Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
10,574 questions
Is it possible to scope API Permissions in an Azure App Registration to a single domain in an Azure Tenant?
Patrick Tyler
6
Reputation points
I am working on a project where there are several domains consolidated into a single Azure tenant. When creating an app registration and adding API permissions, I would like the ability to scope the app registration to a defined scope of directory entries - specifically 1 or 2 domains versus the 100 in the single tenant. I need the API permissions of Directory.Read.All (but just for a defined scope) and AuditLog.Read.All (for the same defined scope). I am coming up empty on how to reduce the visibility scope of the App Registration to a defined scope versus the entire Azure directory. Is this possible? If so, how might I be able to do this?
{count} vote
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
Givary-MSFT 27,886 Reputation points Microsoft Employee2022-11-14T08:57:50.953+00:00 @Patrick Tyler Apologies for the delay in reviewing this post, As I understand you want to restrict the access of the application based on the domain which is registered in Azure AD tenant.
Just wanted to check if you have got a chance to review this article Security best practices for application properties in Azure Active Directory for the ask which you are looking for.
Let me know if you have any further questions, if required we can connect offline.
Sign in to comment