Reputation: 475
It seems to me that when you give an application application-level permissions (administrator consented), the application has free rein over every user in the tenant that approved it.
I want Mail.Read, Mail.ReadWrite, and Mail.Send permissions in my tenant for my application, but I want to whitelist the users I can access mail for. Or, inversely, I want to blacklist certain sensitive users (Human Resources, C-level executives) so that if the application should ever somehow become compromised, it cannot be exploited to read/write/send mail for those individuals.
Is this possible, somehow?
Upvotes: 0
Views: 62
Reputation: 58898
Like Wayne Yang said in the comment, this basically cannot be done.
App permissions are always tenant-wide permissions.
If you want to limit them, you must use delegated permissions. This means each user who you want to allow needs to log in, and then your app can get a refresh token for that user. This refresh token can then be used for almost permanent access to that user's mail.
Of course if the refresh token gets revoked the user needs to log in again. This can happen due to password resets for example.
If things will break and large amounts of money will be lost if access to the mail is lost, then you really need to use app permissions.
Upvotes: 1
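As an added practitioner's note (not part of the original question or answer): the mailbox-level whitelist/blacklist the question asks for is available in Exchange Online through application access policies. These policies scope an app registration's *application* permissions for the Mail.*, MailboxSettings.*, Calendars.* and Contacts.* families to the members of a mail-enabled security group (or distribution group); Graph calls against any other mailbox fail even though the tenant-wide permission was consented. The app ID, group addresses and mailbox below are placeholders, and the script assumes the ExchangeOnlineManagement module and an Exchange administrator session.

```powershell
# Added example: restrict an app's Mail.* application permissions to a subset of mailboxes
# with Exchange Online application access policies (New-ApplicationAccessPolicy).
# Assumptions: ExchangeOnlineManagement module installed, Exchange admin rights,
# placeholder app ID / group addresses / mailbox replaced with your own.
Connect-ExchangeOnline

$appId = '00000000-0000-0000-0000-000000000000'   # placeholder: client ID of the app registration

# Approach A (whitelist): the app may only reach mailboxes that are members of this
# mail-enabled security group; every other mailbox in the tenant is denied.
New-ApplicationAccessPolicy -AppId $appId `
    -PolicyScopeGroupId 'MailAppAllowed@contoso.com' `   # placeholder group
    -AccessRight RestrictAccess `
    -Description 'Mail app: allowed mailboxes only'

# Approach B (blacklist): leave the app tenant-wide but deny it for a group holding
# the sensitive mailboxes (HR, executives). Use A or B, not both, to keep the
# effective policy easy to reason about.
New-ApplicationAccessPolicy -AppId $appId `
    -PolicyScopeGroupId 'MailAppDenied@contoso.com' `    # placeholder group
    -AccessRight DenyAccess `
    -Description 'Mail app: block sensitive mailboxes'

# Always verify the effective decision for a concrete mailbox before relying on the policy.
# The output's AccessCheckResult shows Granted or Denied for that mailbox/app pair.
Test-ApplicationAccessPolicy -Identity 'ceo@contoso.com' -AppId $appId   # placeholder mailbox

# Review every policy currently in force in the tenant.
Get-ApplicationAccessPolicy
```

Two caveats worth knowing: policy changes propagate asynchronously (Microsoft documents a delay of up to about 30 minutes), so run Test-ApplicationAccessPolicy after waiting rather than immediately, and the policy only constrains the listed application-permission families; it does nothing for delegated permissions or for other Graph workloads, so it complements rather than replaces the delegated-permission approach described in the answer.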