
How to limit Microsoft Graph API Application Permissions to a specific user or security group

Matteo Gentile 0 Reputation points
2026-06-17T16:05:55.6733333+00:00

Dear All

I've created an Entra registered app and given it two Microsoft Graph API application permissions (Mail.ReadWrite and Mail.Send). Is it technically possible to limit them to a specific security group only? Could you please help me do it?

Thanks

Regards

Matteo Gentile

Microsoft Security | Microsoft Graph

2 answers

  1. Vasil Michev 127K Reputation points MVP Volunteer Moderator
    2026-06-17T16:11:15.98+00:00

    General answer - it depends on the permission. By design, Graph permissions are resource-wide, i.e. User.Read.All will cover any and all users within the directory.

    Some workloads, such as Exchange Online, do provide their own controls to scope such broad permissions. So for your specific scenario, the answer is YES - you can restrict both Mail.ReadWrite and Mail.Send to specific users (or members of specific groups). The best way to do so is by leveraging the RBAC for applications functionality, as detailed here: https://learn.microsoft.com/en-us/exchange/permissions-exo/application-rbac

    The application access policies referenced by our lovely AI assistant can also work, but they are older functionality and Microsoft is no longer investing in them. Thus, RBAC for applications is preferred.

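The RBAC for applications approach recommended in the answer above, written out as an added example for this thread (it is not code from the answer author or from Microsoft's documentation). It assumes the ExchangeOnlineManagement module, an Exchange administrator session, and placeholder values for the app's client ID, the service principal object ID, the group name and the test mailboxes; the scope and assignment names are also made up for the example.

```powershell
# Added example: scope an app's Mail.ReadWrite and Mail.Send application access to one group
# using Exchange Online "RBAC for applications" (management scope + application role assignment).
# All IDs, names and addresses below are placeholders; replace them with your tenant's values.

Connect-ExchangeOnline

$AppId     = '00000000-0000-0000-0000-000000000000'  # placeholder: Application (client) ID of the app registration
$ObjectId  = '11111111-1111-1111-1111-111111111111'  # placeholder: object ID of the app's Entra service principal
$GroupName = 'Mail-Integration-Allowed'              # placeholder: group whose members' mailboxes the app may use

# 1. Exchange Online keeps its own service principal object for the app; create it if it is missing.
if (-not (Get-ServicePrincipal -Identity $AppId -ErrorAction SilentlyContinue)) {
    New-ServicePrincipal -AppId $AppId -ObjectId $ObjectId -DisplayName 'Mail Integration App'
}

# 2. Build a management scope that matches only members of the group.
#    The MemberOfGroup filter takes the group's distinguished name, so resolve it first.
$groupDn = (Get-Group -Identity $GroupName).DistinguishedName
$scope   = New-ManagementScope -Name 'Mail Integration Scope' `
               -RecipientRestrictionFilter "MemberOfGroup -eq '$groupDn'"

# 3. Assign the two application roles to the app, bounded by that scope.
#    Role names follow the 'Application <Graph permission>' pattern used by RBAC for applications.
foreach ($role in 'Application Mail.ReadWrite', 'Application Mail.Send') {
    New-ManagementRoleAssignment -App $AppId -Role $role -CustomResourceScope $scope.Name
}

# 4. Verify the effective access: a group member should be allowed, anyone else denied.
Test-ServicePrincipalAuthorization -Identity $AppId -Resource 'member@contoso.com'    # placeholder mailbox in the group
Test-ServicePrincipalAuthorization -Identity $AppId -Resource 'outsider@contoso.com'  # placeholder mailbox outside it

# Review what the app is now allowed to do and where.
Get-ManagementRoleAssignment -App $AppId | Format-Table Role, CustomResourceScope
```

Run the two Test-ServicePrincipalAuthorization checks after the assignments are in place rather than trusting the configuration: if the out-of-scope mailbox still comes back as allowed, check whether a tenant-wide Mail.ReadWrite or Mail.Send grant on the app registration in Entra is still in effect, since that grant is what makes the permission org-wide in the first place.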

  2. AI answer

    2026-06-17T16:06:09.0233333+00:00

    Yes. Application permissions like Mail.ReadWrite and Mail.Send can be limited to specific mailboxes by using Microsoft Graph application access policies; user or group scoping is done at the resource (Exchange Online) level, not directly on the permission itself.

    For mail-related Microsoft Graph application permissions (Mail.Read, Mail.ReadWrite, Mail.Send, MailboxSettings.Read, MailboxSettings.ReadWrite), administrators can configure an application access policy so the app can only access mailboxes for a specific user or for members of a specific security group, even though the app technically has org-wide application permissions.

    Key points from the documentation:

    • Mail.Read, Mail.ReadWrite, Mail.Send, and MailboxSettings.ReadWrite application permissions are, by default, org-wide.
    • Administrators can configure an application access policy to limit app access to specific mailboxes and not to all mailboxes in the organization, even if the app has been granted these application permissions.
    • This mechanism is supported for:
      • Mail.Read
      • Mail.ReadWrite
      • Mail.Send
      • MailboxSettings.Read
      • MailboxSettings.ReadWrite

    So, to limit your app that has Mail.ReadWrite and Mail.Send application permissions to a specific security group:

    1. Ensure the app has been granted the required application permissions (Mail.ReadWrite, Mail.Send) with admin consent.
    2. Create a security group and add the allowed users’ mailboxes as members.
    3. Configure an application access policy in Exchange Online that:
      • Targets your app registration (by its app ID), and
      • Restricts access to the mailboxes of the members of that security group.

    After the policy is applied, Microsoft Graph calls using those application permissions will only succeed for mailboxes in that group; access to other mailboxes will be blocked, even though the app holds org-wide application permissions at the directory level.


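The application access policy procedure described in the answer above, as an added example for this thread (not code from the answer or from Microsoft's documentation). It assumes the ExchangeOnlineManagement module, an Exchange administrator session, and placeholder values for the app's client ID, the group's SMTP address and the test mailboxes. One caveat a practitioner should know before following the steps above: PolicyScopeGroupId must be a mail-enabled group (a mail-enabled security group, distribution group or dynamic distribution group); a plain, non-mail-enabled security group is not accepted.

```powershell
# Added example: restrict an app holding org-wide Mail.ReadWrite / Mail.Send application
# permissions to the members of one mail-enabled security group via an application access policy.
# IDs and addresses below are placeholders; replace them with your tenant's values.

Connect-ExchangeOnline

$AppId = '00000000-0000-0000-0000-000000000000'      # placeholder: Application (client) ID of the app registration
$Group = 'mail-integration-allowed@contoso.com'      # placeholder: SMTP address of a MAIL-ENABLED security group

# Create the policy: RestrictAccess means the app may reach only mailboxes of the group's members.
New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $Group `
    -AccessRight RestrictAccess `
    -Description 'Limit mail integration app to members of mail-integration-allowed'

# Policies take time to replicate; check the effective result before relying on it.
# AccessCheckResult is expected to be Granted for a member and Denied for a non-member.
Test-ApplicationAccessPolicy -Identity 'member@contoso.com'   -AppId $AppId   # placeholder mailbox in the group
Test-ApplicationAccessPolicy -Identity 'outsider@contoso.com' -AppId $AppId   # placeholder mailbox outside it

# List the policies that currently apply to this app.
Get-ApplicationAccessPolicy | Where-Object AppId -eq $AppId
```

The policy is evaluated by Exchange Online at request time, so the app registration in Entra still shows the org-wide permissions; Test-ApplicationAccessPolicy is the only quick way to confirm what the app can actually reach. If a broader block is wanted, the same cmdlet with -AccessRight DenyAccess blocks the app for the group's members instead of allowing only them.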
