Scope azure app graph permissions to a group to enable/prevent access to group members content

Scope azure app graph permissions to a group to enable/prevent access to group members content
5

Upvotes

Upvote

 Nov 15 2022
2 Comments (2 New)
New

We collect Teams data through the graph Export API on behalf of our costumers using the security and compliance workflows. Generally, only a small subset of users are targeted for collection. Customers do not want to grant access to all users data if they only require the collection of some. The permissions required for use of the Export API and other Teams API's within graph grant access to all users in the environment. We prefer to have least privileged access necessary to perform the collection. Right now, the only levels of privilege are full access and no access.

 

Can you add the ability to scope access on the app registration to prevent/allow this app from accessing the scoped users/groups data?

Comments
Occasional Visitor

Ideally scoping of Azure Application permissions for groups/individuals would be supported for not just Teams, but for all accessible data in M365/G365 (e.g. Outlook mailboxes, OneDrive/SharePoint)

Occasional Visitor

We have been searching for an access control framework to solve this problem for going on 2 years now.  Entitlement Management was brought up by one Microsoft Partner but that doesn't appear to completely solve the problem.  We have yet to find any resources at Microsoft who can provide a path to a solution.