How to Scope Application type API permissions

Question

How to Scope Application type API permissions

Bishnu Baliyase 130

Microsoft is currently supporting only below API permissions that can be scoped using Application Access Policy

Mail.Read
Mail.ReadBasic
Mail.ReadBasic.All
Mail.ReadWrite
Mail.Send
MailboxSettings.Read
MailboxSettings.ReadWrite
Calendars.Read
Calendars.ReadWrite
Contacts.Read
Contacts.ReadWrite
full_access_as_app (EWS)

However, there are numerous application type elevated permissions in our customer's tenant and those need to be scoped. Few of them are:

Directory.ReadWrite.All

Domain.ReadWrite.All

Tenant.ReadWrite.All

Sites.FullControl.All

Files.ReadWrite.All

Group.ReadWrite.All

DeviceManagementManagedDevices.ReadWrite.All

DeviceManagementConfiguration.ReadWrite.All

DeviceManagementManagedDevices.PrivilegedOperations.All

UserAuthenticationMethod.ReadWrite.All

AppRoleAssignment.ReadWrite.All

RoleManagement.ReadWrite.Directory

TeamMember.ReadWrite.All

TermStore.ReadWrite.All

..and more

How can we restrict and scope these permissions to a set of users /groups in a shared tenant environment.

Thank You

0 comments

Answer accepted by question author

0 additional answers

Your answer

Answer 1

CarlZhao-MSFT 46,456

Hi @Bishnu Baliyase

Application permissions are specific to the tenant scope, and we cannot restrict access of these permissions at the tenant scope. Fine-grained access for application permissions is currently only available for Exchange Online workloads and SharePoint Online workloads, and fine-grained access for other workloads will be rolled out soon.

Hope this helps.

If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

Bishnu Baliyase 130 Reputation points

2023-05-30T11:13:13.5666667+00:00

Hello @CarlZhao-MSFT,

Thank you for your answer.

Is there any way to restrict the application permissions using Administrative Units or CA policies or any other method as currently not possible through Application Access Policy.

Thanks
Bishnu Baliyase 130 Reputation points

2023-06-01T13:11:42.0566667+00:00

Hello CarlZhao-MSFT,

Thank you for your answer.

Is there any way to limit and scope it using Administrative Units and /or Conditional Access Policies?

Thanks
CarlZhao-MSFT 46,456 Reputation points

2023-06-02T10:49:05.26+00:00

Hi @Bishnu Baliyase, sorry for the late reply.

As far as I know, this is not possible.

Application permissions are tenant-wide permissions, and we cannot restrict application permissions access using administrative units or conditional access policies. Fine-grained access restrictions on application permissions are currently only available for Exchange Online workloads and SharePoint Online workloads.

An administrative unit is a role-based rather than permission-based Azure AD resource, and it cannot be used to restrict application permissions for application/service principals. Application access policies can currently only be used to restrict application permissions access for Exchange Online workloads, not other workloads.

Hope this helps.

If it helps you, don't forget to click "Accept Answer".

Thanks,

Carl
Bishnu Baliyase 130 Reputation points

2023-06-07T12:55:28.8766667+00:00

Thank you CarlZhao-MSFT for your answer.
CarlZhao-MSFT 46,456 Reputation points

2023-06-08T02:21:40.7733333+00:00

Hi @Bishnu Baliyase, have a good day!

If the reply is helpful, don't forget to click "Accept Answer". This may help members in the community who are experiencing similar issues.

Thanks,

Carl Zhao

Share via

How to Scope Application type API permissions

0 additional answers

Your answer