Restricting Groups that are shared with apps

Copper Contributor

Hi, 

 

I am authorizing some app providers to access my school data via SDS. But I do not need to share all my groups with them, I only want to share the groups that are required to use the particular app. 

How is it possible for me to perform this kind of limitation when I am sharing my section/group data with app partners. Can I have some steps to follow to perform this?

 

Thanks

J.

3 Replies

The way School Data Sync is architected, once the data from your SIS is added to the information about the user / groups created in Azure Active Directory (AAD), then that information is there and available to the apps that you allow to access AAD.  There is currently no provision for only giving apps access to certain parts of AAD, or certain information in AAD.

For most scenarios, the main concern is you don't want user or group information exposed to the users of the apps using the data.  That is, the app itself can be trusted, but you might not want the users of that app to have information about the users or the groups in AAD.  The groups SDS creates in AAD are private, so as long as the app is using the SSO APIs, then users of that app would only be able to see / participate in the groups to which they belong, and not other private groups.  

 

I hope this helps,

 

Matt McGinnis

One more point to add:

While it is "all or noting" accessing groups in Azure Active Directory & Office Graph, there are permissions you can restrict that are documented here.

https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference

 

Hopefully this will add additional detail useful to you.

 

Thanks,

 

Matt

Thanks Matt for the reply.

 

Unfortunately, this is not going to help in our scenario. Yes, we have restricted what the app can access in our AAD data but we also want to limit the number of users in our side accessing the app for licensing (and other) reasons. 

For example, if we have 2 groups with 5 users each and we have only 5 licenses for the app in question, we are thinking if we can allow the 5 users who have licenses be in one group and then share only that group information to be available for that particular app.

 

Is there a way that we can identify the groups to the app via a custom property or a tag, so that we can discuss how we can specify a way the app can identify a group that is meant for them and to ignore any groups without the said tag?