If I give permission to an application outside of our tenant to run Graph queries against our tenant, then the next obvious question is: how to limit what the application can search from our tenant? I would like to limit, for example:
- the attributes to be available only from the selected objects: if the application needs to see name and phone number, then why should it be able to list email addresses, for example?
- the users to be seen, based on our own criteria. If the application needs users only from Finland, then why let it search all users?
Based on the object type, in my mind, it is already possible to do.
It depends. If the application requires Delegate permissions, it will only be able to access what the user who consented to it can. If the application uses App permissions, in most cases it gets unrestricted access to the entire tenant. You cannot scope it to individual attributes, it will be able to query everything allowed by the permission/scope. You cannot scope it to specific users/objects either.
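
To see which of the two cases in the answer above applies to a given application, a tenant admin can compare its delegated grants with its app role assignments. The following is an added example, not part of the original answer: the field names follow Microsoft Graph's `oauth2PermissionGrant` and `appRoleAssignment` resources, while all ids, the sample records and the function names are constructed placeholders.

```python
# Constructed sample records shaped like Microsoft Graph resources.
# All ids are placeholders, not real tenant output.
DELEGATED_GRANTS = [  # oauth2PermissionGrant objects
    {"clientId": "sp-external-app", "consentType": "Principal",
     "principalId": "user-alice", "scope": "User.Read User.ReadBasic.All"},
    {"clientId": "sp-external-app", "consentType": "AllPrincipals",
     "principalId": None, "scope": " User.Read"},
    {"clientId": "sp-other-app", "consentType": "Principal",
     "principalId": "user-bob", "scope": "Mail.Read"},
]
APP_ROLE_ASSIGNMENTS = [  # appRoleAssignment objects
    {"principalId": "sp-external-app", "resourceId": "sp-graph",
     "appRoleId": "role-0001"},
]
# appRoles published by the resource service principal (id -> value).
RESOURCE_APP_ROLES = {"sp-graph": {"role-0001": "User.Read.All"}}


def summarize_access(client_id, grants, assignments, roles):
    """Return (kind, permission, reach) tuples for one service principal."""
    findings = []
    for grant in grants:
        if grant["clientId"] != client_id:
            continue
        if grant["consentType"] == "AllPrincipals":
            reach = "any signed-in user, bounded by that user's own access"
        else:
            reach = f"user {grant['principalId']}, bounded by that user's own access"
        # The scope field is a space-separated list and may have a leading space.
        for scope in grant["scope"].split():
            findings.append(("delegated", scope, reach))
    for assignment in assignments:
        if assignment["principalId"] != client_id:
            continue
        role_names = roles.get(assignment["resourceId"], {})
        # Fall back to the raw id when the role definition is not known.
        name = role_names.get(assignment["appRoleId"], assignment["appRoleId"])
        findings.append(("application", name, "tenant-wide, no signed-in user"))
    return findings


def tenant_wide_permissions(findings):
    """App permissions are the ones that cannot be scoped to users or attributes."""
    return sorted(perm for kind, perm, _ in findings if kind == "application")


if __name__ == "__main__":
    for row in summarize_access("sp-external-app", DELEGATED_GRANTS,
                                APP_ROLE_ASSIGNMENTS, RESOURCE_APP_ROLES):
        print(row)
```
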