VicKot-7848 asked:

Azure AD Enterprise app should not see all my users/groups. How?

I have granted admin access for an enterprise app (using "Grant permissions to an application" as described here: https://docs.microsoft.com/en-us/graph/security-authorization#grant-permissions-to-an-application ). So now this app has access to all my groups and users, because of permissions like "Group.Read.All" and "User.Read.All". Is it possible somehow to limit this access for the app, so that the app gets a limited list of users/groups? I mean, if the app requests the Graph API like "/users" or "/groups", there will be only those items that I want.

azure-active-directory

1 Answer

michev answered:

No, it can access all the groups and there's no way to restrict it. Only Exchange Online currently offers some controls, as detailed here: https://practical365.com/exchange-online/application-access-policies-in-exchange-online/
For all the other workloads, access cannot be restricted, although supposedly Microsoft is working on bringing additional controls.
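As an added example (not part of the answer above, and not code from the linked article), this is the one control the answer refers to: an Exchange Online application access policy, created with the ExchangeOnlineManagement cmdlets. The app ID, group address and user addresses below are placeholders. Note what it does and does not cover: it scopes the app's access to mailbox data (mail, calendar, contacts) to members of one group; it has no effect on the directory reads granted by `Group.Read.All` and `User.Read.All`, so the `/users` and `/groups` calls in the question still return everything.

```powershell
# Added example, not from the thread: restrict an app's Exchange Online mailbox access
# to a single group of mailboxes with an application access policy.
# Requires the ExchangeOnlineManagement module and an Exchange Online administrator role.
# All IDs and addresses are placeholders.

Connect-ExchangeOnline

$AppId        = '00000000-0000-0000-0000-000000000000'   # placeholder: the app's application (client) ID
$AllowedGroup = 'allowed-mailboxes@contoso.example'      # placeholder: mail-enabled security group

# Without a policy, an application permission such as Mail.Read reaches every mailbox in the tenant.
# RestrictAccess limits the app to mailboxes that are members of $AllowedGroup;
# DenyAccess would instead block the app from those mailboxes only.
New-ApplicationAccessPolicy -AccessRight RestrictAccess `
    -AppId $AppId `
    -PolicyScopeGroupId $AllowedGroup `
    -Description 'Limit this app to mailboxes in the allowed group'

# Review the policies that exist in the tenant (propagation can take some time after creation).
Get-ApplicationAccessPolicy | Format-List

# Verify the effective result per mailbox rather than trusting that the policy exists:
# AccessCheckResult is Granted for a member of the group and Denied for anyone else.
Test-ApplicationAccessPolicy -Identity 'member@contoso.example'    -AppId $AppId
Test-ApplicationAccessPolicy -Identity 'nonmember@contoso.example' -AppId $AppId
```

The `Test-ApplicationAccessPolicy` check is the part worth keeping in a change procedure: it confirms the policy is actually enforced for a given mailbox, which is the evidence you want before relying on the restriction.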


Thank you for your reply! And is there no way to do it on the Enterprise app side? Use different permissions or some different approach? I have access to this app, so I can configure it. I found that there is a permission like "Group.Selected" ( https://docs.microsoft.com/en-us/graph/permissions-reference#application-permissions-18 ), but it said that I shouldn't use it.

0 votes

I mentioned above that MS is working on something in this area, however it's not released yet. There are no controls currently for this scenario.

1 vote