full access to the user, so the registered policy seems to do nothing.
The only thing that actually did something was to restrict access to a single user; this denied the app access to all other users, but in a company where I want access to 900 employees, this would mean creating 900 policies, which I cannot imagine was the designers' intent... Also, I think the number of policies one can create inside a single AD is limited. However, I do not want a policy for 850 out of 900 users; I want to be able to restrict the app authorization to a single group in AD. Preferably I want to specify this directly in the Azure portal, but a PowerShell approach (that actually works) would help me as well.
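The RestrictAccess flow described in the question, as an added example that is not part of the original post: it assumes the Exchange Online PowerShell module is installed and that the scope group is a mail-enabled security group created in Exchange Online (referenced by its SMTP address); the app id, group name and addresses are placeholders.

```powershell
# Added example, not from the original post. Assumes Exchange Online PowerShell
# and a mail-enabled security group; all ids and addresses below are placeholders.
Connect-ExchangeOnline

$appId      = '00000000-0000-0000-0000-000000000000'     # placeholder: the third-party app's (client) id
$scopeGroup = 'calendar-sync-allowed@contoso.example'    # placeholder: SMTP address of the mail-enabled security group

# Create the mail-enabled security group (skip if it already exists) and add the
# employees the app is allowed to reach. The CEO is simply not added.
New-DistributionGroup -Name 'CalendarSyncAllowed' -Type Security -PrimarySmtpAddress $scopeGroup
Add-DistributionGroupMember -Identity $scopeGroup -Member 'alice@contoso.example'

# One policy instead of one per user: the app may only access mailboxes
# that are members of the scope group.
New-ApplicationAccessPolicy -AppId $appId -PolicyScopeGroupId $scopeGroup `
    -AccessRight RestrictAccess -Description 'Calendar sync app: group members only'

# Verify the effective result for a member and for a non-member (the CEO).
Get-ApplicationAccessPolicy
Test-ApplicationAccessPolicy -Identity 'alice@contoso.example' -AppId $appId   # expect AccessCheckResult: Granted
Test-ApplicationAccessPolicy -Identity 'ceo@contoso.example'   -AppId $appId   # expect AccessCheckResult: Denied
```

Application access policies can take some time (Microsoft documents up to 30 minutes) to take effect, so re-run the Test-ApplicationAccessPolicy checks before concluding that a policy does nothing.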