Azure AD Enterprise app should not see all my users/groups. How?

Vic Kot 21 Reputation points
2020-04-24T10:16:40.267+00:00

I have granted admin access for enterprise app (using "Grant permissions to an application" like described here https://learn.microsoft.com/en-us/graph/security-authorization#grant-permissions-to-an-application ). So now this app has access to all my groups and users, because of permissions like "Group.Read.All" and "User.Read.All". Is it possible somehow to limit this access for app, so this app will get a limited list of users/groups? I mean if app will request graph api like "/users" or "/groups" - there will be only those items that I want.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,597 questions
0 comments No comments
{count} votes

Accepted answer
  1. Vasil Michev 100.2K Reputation points MVP
    2020-04-24T10:23:17.237+00:00

    No, it can access all the groups and there's no way to restrict it. Only Exchange Online currently offers some controls, as detailed here: https://practical365.com/exchange-online/application-access-policies-in-exchange-online/
    For all the other workloads, access cannot be restricted, although supposedly Microsoft is working on bringing additional controls.

    3 people found this answer helpful.

0 additional answers

Sort by: Most helpful