How to control the scope of access for the Graph API.

Question

Dear Everyone,

We currently have an issue regarding accessing user emails through the GRAPH API.
After creating an app and granting the permissions shown in the screenshot, we can retrieve the emails and attachments of specific users via the API. However, we found that we can access the emails of all users within the organization. For security reasons, we would like to restrict access to only the emails of specific users we need. Is there a way to impose such restrictions?

How to restrict access to the GRAPH API so that it can only access the email information of specific users within an organization, not all users.

Thank you very much in advance.

BR
Leo

Answer 1

Yes, follow this doc:

https://learn.microsoft.com/en-us/exchange/permissions-exo/application-rbac

Essentially, you are going to create an Exchange Service Principal.(This points to the service principal in Entra)

Then create the recipient scope. ( This is the mailboxes or groups you want to restrict the service principal access to)

Then you assign that recipient scope and the allowed roles to the service principal.

Answer 2

permissions as below

Mail.Read	Application	Read mail in all mailboxes	Yes
Mail.Read	Application	Read mail in all mailboxes	Yes
Mail.ReadBasic	Application	Read basic mail in all mailboxes	Yes
Mail.ReadBasic.All	Application	Read basic mail in all mailboxes	Yes
Mail.ReadWrite	Application	Read and write mail in all mailboxes	Yes
Mail.Send	Application	Send mail as any user	Yes
User.Read	Delegated	Sign in and read user profile	No