RonA asked (0 votes):

Azure AD: limit an enterprise app to only access a group of users OneDrive and a group of sharepoint sites?

For an enterprise app, is there a way to limit the application to only access OneDrives for users belonging in a group?

Similarly, can the same be done to limit the app to access a specific set of SharePoint sites?

azure-active-directory

soumi-MSFT answered (1 vote):

@RonA-0481, ideally when you register any application in AAD, a corresponding entry for that same application also gets created in the Enterprise Applications section of AAD, which is the service principal object of that application that gets registered under Enterprise Apps. On this service principal object for an application, you can assign users and groups, and only users who are added into those groups or into the "Users and groups" section would be able to access that application. Please refer to the screenshot below:

[screenshot: usersgroups.png]

Also, in order to restrict access to that application to only the assigned users, the following option should also be set to "Yes".

[screenshot: usergroups1.png]

Also, for first-party apps like OneDrive, SharePoint Online, Exchange Online etc., you can provide access to only a certain set of users or certain groups by applying a Conditional Access policy on those specific applications.

Secondly, to limit an application to access specific SharePoint sites, it again has to be done using Conditional Access policies. You can read more on CA policies here.

Hope this helps.

Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.


usersgroups.png (36.8 KiB)
usergroups1.png (91.0 KiB)
· Share
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.
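The "Users and groups" assignment and the "User assignment required? = Yes" setting described above can also be set from Microsoft Graph PowerShell. The following is an added example for this thread, not code from the answer or from Microsoft; the AppId and group name are placeholders you would replace with your own.

```powershell
# Added example (not from the original answer): restrict sign-in to an enterprise
# application to members of one group, using Microsoft Graph PowerShell.
# Assumptions: the AppId and the group display name below are placeholders.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All", "Group.Read.All"

$appId     = "00000000-0000-0000-0000-000000000000"   # placeholder: the app's Application (client) ID
$groupName = "OneDrive App Users"                     # placeholder: group allowed to use the app

# The enterprise application is the service principal created for that AppId.
$sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) { throw "No service principal found for appId $appId" }

# Equivalent of setting "User assignment required?" to Yes in the portal.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -BodyParameter @{ appRoleAssignmentRequired = $true }

# Equivalent of adding the group under "Users and groups".
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found" }

New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -BodyParameter @{
    principalId = $group.Id
    resourceId  = $sp.Id
    # All-zero role id is the default access role for apps that define no app roles.
    appRoleId   = "00000000-0000-0000-0000-000000000000"
}

# Verify who is now assigned to the application.
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id |
    Select-Object PrincipalDisplayName, PrincipalType, CreatedDateTime
```

Note what this does and does not control: it restricts which identities can sign in to and use the application. It does not narrow which OneDrives or SharePoint sites the application's own (admin-consented) application permissions can reach, which is the separate concern raised later in this thread.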

RonA answered (0 votes):

@soumi-MSFT Thank you for your response.

There's one detail that I did not mention yet: the enterprise application was installed by giving admin consent on behalf of the organization. The enterprise application is already restricted to a service account as you described in your screenshots.

The use of the service account with admin consent was granted by our governance team (as the global admin role will not be assigned). So we would also like to further restrict which users' OneDrives and SharePoint sites can be accessed when the enterprise application is authorized with the service account.




· Share
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

michev answered (1 vote):

No, it cannot. Exchange is currently the only workflow that supports restricting application permissions on a per-resource basis (mailboxes, in this case). Teams has the resource-specific consent model, which approaches this from the opposite end: granting team owners the ability to consent to a given app. But when it comes to limiting SPO/ODFB access, application permissions are an "all or nothing" scenario.

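For comparison, this is what the Exchange per-resource restriction mentioned in the answer above looks like in practice: an Exchange Online application access policy scopes an app's application permissions to the mailboxes of one mail-enabled security group. This is an added example for this thread, not code from the answer or from Microsoft, and it applies only to Exchange mailboxes, not to SharePoint sites or OneDrives; the AppId, group address and test mailboxes are placeholders.

```powershell
# Added example (not from the original answer): Exchange Online application access policy.
# Assumptions: the AppId, the mail-enabled security group address and the two test
# mailboxes are placeholders for values from your own tenant.
Connect-ExchangeOnline

$appId      = "00000000-0000-0000-0000-000000000000"   # placeholder: the app's Application (client) ID
$scopeGroup = "app-allowed-mailboxes@contoso.example"   # placeholder: mail-enabled security group

# Restrict the app's application permissions to mailboxes of the group's members.
New-ApplicationAccessPolicy -AppId $appId `
    -PolicyScopeGroupId $scopeGroup `
    -AccessRight RestrictAccess `
    -Description "Limit $appId to mailboxes of members of $scopeGroup"

# Check the effect for one mailbox inside the group and one outside it.
# AccessCheckResult in the output shows Granted or Denied for each.
Test-ApplicationAccessPolicy -Identity "member@contoso.example"   -AppId $appId
Test-ApplicationAccessPolicy -Identity "outsider@contoso.example" -AppId $appId

# Review the policies currently in force for this app.
Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $appId }
```

A newly created policy may take some time to be enforced, so run the Test-ApplicationAccessPolicy checks again after a short wait before relying on the result.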