KyleBarr-8515 asked ·

Granting API access to specific users

Our organization has a couple dozen special email accounts (Exchange). No users manually sign into them, but we have a native app that manages the accounts automatically.

I've registered the app in Azure, but I'm having trouble deciding which route to go with the permissions. Delegated permissions don't feel right because users never manually sign into these accounts. The app has the account credentials so it could log in, but I don't think there's a way for it to accept permissions like that. Application permissions feel like overkill, and it is likely a security issue to grant the app access to so many users it doesn't need.

Is there a way to automatically grant permission to a small set of users? Either individually, or by putting them in a group and granting permissions to that group?

Thanks.

azure-active-directory
michev answered ·

Depends on what the app is supposed to do. If accessing/managing mail items and such, the Graph API can be a good match and you can restrain the permissions to specific mailboxes via application access policies: https://practical365.com/exchange-online/application-access-policies-in-exchange-online/

EWS is another option, but if you are going to use it in the application permissions model, it cannot be scoped. You can however create a separate account just for said app to use, and limit its permissions. If the app needs to also perform management tasks, the Graph API currently doesn't cover a thing, so you'll have to use PowerShell and limit it via management scopes and such.

amanpreetsingh-msft answered ·

Hi @KyleBarr-8515, you can choose to go with delegated or application permissions based on how the application is going to access the resources.

Delegated permissions should be used when you want the application to perform certain actions on behalf of a user. For example, allowing the application to access directory data as the signed-in user.

Application permissions should be used when there is no user involved in the process, i.e. when the application authenticates using the client_credentials flow and gets a token issued to the application itself. In this case the application will access directory data in its own context and not on behalf of a user.

"Is there a way to automatically grant permission to a small set of users?"
This is possible if each user in that specific set provides consent to the application to access resources on their behalf or an admin adds the specific set of users to a specific directory role. You cannot provide admin consent to grant permissions to a specific set of users. Admin consent grants approved access for all users in the tenant.


Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.

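Putting the two answers together for the asker's scenario: the app uses application permissions with a client_credentials token (no user signs in), and an Exchange Online application access policy limits which mailboxes that token can actually reach. The script below is an added example written for this thread; it is not code from either answerer or from Microsoft's documentation. It assumes the ExchangeOnlineManagement module, an Exchange administrator account, a Mail.Read application permission already granted by admin consent, and placeholder tenant, app ID, group and mailbox names that you would replace with your own.

```powershell
# Added example (not from the original thread). All IDs, addresses and the
# group name are placeholders; replace them with your tenant's values.

# ---- 1. Exchange Online side: restrict the app to one group of mailboxes ----
# Requires the ExchangeOnlineManagement module and Exchange admin rights.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

$appId = '00000000-0000-0000-0000-000000000000'   # placeholder: Application (client) ID of the registration

# Mail-enabled security group holding only the service mailboxes the app manages.
# Application access policies need a mail-enabled security group, not a plain distribution group.
New-DistributionGroup -Name 'svc-mailbox-automation' -Type Security `
    -PrimarySmtpAddress 'svc-mailbox-automation@contoso.example' | Out-Null
Add-DistributionGroupMember -Identity 'svc-mailbox-automation' -Member 'svc-intake@contoso.example'
Add-DistributionGroupMember -Identity 'svc-mailbox-automation' -Member 'svc-billing@contoso.example'

# The policy: the app may only reach mailboxes that are members of the group.
# Policy changes can take up to about 30 minutes to become effective.
New-ApplicationAccessPolicy -AppId $appId -PolicyScopeGroupId 'svc-mailbox-automation@contoso.example' `
    -AccessRight RestrictAccess -Description 'Limit the mailbox automation app to its service mailboxes'

# Verify before relying on it: expect Granted for a member, Denied for anyone else.
Test-ApplicationAccessPolicy -Identity 'svc-intake@contoso.example' -AppId $appId
Test-ApplicationAccessPolicy -Identity 'kyle@contoso.example'       -AppId $appId

# ---- 2. Application side: client_credentials token, no user involved ----
$tenantId     = 'contoso.example'                        # placeholder tenant
$clientSecret = Get-Content -Path '.\client-secret.txt'  # keep secrets out of the script; a certificate is preferable

$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $appId
        client_secret = $clientSecret
        scope         = 'https://graph.microsoft.com/.default'   # every application permission admin-consented to the app
    }
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

# Mail.Read application permission plus the policy above: a scoped mailbox works...
Invoke-RestMethod -Headers $headers `
    -Uri 'https://graph.microsoft.com/v1.0/users/svc-intake@contoso.example/messages?$top=5&$select=subject,from'

# ...while the same call against a mailbox outside the group is rejected with HTTP 403,
# even though the token itself carries tenant-wide Mail.Read.
try {
    Invoke-RestMethod -Headers $headers `
        -Uri 'https://graph.microsoft.com/v1.0/users/kyle@contoso.example/messages?$top=1'
} catch {
    Write-Warning "Blocked by the application access policy as intended: $($_.Exception.Message)"
}
```

The policy does not change what the token says (admin consent is still tenant-wide, as the second answer notes); it is enforced by Exchange Online when the request arrives, which is why the Test-ApplicationAccessPolicy check and the deliberately failing call are worth keeping in a deployment runbook.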