Is it possible to limit the search possibilities on Graph API

%3CLINGO-SUB%20id%3D%22lingo-sub-2274250%22%20slang%3D%22en-US%22%3EIs%20it%20possible%20to%20limit%20the%20search%20possibilities%20on%20Graph%20API%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2274250%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3EIf%20I%20give%20permission%20to%20application%2C%20outside%20of%20our%20tenant%2C%20to%20run%20graph%20queries%20against%20our%20tenant.%20Then%20the%20next%20obvious%20question%20is%3A%20how%20to%20limit%20what%20the%20application%20can%20search%20from%20out%20tenant%3F%20I%20would%20like%20to%20limit%20for%20example%3A%3C%2FP%3E%3CP%3E-%20the%20attributes%20to%20be%20available%20only%20from%20the%20selected%20objects%2C%20if%20application%20need%20to%20see%20name%20and%20phone%20number%2C%20then%20why%20it%20should%20be%20able%20to%20list%20email%20addresses%20e.g.%3C%2FP%3E%3CP%3E-%20the%20users%20to%20be%20seen%2C%20based%20on%20our%20own%20criteria's.%20If%20application%20is%20need%20users%20only%20from%20Finland%2C%20then%20why%20to%20let%20it%20search%20all%20users.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBased%20on%20the%20object%20type%20in%20my%20mind%20it%20is%20possible%20to%20do%20already.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2274250%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAPI%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Eoffice%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Super Contributor

Hi,

If I give permission to application, outside of our tenant, to run graph queries against our tenant. Then the next obvious question is: how to limit what the application can search from out tenant? I would like to limit for example:

- the attributes to be available only from the selected objects, if application need to see name and phone number, then why it should be able to list email addresses e.g.

- the users to be seen, based on our own criteria's. If application is need users only from Finland, then why to let it search all users.

 

Based on the object type in my mind it is possible to do already.

1 Reply
It depends. If the application requires Delegate permissions, it will only be able to access what the user who consented to it can. If the application uses App permissions, in most cases it gets unrestricted access to the entire tenant. You cannot scope it to individual attributes, it will be able to query everything allowed by the permission/scope. You cannot scope it to specific users/objects either.

That said, there are some workload-level controls you can use, though they only apply to objects from said workload. In Exchange, this is the application access policy control: https://practical365.com/application-access-policies-in-exchange-online/
Teams has Resource-specific consents: https://docs.microsoft.com/en-us/microsoftteams/platform/graph-api/rsc/resource-specific-consent
Controls for SPO/ODFB are still in preview/design.