How to restrict Microsoft Graph API permission to one account only

delaynomore 6 Reputation points
2020-12-30T07:43:35.96+00:00

Hi, experts, I need to write an app using the Graph API to read emails of a dedicated email address (work or school accounts).

When setting it up on the Azure portal, I selected Microsoft Graph without user authentication and application permission, and I find that it seems it has to be granted with admin consent.

Can this be avoided?
I don't want the developer of the app to have permission to read the bosses' or management board's emails.

How to do this?

ref: https://whatabout.cloud/index.php/2020/08/28/sending-email-with-microsoft-graph-api/
https://whatabout.cloud/index.php/2020/09/03/sending-email-with-microsoft-graph-api-part-2/


2 answers

  1. Alfredo Revilla (MSFT) 21,881 Reputation points Microsoft Employee
    2020-12-31T00:09:18.523+00:00

    Hello, when authenticating as an application all messages from all users can be read. This is why application access is considered highly privileged. Granular access rules will have to be implemented in your business or service layer code.

    Please let me know if you need more help. If the answer was helpful to you, please accept it and, optionally, provide feedback so that other members in the community can benefit from it.


  2. Hassan DRAGA 6 Reputation points
    2021-09-01T17:23:37.993+00:00

    It's not possible through the online portal right now, but you can do it using PowerShell.

    • Create a group

    1. Go to portal.office365.com and sign in with an admin account
    2. Go to https://admin.exchange.microsoft.com/#/groups and click on the tab [Mail-enabled security]
    3. Click on [Add a group]
    4. Select [Mail-enabled security] then click Next
    5. Set a name and click Next
    6. Set the group name and select [Approval], which means "Require owner approval to join the group"
    7. Then Next, then create.

    • Add emails to group

    1. Go to https://admin.exchange.microsoft.com/#/groups and click on the tab [Mail-enabled security]
    2. Click on the group and add emails you want to allow APIs to access

    • PowerShell

    1. Run PowerShell
    2. Run: Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
    3. Run: Install-Module PowerShellGet -Force
    4. Run: Install-Module -Name ExchangeOnlineManagement -Force
    5. Run: Get-Module ExchangeOnlineManagement
    6. Run: Connect-ExchangeOnline -UserPrincipalName {ADMIN_EMAIL_ADDRESS_HERE}
    7. Sign in as Admin in pop-up window
    8. Run: New-ApplicationAccessPolicy -AppId {APPLICATION_ID_HERE} -PolicyScopeGroupId {GROUP_EMAIL_ADDRESS_HERE} -AccessRight RestrictAccess -Description "YOUR DESCRIPTION HERE."

    • Test

    1. In the same PowerShell session
    2. Run: Test-ApplicationAccessPolicy -Identity {AN_EMAIL_ADDRESS_HERE} -AppId {APPLICATION_ID_HERE}
    3. Check AccessCheckResult; it should be Granted or Denied
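The PowerShell steps above, combined into one script that creates the policy and then checks it against both an in-scope and an out-of-scope mailbox. This is an added example, not part of the answer or of Microsoft's own documentation; the app ID, group address, admin UPN and the two mailbox addresses are placeholder values to replace with your own. It also covers the point made in the first answer: the application permission (for example Mail.Read) remains tenant-wide in Azure AD, and it is the Exchange Online application access policy that narrows which mailboxes the app can actually reach.

```powershell
# Added example (not from the original answer). All values below are placeholders
# or constructed; requires the ExchangeOnlineManagement module and an Exchange admin.

$AppId      = '00000000-0000-0000-0000-000000000000'  # placeholder: app registration (client) ID
$ScopeGroup = 'graph-mail-allowed@contoso.example'     # placeholder: mail-enabled security group address
$AdminUpn   = 'admin@contoso.example'                  # placeholder: admin account used to connect
$InScope    = 'shared-inbox@contoso.example'           # constructed: a member of the group
$OutOfScope = 'ceo@contoso.example'                    # constructed: not a member of the group

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# Create the RestrictAccess policy only if this app does not already have one.
$existing = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
if (-not $existing) {
    New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $ScopeGroup `
        -AccessRight RestrictAccess `
        -Description 'Limit the Graph mail-reader app to mailboxes in the allowed group.'
}

# Verify the policy: Granted for a group member, Denied for everyone else.
$results = foreach ($mailbox in @($InScope, $OutOfScope)) {
    $check = Test-ApplicationAccessPolicy -Identity $mailbox -AppId $AppId
    [pscustomobject]@{ Mailbox = $mailbox; Result = $check.AccessCheckResult }
}
$results | Format-Table -AutoSize

# Fail loudly if the out-of-scope mailbox is still reachable (new policies take some time to apply).
$leak = $results | Where-Object { $_.Mailbox -eq $OutOfScope -and $_.Result -ne 'Denied' }
if ($leak) { Write-Warning "Policy not yet effective for $OutOfScope; re-run the check after propagation." }

Disconnect-ExchangeOnline -Confirm:$false
```

Run the script from an elevated PowerShell session after the module install steps in the answer; the Test-ApplicationAccessPolicy output for the out-of-scope mailbox is the check worth keeping in a deployment runbook, since it proves the restriction rather than assuming it.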