Graph API permissions restriction


Hello

An external website needs to read group members from Azure AD for login.

Under Azure AD -> App registrations -> AppName -> API permissions I have given Directory.Read.All.

Under Enterprise applications -> AppName -> Users and groups I have set 3 groups that can use the application.

How do I limit, in API permissions, how much the app can read? It doesn't actually need Directory.Read.All, only Read.All on the 3 specific groups that its users are in.

1 Reply
By default, Graph API permissions are tenant-wide. If you are using the delegated permissions model, they can be restricted by the permissions given to the user you're currently running as, and you can also use administrative units to scope them down to just select objects: https://learn.microsoft.com/en-us/azure/active-directory/roles/administrative-units

If you are using the application permissions model, there is no way to restrict access currently. Assigning groups under the application properties is a different functionality and won't help you here.
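The distinction in the reply (delegated permissions bounded by the signed-in user versus tenant-wide application permissions) is visible in the access token the app presents to Graph: Azure AD places delegated scopes in the `scp` claim and application permissions in the `roles` claim. The script below is an added illustration, not code from this thread or from Microsoft; it decodes a token payload without verifying it (inspection only) and reports which model the app is running under and whether it holds a tenant-wide directory read such as Directory.Read.All. The two tokens are constructed samples with placeholder signatures; the narrower `GroupMember.Read.All` scope in the delegated sample is used only to show what a less broad grant looks like next to the broad one.

```python
import base64
import json

# Permissions that grant directory-wide reads, regardless of which groups
# were assigned to the app under Enterprise applications -> Users and groups.
TENANT_WIDE_READ = {"Directory.Read.All", "Directory.ReadWrite.All"}

# Constructed sample payloads (not real tokens). Azure AD puts delegated
# scopes in "scp" (space separated) and application permissions in "roles".
DELEGATED_PAYLOAD = {
    "aud": "https://graph.microsoft.com",
    "scp": "GroupMember.Read.All User.Read",
    "oid": "00000000-0000-0000-0000-000000000001",  # placeholder user id
}
APPLICATION_PAYLOAD = {
    "aud": "https://graph.microsoft.com",
    "roles": ["Directory.Read.All"],
    "idtyp": "app",
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_token(payload: dict) -> str:
    """Build a constructed, unsigned JWT so the example runs offline.

    The signature segment is a placeholder string; this is a demo helper,
    not a way to mint tokens.
    """
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.placeholder-signature"


def claims_from_token(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying it.

    Inspection only: a resource must still validate the signature, issuer
    and audience before trusting any of these claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def classify_permissions(claims: dict) -> dict:
    """Report the Graph permission model a token represents and its reach."""
    if "scp" in claims:
        model = "delegated"
        permissions = sorted(claims["scp"].split())
        # Delegated calls can do no more than the signed-in user is allowed to.
        scope = "bounded by the signed-in user's rights"
    elif "roles" in claims:
        model = "application"
        permissions = sorted(claims["roles"])
        # Application permissions act as the app itself, across the tenant.
        scope = "tenant-wide"
    else:
        model, permissions, scope = "unknown", [], "unknown"

    broad = sorted(p for p in permissions if p in TENANT_WIDE_READ)
    return {
        "model": model,
        "permissions": permissions,
        "scope": scope,
        "broad_permissions": broad,
    }


if __name__ == "__main__":
    for label, payload in (("delegated", DELEGATED_PAYLOAD),
                           ("application", APPLICATION_PAYLOAD)):
        report = classify_permissions(claims_from_token(make_sample_token(payload)))
        print(label, json.dumps(report, indent=2))
```

Run against a real token captured from the app's own logging, the `broad_permissions` list is the quick check for whether Directory.Read.All is still granted after you swap it for a narrower scope, and `scope` tells you which of the two cases in the reply applies.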