This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(224.00000000000003, 82%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESH%3C/text%3E%3C/svg%3E)
Hello
I want to start allowing Admins to use "Microsoft Graph PowerShell" however i have concerns when it comes to Exchange online and sharepoint online. How can i block or prevent admin's from using "Microsoft Graph PowerShell" to add permissions to Exchange and Sharepoint online ?
The process of building custom applications and tools that interact with Microsoft Exchange Server
An API that connects multiple Microsoft services, enabling data access and automation across platforms
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 22%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKY%3C/text%3E%3C/svg%3E)
Just checking in to see if above information was helpful.
Please let us know if you would like further assistance.
Well, those are all delegated perms. so in that case, it would allow the user to access mailboxes they all ready have access to.
You would generally use "Application" perms and then in that case, you can limit the mailbox access the app has using an access policy
https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access
Which admins are you referring to? What roles? If they are admins with those rights, you can't prevent that. Its no different than having that ability with Powershell or via the GUI.
I understand. I was hoping i could prevent the following permissions, but it sounds like thats not possible. These would be users in the GA role. My understanding is Microsoft doesn't recommend adding the permissions that are in the screen shot to manage sharepoint and exchange online. What are your thoughts on this ?
