Reputation: 1108
Limit access to groups or individual mailboxes using a service application in Azure Ad
I have an Azure integrated service application (daemon app) with permissions to the Microsoft graph api, I can now read all the mailboxes for the entire company, which is awesome but might raise some concerns with the business management. We use Outlook in Office 365.Is there a way to specify mailboxes that the app can have access to instead of having access to all mailboxes/users.
Upvotes: 3
Views: 1863
Answers (2)
Reputation: 51
This Microsoft doc appears to give the answer Scoping application permissions to specific Exchange Online mailboxes https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access
Administrators who want to limit the app access to a specific set of mailboxes can use the New-ApplicationAccessPolicy PowerShell cmdlet to configure access control. This article covers the basic steps to configure an application access policy.
Upvotes: 5
Reputation: 14649
The daemon app which use the client credential to acquire the access token.
The client credential flow is used to as an authorization grant typically when the client is acting on its own behalf. And it is not able to specify mailboxes that the app can have access.
You can achieve this by implement the business logic in the daemon app.
Upvotes: 1
Related Questions
- Microsoft Graph Outlook application permissions for a particular mailbox only
- Restrict access to AD application, using AD group via Azure Portal
- How to restrict mailbox access for office 365 app
- Microsoft GRAPH api - restrict user access
- Is there any way to restrict app-only permission for Graph API in Azure AD to a certain group of people?
- How to restrict mailbox access in azure active directory application
- Scopes to query group mailbox via Microsoft Graph
- Can I grant limited mailbox access to an app-only application?
- Restrict Microsoft app access to MS Graph emails for a single user
- Create a mail enabled security group with graph api