How to restrict Microsoft Graph API permission to one account only

delaynomore 6 Reputation points

Hi, experts, I need to write an app using Graph API to read emails of a dedicated email address (work or school accounts).

When setting it up on the Azure portal, I selected Microsoft Graph without user authentication and application permission, and I find that it seems it has to be granted admin consent.

Can this be avoided?
I don't want the developer of the app to have permission to read the bosses' or management board's emails.

How do I do this?


2 answers

  1. Alfredo Revilla (MSFT) 21,881 Reputation points Microsoft Employee

    Hello, when authenticating as an application all messages from all users can be read. This is why application access is considered highly privileged. Granular access rules will have to be implemented in your business or service layer code.

    Please let me know if you need more help. If the answer was helpful to you, please accept it and, optionally, provide feedback so that other members in the community can benefit from it.


  2. Hassan DRAGA 6 Reputation points

    It's not possible through the online portal right now, but you can do it using PowerShell.

    • Create a group

    1. Go to and connect with an Admin account
    2. Go to and click on the tab [Mail-enabled security]
    3. Click on [Add a group]
    4. Select [Mail-enabled security], then click Next
    5. Set a name and click Next
    6. Set the group name and select [Approval], which means (Require owner approval to join the group)
    7. Then Next, then Create.

    • Add emails to group

    1. Go to and click on the tab [Mail-enabled security]
    2. Click on the group and add the emails you want to allow APIs to access

    • PowerShell

    1. Run PowerShell
    2. Run: Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
    3. Run: Install-Module PowerShellGet -Force
    4. Run: Install-Module -Name ExchangeOnlineManagement -Force
    5. Run: Get-Module ExchangeOnlineManagement
    6. Run: Connect-ExchangeOnline -UserPrincipalName {ADMIN_EMAIL_ADDRESS_HERE}
    7. Sign in as Admin in pop-up window
    8. Run: New-ApplicationAccessPolicy -AppId {APPLICATION_ID_HERE} -PolicyScopeGroupId {GROUP_EMAIL_ADDRESS_HERE} -AccessRight RestrictAccess -Description "YOUR DESCRIPTION HERE."

    • Test

    1. In the same PowerShell session:
    2. Run: Test-ApplicationAccessPolicy -Identity {AN_EMAIL_ADDRESS_HERE} -AppId {APPLICATION_ID_HERE}
    3. See AccessCheckResult, which should be Granted or Denied
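To make the restriction verifiable rather than merely configured, here is an added PowerShell script (not part of either answer, and not Microsoft's code) that creates the RestrictAccess policy if the app does not already have one and then checks the Granted/Denied result for mailboxes you expect inside and outside the group. It assumes the ExchangeOnlineManagement module is installed and you sign in as an Exchange admin; the parameter names and placeholder values are assumptions.

```powershell
# Added example: create an application access policy and verify its effect per mailbox.
# Assumes ExchangeOnlineManagement is installed; all parameter values are placeholders.
param(
    [Parameter(Mandatory)] [string]   $AdminUpn,          # admin account used to connect
    [Parameter(Mandatory)] [string]   $AppId,             # app registration (client) ID
    [Parameter(Mandatory)] [string]   $ScopeGroup,        # mail-enabled security group address
    [string[]] $ShouldBeGranted = @(),                    # mailboxes that are members of the group
    [string[]] $ShouldBeDenied  = @()                     # mailboxes the app must NOT be able to read
)

Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# Only create the policy if this app does not have one yet (avoids duplicate policies).
$existing = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
if (-not $existing) {
    New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $ScopeGroup `
        -AccessRight RestrictAccess -Description "Limit mail access to members of $ScopeGroup" | Out-Null
    Write-Host "Created RestrictAccess policy for $AppId scoped to $ScopeGroup"
} else {
    Write-Host "Policy already exists for $AppId (scope: $($existing.ScopeIdentity), right: $($existing.AccessRight))"
}

# Check the effective result for each mailbox instead of trusting the policy object alone.
$failures = @()
foreach ($mbx in $ShouldBeGranted) {
    $r = Test-ApplicationAccessPolicy -Identity $mbx -AppId $AppId
    if ($r.AccessCheckResult -ne 'Granted') { $failures += "$mbx expected Granted, got $($r.AccessCheckResult)" }
}
foreach ($mbx in $ShouldBeDenied) {
    $r = Test-ApplicationAccessPolicy -Identity $mbx -AppId $AppId
    if ($r.AccessCheckResult -ne 'Denied') { $failures += "$mbx expected Denied, got $($r.AccessCheckResult)" }
}

Disconnect-ExchangeOnline -Confirm:$false

if ($failures) {
    $failures | ForEach-Object { Write-Warning $_ }
    exit 1   # non-zero so a scheduled run or CI job flags the misconfiguration
}
Write-Host "All $($ShouldBeGranted.Count + $ShouldBeDenied.Count) mailbox checks passed."
```

A newly created policy can take some time to apply, so out-of-scope mailboxes may still report Granted immediately after creation; re-run the check later and keep it scheduled, since the policy silently stops protecting anyone removed from the group or any mailbox the group never contained.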