Forum Discussion
Petri-X
Apr 15, 2021 | Bronze Contributor
Is it possible to limit the search possibilities on Graph API
Hi, if I give permission to an application, outside of our tenant, to run graph queries against our tenant. Then the next obvious question is: how to limit what the application can search from our tena...
VasilMichev
Apr 15, 2021 | MVP
It depends. If the application requires Delegate permissions, it will only be able to access what the user who consented to it can. If the application uses App permissions, in most cases it gets unrestricted access to the entire tenant. You cannot scope it to individual attributes, it will be able to query everything allowed by the permission/scope. You cannot scope it to specific users/objects either.
That said, there are some workload-level controls you can use, though they only apply to objects from said workload. In Exchange, this is the application access policy control: https://practical365.com/application-access-policies-in-exchange-online/
Teams has Resource-specific consents: https://docs.microsoft.com/en-us/microsoftteams/platform/graph-api/rsc/resource-specific-consent
Controls for SPO/ODFB are still in preview/design.
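The Exchange application access policy mentioned in the reply above, sketched as an added example that is not part of the original post. The app ID, group address and mailbox addresses are placeholders, and the session is assumed to be an Exchange Online administrator with the ExchangeOnlineManagement module installed.

```powershell
# Added example: scope an app-only (application permission) Graph client to a
# fixed set of mailboxes with an Exchange Online application access policy.
# Every identifier below is a placeholder, not a value from the thread.

$AppId      = '00000000-0000-0000-0000-000000000000'  # placeholder: client ID of the external app
$ScopeGroup = 'graph-app-allowed@contoso.example'     # placeholder: mail-enabled security group
$Allowed    = 'shared.inbox@contoso.example'          # placeholder: mailbox the app may access
$Outside    = 'finance.lead@contoso.example'          # placeholder: mailbox that must stay out of reach

Connect-ExchangeOnline

# 1. Mail-enabled security group whose members are the only mailboxes
#    the app should be able to reach.
New-DistributionGroup -Name 'Graph app allowed mailboxes' `
    -PrimarySmtpAddress $ScopeGroup `
    -Type Security `
    -Members $Allowed

# 2. Bind the app to that group. RestrictAccess limits the app to group
#    members; without a policy, app permissions such as Mail.Read cover
#    every mailbox in the tenant.
New-ApplicationAccessPolicy -AppId $AppId `
    -PolicyScopeGroupId $ScopeGroup `
    -AccessRight RestrictAccess `
    -Description 'Limit external Graph app to approved mailboxes'

# 3. Verify both sides of the boundary: a member should report Granted,
#    a non-member Denied.
foreach ($mailbox in $Allowed, $Outside) {
    $result = Test-ApplicationAccessPolicy -Identity $mailbox -AppId $AppId
    '{0,-35} {1}' -f $mailbox, $result.AccessCheckResult
}

# 4. Review which policies exist for the app during access reviews.
Get-ApplicationAccessPolicy | Where-Object AppId -eq $AppId |
    Format-List Identity, ScopeName, AccessRight, Description
```

The policy only constrains Exchange data reached through the app's permissions; directory, Teams and SharePoint data granted to the same app are unaffected, so the consented permission list still needs to be kept minimal.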