Forum Discussion
Control what the user can give consent to
O365 and OAuth2 allows users to give 3rd party apps consent to access data on behalf of the user.
Is there any way we can limit the "scope" of consent the user allow ?
Since we are in the EU, and thus hit by GDPR, and we consider e-mails as containing personal data, then we can not legally allow 3rd parties access to users e-mail without a data processor agreement, risk assessment etc in place. The 3rd party would process data.
We can get the granted permissions on a per user basis, and do our own reporting and followup. But it would be better to say users can NOT give 3rd party apps any sort of e-mail, calendar and Contacts (that is by definition personal data) permission.
We can disallow all 3rd party apps altogether, by tuning integrated Apps off. But we still would allow the user to grant simple consent like: "openid profile email", "User.Read openid email profile offline_access" or "User.Read"
So one thing you can do currently is enforce app permission policies so that by default apps can only get access to some mailboxes: https://practical365.com/exchange-online/application-access-policies-in-exchange-online/
You cannot go more granular on the actual app permissions though, so it's either that or disable them altogether. But they did announce that they are working on a "consent" role for Azure AD, which should eventually be able to allow you to delegate permissions to consent, ideally for specific scopes/permissions only. No ETA on that though.