How to limit the scope of User.Read.All to a specific subset of users

Yoshiaki 30 Reputation points
2023-11-14T14:54:14.08+00:00

I am trying to develop an application using Graph API that gets the list of users (with their name and email/UPN) in an AzureAD tenant.

I have managed to make this work, but now I want to limit the scope of users that I fetch by a group or something, instead of getting all users in that tenant.

I know that I can use query parameters to filter users, but I do not want to rely on that: the fact that my app would still have the permission to query all users, if it wants to, is not acceptable for this case.

So I was wondering if there is a way to achieve this at the permission level. Something like: there is an admin who has scoped access to only a subset of users, and if my app uses the delegated permissions of this admin, my app can only get the list of users that he has permission to view. Please note that I want to limit not only write, but also read permission.

Is there a way to do this? Please help me...

Tags: Microsoft Security > Microsoft Entra > Microsoft Entra ID; Microsoft Security > Microsoft Graph

Accepted answer
Vasil Michev, 119.5K Reputation points, MVP, Volunteer Moderator
2023-11-14T16:27:39.34+00:00

Technically speaking, Graph permissions are assigned directory-wide. In the delegated permissions model, though, the effective permissions are the subset of those assigned to the app and the permissions assigned to the user, so you should be able to scope it by scoping the user's role assignment. Take a look at the administrative units functionality and leverage them to scope the user's admin role(s): https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/administrative-units

Do note that no method exists to limit read permissions, as every user ("member") within the directory can read other users' information.

1 person found this answer helpful.

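An added audit check that follows from the answer above (example code written for this page, not code from the question, the answer or Microsoft): given role-assignment records in the shape Graph returns from GET /roleManagement/directory/roleAssignments, it reports whether a principal's admin roles are all scoped to administrative units or whether a tenant-wide assignment remains, which would undo the scoping for a delegated token issued to that user. The records, ids and role template names are constructed; the only Graph convention relied on is directoryScopeId being "/" for tenant-wide and "/administrativeUnits/{id}" for an AU. It does not change the answer's caveat that basic user reads are not restricted by role scoping.

```python
import json
import re

# Constructed sample in the shape of Graph unifiedRoleAssignment objects.
# The ids and role template names are made up for this example.
SAMPLE_ROLE_ASSIGNMENTS = json.loads("""
[
  {"id": "ra-1", "principalId": "admin-scoped", "roleDefinitionId": "user-admin-template",
   "directoryScopeId": "/administrativeUnits/au-sales"},
  {"id": "ra-2", "principalId": "admin-global", "roleDefinitionId": "user-admin-template",
   "directoryScopeId": "/"},
  {"id": "ra-3", "principalId": "admin-scoped", "roleDefinitionId": "helpdesk-template",
   "directoryScopeId": "/administrativeUnits/au-support"}
]
""")

# Graph expresses an administrative-unit scope as /administrativeUnits/{id}.
AU_SCOPE = re.compile(r"^/administrativeUnits/([^/]+)$")


def classify_scope(directory_scope_id):
    """Return ('tenant', None), ('au', <au id>) or ('other', raw value)."""
    if directory_scope_id == "/":
        return ("tenant", None)
    match = AU_SCOPE.match(directory_scope_id)
    if match:
        return ("au", match.group(1))
    return ("other", directory_scope_id)


def audit_principal(assignments, principal_id):
    """Summarise one user's role assignments as seen by a delegated-permission app.

    The app's delegated token never exceeds the app's granted scopes, but
    within them it reaches whatever the user's roles reach. One tenant-wide
    ('/') assignment therefore cancels the AU scoping on the user's other roles.
    """
    tenant_wide = []
    au_scoped = {}
    for ra in assignments:
        if ra["principalId"] != principal_id:
            continue
        kind, value = classify_scope(ra["directoryScopeId"])
        if kind == "tenant":
            tenant_wide.append(ra["roleDefinitionId"])
        elif kind == "au":
            au_scoped.setdefault(value, []).append(ra["roleDefinitionId"])
    return {
        "tenant_wide_roles": sorted(tenant_wide),
        "administrative_units": {au: sorted(r) for au, r in sorted(au_scoped.items())},
        "effectively_scoped": not tenant_wide and bool(au_scoped),
    }
```

Run it against a real export of the roleAssignments collection to spot admins whose delegated access to your app is still tenant-wide.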