Azure AD Enterprise app should not see all my users/groups. How?

Question

Azure AD Enterprise app should not see all my users/groups. How?

Vic Kot 21

I have granted admin access for enterprise app (using "Grant permissions to an application" like described here https://learn.microsoft.com/en-us/graph/security-authorization#grant-permissions-to-an-application ). So now this app has access to all my groups and users, because of permissions like "Group.Read.All" and "User.Read.All". Is it possible somehow to limit this access for app, so this app will get a limited list of users/groups? I mean if app will request graph api like "/users" or "/groups" - there will be only those items that I want.

Answer 1

Vasil Michev 71,221 MVP

No, it can access all the groups and there's no way to restrict it. Only Exchange Online currently offers some controls, as detailed here: https://practical365.com/exchange-online/application-access-policies-in-exchange-online/
For all the other workloads, access cannot be restricted, although supposedly Microsoft is working on bringing additional controls.

Vic Kot 21 Reputation points

2020-04-24T10:36:34.29+00:00

Thank you for your reply! And there is no way to do it on this Enterprise app side? Use different permissions or some different approach? I have access to this app, so I can configure it. I found that there is a permission like "Group.Selected" https://learn.microsoft.com/en-us/graph/permissions-reference#application-permissions-18 but it said that I shouldn't use it.
Vasil Michev 71,221 Reputation points MVP

2020-04-24T10:49:49.103+00:00

I mentioned above that MS is working on something is this area, however it's not released yet. There are no controls currently for this scenario.

Azure AD Enterprise app should not see all my users/groups. How?

0 additional answers

Activity