Hello
I want to start allowing Admins to use "Microsoft Graph PowerShell" however i have concerns when it comes to Exchange online and sharepoint online. How can i block or prevent admin's from using "Microsoft Graph PowerShell" to add permissions to Exchange and Sharepoint online ?
Just checking in to see if above information was helpful.
Please let us know if you would like further assistance.
Which admins are you referring to? What roles? If they are admins with those rights, you can't prevent that. Its no different than having that ability with Powershell or via the GUI.
I understand. I was hoping i could prevent the following permissions, but it sounds like thats not possible. These would be users in the GA role. My understanding is Microsoft doesn't recommend adding the permissions that are in the screen shot to manage sharepoint and exchange online. What are your thoughts on this ?
Well, those are all delegated perms. so in that case, it would allow the user to access mailboxes they all ready have access to.
You would generally use "Application" perms and then in that case, you can limit the mailbox access the app has using an access policy
https://docs.microsoft.com/en-us/graph/auth-limit-mailbox-access
32 people are following this question.
