Limit app authentication with User.Read.All to access only a certain group of users

HaakonS 21 Reputation points
2022-09-21T08:05:46.943+00:00

I am connecting to an app which synchronizes calendar events from outlook.
It uses app-level authentication, meaning that I, as admin, grant access to all users in my AD, but I do not want it to have access to the calendar of my CEO (stock-sensitive information).

After enabling the app, I have tried linking it to a user group in Enterprise Application > Users and Groups, but this does not seem to restrict the app from reading every other user in my AD which is not part of that group. In fact I have no idea what the added user does for me; it looks like adding things here has no effect.

How can I achieve restricting the third-party app's access to only members of a certain user group (or equivalent)?

Things I have tried that failed:
I have tried using this PowerShell guide:
But as it turns out, I cannot add my Microsoft 365 group type because "The identity of the policy scope is not a security principal", but if I try and make a group with Security type and add this as a new policy (using -PolicyScopeGroupId SecurityGroupName) I get the feedback that "The identity of the policy scope could not be resolved".

If I try and run -AccessRight DenyAccess on a single user, it appears as a new ApplicationAccessPolicy, but my app still has full access to the user - so the registered policy seems to do nothing.

The only thing that actually did something was to restrict access to a single user; this denied the app access to all other users, but in a company where I want access for 900 employees, this would mean creating 900 policies, which I cannot imagine was the designers' intent... Also, I think the number of policies one can create inside a single AD is also limited. However, I do not want a policy for 850 out of 900 users; I want to be able to restrict the app authorization to a single group in AD. Preferably I want to specify this directly in the Azure portal, but a PowerShell approach (that actually works) would help me as well.


Accepted answer
Vasil Michev 95,751 Reputation points MVP
2022-09-21T08:48:19.503+00:00

The method you are referring to only applies to Exchange Online mailboxes; it does not affect the user object, or any related user-level permissions. It will work, for example, for Calendar.Read.All permissions, but not for User.Read.All.

Anyway, to answer your question with regards to application access policies, you need to use a mail-enabled security group. Microsoft 365 Groups are not valid security principals, as you have already observed. So, create a mail-enabled security group via the M365 Admin Center/Exchange Admin Center or PowerShell (you cannot use the Azure portal), populate its membership and provide it as the value for the -PolicyScopeGroupId parameter.

