How to restrict Microsoft Graph API permission to one account only

delaynomore 6 Reputation points
2020-12-30T07:43:35.96+00:00

Hi experts, I need to write an app using the Graph API to read emails of a dedicated email address (work or school accounts).

When setting it up on the Azure portal, I selected Microsoft Graph without user authentication and application permission, and I find that it seems it has to be granted admin consent.

Can this be avoided?
I don't want the developer of the app to have permission to read the bosses' or management board's emails.

How to do this?

ref: https://whatabout.cloud/index.php/2020/08/28/sending-email-with-microsoft-graph-api/
https://whatabout.cloud/index.php/2020/09/03/sending-email-with-microsoft-graph-api-part-2/


2 answers

  1. 2020-12-31T00:09:18.523+00:00

    Hello, when authenticating as an application all messages from all users can be read. This is why application access is considered highly privileged. Granular access rules will have to be implemented in your business or service layer code.

    Please let me know if you need more help. If the answer was helpful to you, please accept it and, optionally, provide feedback so that other members in the community can benefit from it.


  2. Hassan DRAGA 11 Reputation points
    2021-09-01T17:23:37.993+00:00

    It's not possible through the online portal right now, but you can do it using PowerShell.

    • Create a group

    1. Go to portal.office365.com and connect with an Admin account
    2. Go to https://admin.exchange.microsoft.com/#/groups and click on the tab [Mail-enabled security]
    3. Click on [Add a group]
    4. Select [Mail-enabled security], then click Next
    5. Set a name and click Next
    6. Set the group name and select [Approval], which means (Require owner approval to join the group)
    7. Then Next, then Create.

    • Add emails to group

    1. Go to https://admin.exchange.microsoft.com/#/groups and click on the tab [Mail-enabled security]
    2. Click on the group and add the emails you want to allow the APIs to access

    • PowerShell

    1. Run PowerShell
    2. Run: Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
    3. Run: Install-Module PowerShellGet -Force
    4. Run: Install-Module -Name ExchangeOnlineManagement -Force
    5. Run: Get-Module ExchangeOnlineManagement
    6. Run: Connect-ExchangeOnline -UserPrincipalName {ADMIN_EMAIL_ADDRESS_HERE}
    7. Sign in as Admin in pop-up window
    8. Run: New-ApplicationAccessPolicy -AppId {APPLICATION_ID_HERE} -PolicyScopeGroupId {GROUP_EMAIL_ADDRESS_HERE} -AccessRight RestrictAccess -Description "YOUR DESCRIPTION HERE."

    • Test

    1. In the same PowerShell session...
    2. Run: Test-ApplicationAccessPolicy -Identity {AN_EMAIL_ADDRESS_HERE} -AppId {APPLICATION_ID_HERE}
    3. See AccessCheckResult; it should be Granted or Denied
