Graph API permissions restriction

Occasional Visitor

Hello

 

External website requires the need to read group members from Azure AD for login.

Under Azure AD -> App registrations -> AppName  -> API permissions  i have given Directory.ReadAll.

 

Under Enterprise applications -> AppName -> User and groups  i have set 3 groups that can use the application.

 

How do i limit in API permissions how much the app can read, cause it doesnt actually need Directory.ReadAll but only ReadAll to 3 specific groups that it has users in.

1 Reply
By default, Graph API permissions are tenant-wide. If you are using the delegate permissions model, they can be restricted by the permission given to the user you're currently running with, and you can also use administrative units to scope them down to just select objects: https://learn.microsoft.com/en-us/azure/active-directory/roles/administrative-units

If you are using the application permissions model, there is no way to restrict access currently. Assigning groups under the application properties is a different functionality, won't help you here.