Graph API app permissions restricting to user or groups

Vikram Lamba 5 Reputation points
2023-10-28T07:49:25+00:00

Hey Msft,

GRAPH API is very helpful and powerful to return the information. As you know there are two moded on it as mentione here :

https://learn.microsoft.com/en-us/graph/auth/auth-concepts

App and delegated access.

For our recurring use cases we need App Access ( as no user auth is needed) and the permissions can be restricted via scopes as well.

However the issue is when an App is given one scope permission let say User.Read or Mail.ReadBasic.All or anything, the "App" which is granted this scope gets the ability to perform operation for that scope with ALL users/objects in Azure Tenancy.

For example If there are 100K users in that tenancy app can read ( for the scopes granted) for all users , but from a bussiness function may this is only needed for 5K users, app has no need to excessive access to read that for remaining 95K users.

Is there a way to restrict this ? This seems way to excessive in terms of permissions.

Thanks,

VIkram

Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,907 questions
Microsoft Entra
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,062 questions
{count} vote

1 answer

Sort by: Most helpful
  1. James Hamil 24,921 Reputation points Microsoft Employee
    2023-10-31T04:03:23.1033333+00:00

    Hi @Vikram Lamba You can restrict the access of an app with application permissions by using scoped access. However, Microsoft Graph API does not provide a direct way to restrict access to a specific set of users through the Azure portal. One possible solution is to implement additional logic in your application to filter the users based on your business requirements. This way, even though the app has access to all users, it will only process the data for the users you specify.

    Another approach is to use delegated permissions instead of application permissions. Delegated permissions allow your app to perform operations on behalf of the logged-in user, and you can control which users have access to your app. However, this method requires user authentication and may not be suitable for your use case if you need app-only access without user interaction. Hope this helps!

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.