Excessive privileges needed for graph. Is there any reassurance for internal security?


Our Enterprise security will not allow Graph as it requires too many consents.


Whilst activity will be limited to the user's authority, our security people argue that the App has been consented to do more.


Is there a way they can be reassured of the scope of Graph or else we won't be able to use it!


Thanks, Richard 

1 Reply
Which app is that exactly? There is no single "Graph" app that will request consent to everything, even the Graph explorer only covers some (delegate) permissions. Applications will only request specific permissions/scopes, the more sensitive of which will require admin consent. Your organization can configure which scopes are considered "low impact" and so on: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-permission-classificat...
For some workloads, you also have the option to limit the scope of the permissions granted via Graph to specific objects only, here's for example how it works for ExO: https://practical365.com/application-access-policies-in-exchange-online/
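The two points in the reply (check what an app has actually been consented to, and scope Exchange Online access to specific mailboxes) can be turned into a repeatable review for a security team. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, that the caller can read service principals and manage Exchange Online policies, and it uses placeholder values for the app ID, the group address and the test mailbox.

```powershell
# Added example (not from the original thread): audit the permissions an app has
# actually been granted, then scope its Exchange Online access to one group.
# Assumes Microsoft.Graph and ExchangeOnlineManagement modules are installed and
# that the caller holds the rights to read service principals and manage ExO policies.
$AppId      = '00000000-0000-0000-0000-000000000000'    # placeholder: the app's (client) ID
$ScopeGroup = 'graph-allowed-mailboxes@contoso.example'  # placeholder: mail-enabled security group
$TestUser   = 'someone@contoso.example'                  # placeholder: a mailbox outside that group

Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All'

# 1. Resolve the enterprise app (service principal) behind this app ID.
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal found for appId $AppId" }

# 2. Delegated permissions: what users (or an admin on their behalf) consented to.
#    ConsentType 'AllPrincipals' means tenant-wide admin consent; 'Principal' is one user.
#    These only ever act within the signed-in user's own rights.
Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id |
    ForEach-Object {
        [pscustomobject]@{
            Kind        = 'Delegated'
            ConsentType = $_.ConsentType
            Scopes      = $_.Scope.Trim()
        }
    } | Format-Table -AutoSize

# 3. Application permissions (app roles): these run without a signed-in user,
#    so they are the grants that deserve the closest review.
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id
foreach ($a in $assignments) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    $role     = $resource.AppRoles | Where-Object Id -eq $a.AppRoleId
    [pscustomobject]@{
        Kind     = 'Application'
        Resource = $resource.DisplayName
        Role     = $role.Value
    }
}

# 4. Exchange Online: an application access policy limits which mailboxes the app
#    can reach, even when it holds a tenant-wide permission such as Mail.Read.
Connect-ExchangeOnline
New-ApplicationAccessPolicy -AppId $AppId `
    -PolicyScopeGroupId $ScopeGroup `
    -AccessRight RestrictAccess `
    -Description 'Limit Graph mail access to the approved mailbox group'

# 5. Verify: a mailbox outside the group should report AccessCheckResult = Denied.
Test-ApplicationAccessPolicy -Identity $TestUser -AppId $AppId
```

Steps 2 and 3 give the security team the concrete list of scopes the app holds, which is usually a far shorter list than "everything in Graph". Application access policies (step 4) apply only to the Exchange application permissions (mail, calendar, contacts and mailbox settings), not to delegated ones, and can take some time to take effect, so run the `Test-ApplicationAccessPolicy` check after a short wait rather than immediately.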