Limit permissions to update a single Azure AD group via API

Pascal Frencken 6 Reputation points
2022-06-28T07:10:51.893+00:00

We have a requirement where we want to use an automation to add users to a specific group in Azure AD via API calls. Our security policies require us to apply the principle of least privilege when doing this, meaning that we should only provide permissions to update that specific group in AAD.

When configuring the application in Azure and requesting the API permissions, there's only the possibility to add Group.ReadWrite.All and GroupMember.ReadWrite.All permissions, but no way to limit this to a specific group only.

Is there a way to setup permissions to allow an automation access to a single group in Azure AD only via API calls?

Best regards,
Pascal Frencken
Signify

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
12,541 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,497 questions
0 comments No comments
{count} vote

3 answers

Sort by: Most helpful
  1. Fraczek, Rafal SW/WRO-DCDZA 201 Reputation points
    2024-07-11T06:40:45.1566667+00:00

    Maybe this time answer will not be deleted :D

    One of the options is to set the Service Principal as the Owner of required groups that SP should be able to manage. The fact that SP will be the owner of the group gives him the ability to add and remove users and owners from them. With this setting, the application does not need to have any API permissions to manage groups Group.ReadWrite.All or Group.Read.All. Being the owner of restricted number of groups, allow SP only to read/change those groups and for others where SP is not an owner we will have error 403 Forbidden access.

    Additional option is to create Administrative Unit and add required groups to it. Then create new Custom Role with permission to read or update members as required for example microsoft.directory/groups.security.assignedMembership/members/update

    Then in Administrative Unit we need to navigate to 'Roles and administrators' select our new Custom role and as member add Service Principal which should have the rights to manage this AU (so also manage groups assigned to it, as AU will be selected in Scope during assignment). (side not as for now we need to assign new Custom role from AU, not from Role view as selection of AU is not available in Scope during role assignment).

    2 people found this answer helpful.

  2. ShivaniRai-MSFT-7217 2,741 Reputation points
    2022-06-28T11:51:35.187+00:00

    Hi @Pascal Frencken ,

    Currently most of the Graph permissions are tenant-wide, without a way to restrict them for a specific group. Group.ReadWrite.All and GroupMember.ReadWrite.All give access to all the groups at Application level.

    Similar Post: https://learn.microsoft.com/en-us/answers/questions/466029/microsoft-graph-permissions-to-only-access-specifi.html

    You can submit a feature request idea which will be monitored by Microsoft team and make the enhancements to Microsoft Graph APIs.

    Hope this helps.
    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.

    0 comments No comments

  3. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.


    Comments have been turned off. Learn more

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.