More granular application specific Application.Read.All

Chaitanya Kale 40 Reputation points
2024-12-17T14:22:18.7066667+00:00

Is there an alternative available to use a more granular permission than Application.Read.All to read only the permissions granted to a specific application? We have customer feedback that ideally there should be a way to grant an application permission to read only the permissions granted to itself. If this is not possible as of today, is it something under consideration? We're already using the app Id as a filter in the API request, but the ask is for the API not to return the data without passing the app Id, to avoid the risk of an application accidentally receiving permissions for other applications in the tenant.


Accepted answer

PhillipsB 75 Reputation points
2024-12-17T14:44:30.31+00:00

Currently, the Microsoft Graph API does not offer a more granular alternative to Application.Read.All for restricting access to only the permissions granted to a specific application. The closest solution available today is filtering results by app ID in your API calls, as you're already doing, but this does not prevent broader access at the permission level.

Consider assigning a dedicated managed identity or creating a separate app registration for each application. This approach isolates permissions at the app level, minimizing the risk of accidental exposure.

If feasible, you can create a custom API or proxy layer that interacts with Microsoft Graph on behalf of your app. This API can enforce stricter policies, such as ensuring that only data for the specific application is returned.

Hope it helps.
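The proxy layer the answer describes, as an added example that is not part of the original post or Microsoft's own code. It assumes a proxy that holds Application.Read.All itself, has already validated the caller's access token, and takes the caller's application id only from that token's `appid` (v1) or `azp` (v2) claim, never from the request. The proxy builds the `appId eq '{id}'` filter for `GET /servicePrincipals` server-side, refuses any request that names a different app id, and re-checks `principalId` on every returned `appRoleAssignments` row. `ScopedGraphProxy`, `FakeGraphClient`, the helper names and the sample GUIDs are assumptions for illustration; the fake client runs over constructed inline data so the example works offline.

```python
"""Added example (not from the original page or from Microsoft): a hypothetical
proxy that scopes Microsoft Graph permission reads to the calling application.
ScopedGraphProxy, FakeGraphClient and the sample GUIDs are illustrative."""
import re
from dataclasses import dataclass

GUID_RE = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)


class Forbidden(Exception):
    """Raised when a caller asks for data belonging to a different application."""


@dataclass(frozen=True)
class CallerContext:
    """Identity of the calling app. In a real proxy this comes from the appid
    (v1) or azp (v2) claim of an access token the proxy has already validated
    (signature, issuer, audience, expiry); it is never read from the request."""
    app_id: str


def build_service_principal_filter(app_id: str) -> str:
    """Build the OData $filter for GET /servicePrincipals. The value is
    validated as a GUID before interpolation, so a crafted id cannot alter
    the filter expression."""
    if not GUID_RE.match(app_id):
        raise ValueError("app id must be a GUID")
    return f"appId eq '{app_id.lower()}'"


# Constructed sample tenant: two service principals, each with its own grant.
SAMPLE_SERVICE_PRINCIPALS = [
    {"id": "11111111-1111-1111-1111-111111111111",
     "appId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "displayName": "Customer App"},
    {"id": "22222222-2222-2222-2222-222222222222",
     "appId": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb", "displayName": "Other App"},
]
SAMPLE_APP_ROLE_ASSIGNMENTS = [
    {"id": "assign-1", "principalId": "11111111-1111-1111-1111-111111111111",
     "resourceDisplayName": "Microsoft Graph", "appRoleId": "role-user-read-all"},
    {"id": "assign-2", "principalId": "22222222-2222-2222-2222-222222222222",
     "resourceDisplayName": "Microsoft Graph", "appRoleId": "role-mail-read"},
]


class FakeGraphClient:
    """Offline stand-in for a Graph client holding Application.Read.All. Like
    the real API it returns every service principal when no filter is given,
    which is exactly the exposure the proxy has to prevent."""

    def __init__(self, service_principals, app_role_assignments):
        self._sps = service_principals
        self._assignments = app_role_assignments

    def list_service_principals(self, odata_filter=None):
        # Mirrors GET /servicePrincipals?$filter=appId eq '{id}'
        if odata_filter is None:
            return list(self._sps)
        match = re.fullmatch(r"appId eq '([^']+)'", odata_filter)
        if not match:
            raise ValueError("unsupported filter in fake client")
        wanted = match.group(1).lower()
        return [sp for sp in self._sps if sp["appId"].lower() == wanted]

    def list_app_role_assignments(self, sp_object_id):
        # Mirrors GET /servicePrincipals/{id}/appRoleAssignments
        return [a for a in self._assignments if a["principalId"] == sp_object_id]


class ScopedGraphProxy:
    """The only component with Application.Read.All; every read it performs
    is scoped to the caller's own service principal."""

    def __init__(self, graph):
        self._graph = graph

    def get_my_app_role_assignments(self, caller: CallerContext, requested_app_id=None):
        # A caller may repeat its own id, but it can never widen the scope:
        # any other id is refused instead of served.
        if requested_app_id is not None and requested_app_id.lower() != caller.app_id.lower():
            raise Forbidden("callers may only read permissions granted to themselves")
        odata_filter = build_service_principal_filter(caller.app_id)
        sps = self._graph.list_service_principals(odata_filter=odata_filter)
        if len(sps) != 1:
            raise LookupError("expected exactly one service principal for the caller")
        sp = sps[0]
        assignments = self._graph.list_app_role_assignments(sp["id"])
        # Defence in depth: re-check principalId on every row before returning.
        return [a for a in assignments if a["principalId"] == sp["id"]]


def demo():
    """Run the proxy for the sample 'Customer App' caller; returns its grant ids."""
    proxy = ScopedGraphProxy(FakeGraphClient(SAMPLE_SERVICE_PRINCIPALS, SAMPLE_APP_ROLE_ASSIGNMENTS))
    caller = CallerContext(app_id="aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa")
    return [a["id"] for a in proxy.get_my_app_role_assignments(caller)]


if __name__ == "__main__":
    print(demo())
```

The same pattern applies to delegated grants (`oauth2PermissionGrants` filtered on `clientId`): the proxy, not the caller, decides which principal the query is scoped to, and a GUID check on the id keeps a client-supplied value from rewriting the `$filter`.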

