Forum Discussion
Excessive privileges needed for graph. Is there any reassurance for internal security?
Our Enterprise security will not allow Graph as it requires too many consents. Whilst activity will be limited to the users authority our security people argue that the App has been consented to ...
Which app is that exactly? There is no single "Graph" app that will request consent to everything, even the Graph explorer only covers some (delegate) permissions. Applications will only request specific permissions/scopes, the more sensitive of which will require admin consent. Your organization can configure which scopes are considered "low impact" and so on: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-permission-classifications?tabs=azure-portal
For some workloads, you also have the option to limit the scope of the permissions granted via Graph to specific objects only, here's for example how it works for ExO: https://practical365.com/application-access-policies-in-exchange-online/
For some workloads, you also have the option to limit the scope of the permissions granted via Graph to specific objects only, here's for example how it works for ExO: https://practical365.com/application-access-policies-in-exchange-online/