Limit permissions to update a single Azure AD group via API

Pascal Frencken 6 Reputation points

We have a requirement where we want to use an automation to add users to a specific group in Azure AD via API calls. Our security policies require us to apply the principle of least privilege when doing this, meaning that we should only provide permissions to update that specific group in AAD.

When configuring the application in Azure and requesting the API permissions, there's only the possibility to add Group.ReadWrite.All and GroupMember.ReadWrite.All permissions, but no way to limit this to a specific group only.

Is there a way to set up permissions to allow an automation access to a single group in Azure AD only via API calls?

Best regards,
Pascal Frencken


1 answer

  1. ShivaniRai-MSFT 2,726 Reputation points

    Hi @Pascal Frencken ,

    Currently most of the Graph permissions are tenant-wide, without a way to restrict them for a specific group. Group.ReadWrite.All and GroupMember.ReadWrite.All give access to all the groups at Application level.

    Similar Post:

    You can submit a feature request idea, which will be monitored by the Microsoft team in order to make enhancements to the Microsoft Graph APIs.

    Hope this helps.
    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.

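Since the Graph permission itself cannot be narrowed to one group, the remaining control is in the automation's own code: it should only ever build a request for the one group it is meant to manage and should record every decision for audit. The following is an added example, not code from the thread or from Microsoft. It assumes a placeholder group object id, a token obtained elsewhere, and an injectable `send` callable so the logic can run offline; the Graph endpoint `POST /groups/{id}/members/$ref` with an `@odata.id` body and its 204 response are the documented call.

```python
"""Constructed example: add a user to exactly one allow-listed Entra ID group via Microsoft Graph.

The app registration still holds tenant-wide GroupMember.ReadWrite.All, so this
allow-list is an application-side guard and an audit trail, not a directory-enforced scope.
"""
import json
import re
from typing import Callable, Dict, List

GRAPH = "https://graph.microsoft.com/v1.0"
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")

# Placeholder object id of the single group this automation may modify (assumption, not from the thread).
ALLOWED_GROUP_ID = "00000000-0000-0000-0000-000000000001"


class ScopeViolation(Exception):
    """Raised when the automation is asked to touch a group outside its allow-list."""


def build_add_member_request(group_id: str, user_id: str) -> Dict[str, object]:
    """Build the Graph call POST /groups/{id}/members/$ref after enforcing the allow-list.

    Both ids must be GUIDs so nothing path-like (e.g. '../me') can be smuggled into the URL.
    """
    for name, value in (("group_id", group_id), ("user_id", user_id)):
        if not GUID_RE.match(value):
            raise ValueError(f"{name} is not a GUID: {value!r}")
    if group_id.lower() != ALLOWED_GROUP_ID:
        raise ScopeViolation(f"refusing to modify group {group_id}: not in allow-list")
    return {
        "method": "POST",
        "url": f"{GRAPH}/groups/{group_id}/members/$ref",
        "headers": {"Content-Type": "application/json"},
        "body": {"@odata.id": f"{GRAPH}/directoryObjects/{user_id}"},
    }


def add_member(group_id: str, user_id: str,
               send: Callable[[Dict[str, object]], int],
               audit: List[Dict[str, object]]) -> bool:
    """Run the guarded call through `send` and append an audit record either way.

    `send` is injected: a real HTTP client in production, a stub in tests.
    Returns True only when Graph answered 204 No Content.
    """
    record: Dict[str, object] = {"action": "add_member", "group": group_id, "user": user_id}
    try:
        request = build_add_member_request(group_id, user_id)
    except (ValueError, ScopeViolation) as exc:
        record.update(result="blocked", reason=str(exc))
        audit.append(record)
        return False
    status = send(request)
    record.update(result="sent", status=status)
    audit.append(record)
    return status == 204


def graph_sender(access_token: str) -> Callable[[Dict[str, object]], int]:
    """Real sender: adds the bearer token and performs the HTTP call (requires the `requests` package)."""
    def send(request: Dict[str, object]) -> int:
        import requests  # imported lazily so the module also runs where requests is absent
        headers = dict(request["headers"])  # type: ignore[arg-type]
        headers["Authorization"] = f"Bearer {access_token}"
        resp = requests.request(str(request["method"]), str(request["url"]),
                                headers=headers, data=json.dumps(request["body"]))
        return resp.status_code
    return send


if __name__ == "__main__":
    # Offline demonstration with a stub sender that always reports success.
    log: List[Dict[str, object]] = []
    user = "11111111-1111-1111-1111-111111111111"  # constructed user object id
    print(add_member(ALLOWED_GROUP_ID, user, lambda req: 204, log))                        # True
    print(add_member("22222222-2222-2222-2222-222222222222", user, lambda req: 204, log))  # False (blocked)
    print(json.dumps(log, indent=2))
```

The guard does not shrink the blast radius of a stolen client secret, because the directory still grants the application rights over every group; it only ensures that a bug or a bad input in the automation cannot widen its reach, and it produces the per-call record that a security review of such an automation will ask for.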