Limit the scope of Azure portal app permission

Suhani Bhargava 0

Hi, I am a Salesforce developer. I am working on a use case trying to access get a user's outlook availability through microsoft graph api. I created an application on azure portal and am using client credentials to generate access token and then trying to access the getSchedule api for a user. While giving api permission on the azure portal app, we are not able to give specific user's / calendar access to the app, instead there are only readAll permission for both users and calendar both objects. Can we limit the scope of ReadAll and limit it to a specific set/group of users.? Also . if its possible we can also connect on a call to discuss the use case . Thanks

1 answer

Vasil Michev 106.6K Reputation points MVP

2024-09-26T07:10:51.43+00:00

By default, application permissions are tenant-wide, you get unrestricted access to all resources you've been granted permissions for. It's usually best to run in the delegate permissions context instead, where the effective permissions of your app will be limited to what a given user can access.

That said, for the Exchange scenario application permissions can be further restricted as detailed in this document: https://learn.microsoft.com/en-us/exchange/permissions-exo/application-rbac
Please sign in to rate this answer.
Suhani Bhargava 0 Reputation points

2024-09-26T11:10:49.6433333+00:00

Hi @Vasil Michev , Thank you for your response and suggestion to use delegated permission. While using delegated permission too, when generating the access token, a notification goes to the admin of the domain to give the permissions to the delegated user (please refer the screenshot attached) , which again could be a security breach since the admin permissions are being compromised. Any thoughts on this or an alternative approach how can we handle the use case ?

Vasil Michev 106.6K Reputation points MVP

2024-09-26T12:01:00.5933333+00:00

Nothing is being compromised, this is how consent works. Only an admin can consent to the permissions you requested in this case. They can grant permissions to specific user(s), or to the entire tenant, as needed. If you need additional information on how consent works with delegate permissions, read here: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/user-admin-consent-overview

As mentioned above, you can also restrict application permissions in the case of Exchange Online.

CarlZhao-MSFT 42,046 Reputation points

2024-09-30T11:45:20.99+00:00

Hi @Suhani Bhargava

Is there anything else I can help you with regarding this issue? If you still need further help, please feel free to let me know. If your question has been solved, then you can click "Accept Answer", which may help members with similar questions find the answer easily. Thank you very much!
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Limit the scope of Azure portal app permission

1 answer

Your answer