Forum Discussion
Restricting Groups that are shared with apps
The way School Data Sync is architected, once the data from your SIS has been added to the user / group information created in Azure Active Directory (AAD), that information is there and available to the apps that you allow to access AAD. There is currently no provision for only giving apps access to certain parts of AAD, or certain information in AAD.
For most scenarios, the main concern is that you don't want user or group information exposed to the users of the apps using the data. That is, the app itself can be trusted, but you might not want the users of that app to have information about the users or the groups in AAD. The groups SDS creates in AAD are private, so as long as the app is using the SSO APIs, users of that app would only be able to see / participate in the groups to which they belong, and not other private groups.
I hope this helps,
Matt McGinnis
One more point to add:
While it is "all or nothing" for accessing groups in Azure Active Directory & Office Graph, there are permissions you can restrict that are documented here.
https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference
Hopefully this will add additional detail useful to you.
Thanks,
Matt
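As an added example (not part of the thread, and not Microsoft's or SDS's own code), a small audit helper for the permission-restriction point above: it parses the `scope` string of Microsoft Graph `oauth2PermissionGrant` records (a space-separated list of delegated scope names) and flags apps that hold group permissions broader than a least-privilege allow-list. The grant records are constructed samples, and which scopes count as acceptable is an assumption a tenant would set for itself.

```python
"""Audit delegated Graph scopes granted to apps for over-broad group access."""

# Assumption: these read-only group scopes are the least-privilege set a
# tenant accepts for apps that only need to see a user's own class groups.
ALLOWED_GROUP_SCOPES = {"GroupMember.Read.All", "Group.Read.All"}

# Scopes that grant write access to groups or broad directory reads; an app
# holding these can touch far more than the groups a user belongs to.
OVERBROAD_GROUP_SCOPES = {
    "Group.ReadWrite.All",
    "GroupMember.ReadWrite.All",
    "Directory.Read.All",
    "Directory.ReadWrite.All",
}


def parse_grant_scope(scope: str) -> set[str]:
    """oauth2PermissionGrant.scope is a space-separated string of scope names."""
    return {s for s in scope.split(" ") if s}


def audit_grants(grants: list[dict]) -> dict[str, dict]:
    """Return {clientId: {"overbroad": [...], "tenantWide": bool}} for each
    grant carrying an over-broad group scope. consentType "AllPrincipals"
    means an admin consented on behalf of every user, so the scope applies
    tenant-wide rather than only to the one user who consented."""
    findings: dict[str, dict] = {}
    for grant in grants:
        bad = parse_grant_scope(grant["scope"]) & OVERBROAD_GROUP_SCOPES
        if not bad:
            continue
        entry = findings.setdefault(
            grant["clientId"], {"overbroad": set(), "tenantWide": False}
        )
        entry["overbroad"].update(bad)
        entry["tenantWide"] |= grant.get("consentType") == "AllPrincipals"
    return {
        app: {"overbroad": sorted(e["overbroad"]), "tenantWide": e["tenantWide"]}
        for app, e in findings.items()
    }


# Constructed sample records in the shape of Graph oauth2PermissionGrant
# objects (clientId values are placeholders, not real app ids).
SAMPLE_GRANTS = [
    {"clientId": "app-lms", "consentType": "AllPrincipals",
     "scope": "User.Read Group.Read.All"},
    {"clientId": "app-rostering", "consentType": "AllPrincipals",
     "scope": "User.Read Group.ReadWrite.All Directory.Read.All"},
    {"clientId": "app-notes", "consentType": "Principal",
     "scope": "User.Read"},
]

if __name__ == "__main__":
    for app, finding in audit_grants(SAMPLE_GRANTS).items():
        print(app, finding)
```

Only apps whose grants carry a scope from the over-broad set are reported; an app limited to the allow-listed read scopes, like `app-lms` in the sample, is silent.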