25,157 questions
There isn't, you cannot currently scope down read-only directory permissions.
Is there any way , by using a service principal , to allow visibility only to a desired subset of Microsoft Entra ID?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 94%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMK%3C/text%3E%3C/svg%3E)
Michalis Kyrou
0
Reputation points
The retrieval of information , containing the groups and users belonging to Microsoft Entra ID is done through Graph API using service principal which authorizes the following permissions:
User.Read.All , Group.Read.All
The service principal allows to retrieve global information of users and groups existing in the Azure tenant. In this case , there is a need to retrieve a subset of this information.
However filtering the information is not a solution for this case as it is a requirement that there is no access to groups and users outside the desired subset.
In addition a solution through the use of Administrative units has been considered , where in this case visibility to groups and users could be allowed by choice (with the appropriate permissions) but there is a limitation in the part of assigning each user to the group he/she belongs to as this requires additional permission for User.Read.All or Group.Read.All.
(https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/administrative-units)
Is there any way for the service principal to allow visibility only to the desired subset of groups and their members?
Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Graph
13,728 questions
{count} votes
-
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator2024-02-09T22:32:16.5266667+00:00 @Michalis Kyrou
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?- Since this currently is a product limitation, I'd recommend leveraging our User Voice forum and creating a feature request, so our engineering team can look into implementing this.
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 20%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator2024-02-16T05:25:13.5166667+00:00 Hi @Michalis Kyrou ,
Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept Answer" which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
Sign in to comment
1 answer
Sort by: Most helpful
-
Vasil Michev 119.7K Reputation points MVP Volunteer Moderator2024-02-06T09:42:52.9566667+00:00