This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(198.4, 5%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVL%3C/text%3E%3C/svg%3E)
Hey Msft,
GRAPH API is very helpful and powerful to return the information. As you know there are two moded on it as mentione here :
https://learn.microsoft.com/en-us/graph/auth/auth-concepts
App and delegated access.
For our recurring use cases we need App Access ( as no user auth is needed) and the permissions can be restricted via scopes as well.
However the issue is when an App is given one scope permission let say User.Read or Mail.ReadBasic.All or anything, the "App" which is granted this scope gets the ability to perform operation for that scope with ALL users/objects in Azure Tenancy.
For example If there are 100K users in that tenancy app can read ( for the scopes granted) for all users , but from a bussiness function may this is only needed for 5K users, app has no need to excessive access to read that for remaining 95K users.
Is there a way to restrict this ? This seems way to excessive in terms of permissions.
Thanks,
VIkram
Hi @Vikram Lamba , did you need any more help with this question? If not could you please mark "Accept Answer" on the appropriate answer so other users can reference it?
Thank you,
James
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 20%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELH%3C/text%3E%3C/svg%3E)
@James Hamil --Can you share any further info on "scoped access" and how it can limit what graph API can do? A challenge we are working is limiting the scope for read/write access on Azure AD to a specific set of subscriptions. The graph API as I understand it can still access the entire user list in the AD and cannot be limited to users in the specific subscriptions we want scoped.
Luke
Hi @Vikram Lamba You can restrict the access of an app with application permissions by using scoped access. However, Microsoft Graph API does not provide a direct way to restrict access to a specific set of users through the Azure portal. One possible solution is to implement additional logic in your application to filter the users based on your business requirements. This way, even though the app has access to all users, it will only process the data for the users you specify.
Another approach is to use delegated permissions instead of application permissions. Delegated permissions allow your app to perform operations on behalf of the logged-in user, and you can control which users have access to your app. However, this method requires user authentication and may not be suitable for your use case if you need app-only access without user interaction. Hope this helps!
Please let me know if you have any questions and I can help you further.
If this answer helps you please mark "Accept Answer" so other users can reference it.
Thank you,
James
Hey James
Thanks for the response.
Solution one is not helpful, as in some cases the app can be external ( to orgnisation) and it does not always know the set of users , and to alwas keep updated of the news users that joins the organisation is a continous feed to this external app .
And for an external app the control is at their side and then whose tenanncy it is.
Second as you said is not feasible as we dont want delegated access
Is there a feature or change request to implement this in future?
Thanks,
VIkram
Hi @Vikram Lamba , sorry for the delay in response. Unfortunately currently there are no plans to change this. One possible solution is to implement additional logic in your application to filter the users based on your business requirements. This way, even though the app has access to all users, it will only process the data for the users you specify. But I'm not sure if that's what you're looking for. If you feel strongly about this please submit a feature request here that we can track. Let me know if you have any other questions!
Best,
James
Hello @Vikram Lamba , let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.