How can I limit an application's access to view only a subset of the users in Microsoft Graph API, MS Teams endpoints?

Noga Malach 20 Reputation points
2025-02-13T12:55:02.2133333+00:00

What are the methods to restrict the access of an application that is using the Microsoft Graph API to fetch users' conversations, so that it can only view data of Microsoft Teams endpoints for a specific subset of users?


Accepted answer
  1. Vasil Michev 119.5K Reputation points MVP Volunteer Moderator
    2025-02-13T17:05:51.9633333+00:00

    No. Most Graph permissions provide unscoped access to the corresponding object types, i.e. User.Read.All allows you to read the properties of all user objects. There are some workload-specific functionalities that allow you to restrict this, such as Application access policies/RBAC for Applications for Exchange, or the Sites.Selected scope for SharePoint Online. But nothing on directory objects.

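An added example, not part of the answer above and not Microsoft tooling: a small audit that joins an application's Graph app role assignments to permission names and sorts them into the three cases the answer distinguishes, so tenant-wide grants such as User.Read.All or Chat.Read.All stand out for review. The role ids, app names and category labels are constructed, and the list of permission families honoured by Exchange application access policies is an assumption of this example.

```python
# Added example. Inputs are CONSTRUCTED and shaped like Microsoft Graph
# servicePrincipal.appRoles and appRoleAssignment objects.

# Per the answer: Sites.Selected only reaches sites granted individually.
PER_RESOURCE = {"Sites.Selected"}
# Assumption: permission families that Exchange application access policies /
# RBAC for Applications can confine to a set of mailboxes.
EXCHANGE_PREFIXES = ("Mail.", "MailboxSettings.", "Calendars.", "Contacts.")

GRAPH_APP_ROLES = [  # constructed ids; a real tenant returns GUIDs
    {"id": "role-0001", "value": "User.Read.All"},
    {"id": "role-0002", "value": "Chat.Read.All"},
    {"id": "role-0003", "value": "Mail.Read"},
    {"id": "role-0004", "value": "Sites.Selected"},
]
ASSIGNMENTS = [  # constructed application names
    {"principalDisplayName": "contoso-archiver", "appRoleId": "role-0002"},
    {"principalDisplayName": "contoso-archiver", "appRoleId": "role-0001"},
    {"principalDisplayName": "mail-scanner", "appRoleId": "role-0003"},
    {"principalDisplayName": "doc-sync", "appRoleId": "role-0004"},
    {"principalDisplayName": "legacy-app", "appRoleId": "role-9999"},
]

def classify(permission):
    if permission in PER_RESOURCE:
        return "scoped-by-grant"
    if permission.startswith(EXCHANGE_PREFIXES):
        return "scopable-in-exchange"  # still tenant-wide until a policy exists
    return "tenant-wide"

def audit(assignments, app_roles):
    by_id = {r["id"]: r["value"] for r in app_roles}
    report = {}
    for a in assignments:
        perm = by_id.get(a["appRoleId"])
        # Unresolvable role id: fail closed and treat it as tenant-wide.
        scope = classify(perm) if perm else "tenant-wide"
        entry = (perm or a["appRoleId"], scope)
        report.setdefault(a["principalDisplayName"], []).append(entry)
    return report

def tenant_wide_apps(report):
    return sorted(app for app, perms in report.items()
                  if any(scope == "tenant-wide" for _, scope in perms))

if __name__ == "__main__":
    rep = audit(ASSIGNMENTS, GRAPH_APP_ROLES)
    for app, perms in rep.items():
        for perm, scope in perms:
            print(f"{app:18} {perm:16} {scope}")
    print("review:", tenant_wide_apps(rep))
```
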

2 additional answers

  1. Rajat Vashistha-MSFT 1,690 Reputation points Microsoft External Staff
    2025-02-13T17:12:52.7266667+00:00

    Hi Noga Malach,

    Thank you for reaching out to Microsoft!

    At present, there's no method to restrict an application's access to view only a subset of users within Microsoft Graph API related to MS Teams endpoints.

    However, we do offer this capability for:

    Since this feature/functionality is presently not available, you can submit a feature request idea using the support link, which will be monitored by the Microsoft team to make enhancements to the Microsoft Graph APIs.

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.


  2. GUILLOUX Patrice 0 Reputation points
    2025-03-25T08:05:27.81+00:00

    Hi, in our company we encounter this problem a lot of the time around privileged application MS Graph permissions without scoping capabilities, so our only capability is to not integrate such applications that need this kind of APPLICATION Microsoft Graph permissions. So it is today a very big problem to integrate applications from third-party editors, and it's more and more a brake on adoption. So I wonder if creating a specific Entra ID custom role with only Microsoft.directory/Users/***/read permissions type, assigned to specific Administrative Units, could be an alternative in this case?
