How to limit Entra ID App registration API permissions to specific resources

Balaji Shinde 20 Reputation points

Hi Team,

Currently we are reviewing all Entra ID App registration API permissions. We found 100+ apps with tenant wide API permissions, e.g. Group.ReadWrite.All, Application.ReadWrite.All. We are mainly concerned with Write.All permissions. Is there a way to limit these permissions to specific resources, e.g. specific groups, applications?

Also, is there a way to find what permissions the app requires exactly, since many apps are overly permitted? Last time we had to contact Azure support, and they checked from the backend the specific permissions the app requires.

Microsoft Entra ID

Accepted answer
  1. Philippe Signoret (Microsoft) 401 Reputation points Microsoft Employee

    For apps accessing data on behalf of signed-in users (delegated access, authorized with delegated permissions), your best option is (like @Andy David - MVP mentions) to limit which users can sign into the app, which will limit which users' data (and data accessible by those users) the app can access.

    For apps accessing data directly (direct/app-only access, authorized with app roles (application permissions) and other flavors of authorization grants and role assignments), you have some alternative authorization options, depending on the type of data being accessed:

    Note that many of these approaches require working with the app publisher/owner/developer, to ensure the app can still function as required.

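One way to get the inventory the question asks for (which apps hold app-only Write.All permissions on Microsoft Graph) and to apply the user-assignment restriction both answers mention, as an added example that is not part of this thread; it assumes the Microsoft Graph PowerShell SDK is installed and the signed-in account holds a directory role that can read and update service principals.

```powershell
# Added example (not from the thread). Requires the Microsoft.Graph PowerShell SDK.
# Assumes the caller holds a role that can read service principals and app role assignments.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All"

# Microsoft Graph's own service principal; its AppRoles map application-permission ids to names
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleNameById = @{}
foreach ($role in $graphSp.AppRoles) { $roleNameById[$role.Id] = $role.Value }

# Every app-only (application permission) grant against Microsoft Graph in the tenant
$grants = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All

# Keep only tenant-wide write permissions, e.g. Group.ReadWrite.All, Application.ReadWrite.All
$writeAll = foreach ($grant in $grants) {
    $permission = $roleNameById[$grant.AppRoleId]
    if ($permission -match 'Write\.All$') {
        [pscustomobject]@{
            App                = $grant.PrincipalDisplayName
            ServicePrincipalId = $grant.PrincipalId
            Permission         = $permission
        }
    }
}
$writeAll | Sort-Object App, Permission | Format-Table -AutoSize

# Step two from the answers: require user assignment so only assigned users (or groups)
# can sign in to an app, which limits whose data a delegated-permission app can reach.
# Needs Application.ReadWrite.All; $spId is the enterprise app's service principal object id.
function Set-UserAssignmentRequired {
    param([Parameter(Mandatory)][string]$spId)
    Update-MgServicePrincipal -ServicePrincipalId $spId -AppRoleAssignmentRequired:$true
    # Assign specific users afterwards with New-MgServicePrincipalAppRoleAssignedTo.
}
```

Removing an app-only grant is Remove-MgServicePrincipalAppRoleAssignedTo against the Graph service principal with the assignment id; test with the app owner first, as the accepted answer advises.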

1 additional answer

  1. Andy David - MVP 133.9K Reputation points MVP

    It's hard to know, not knowing what these apps do, and there is no way we would know what permissions the apps actually require. If you feel they are over-permissioned, remove that perm and see if that breaks things.

    I would also suggest restricting the apps to specific users/service principals to start, but this is going to take some work on your part to track down the usage of each:

    Going forward, restrict who can consent apps and enforce strict permissions requirements