Can Microsoft Graph App Only Permissions be restricted?

Question

I am developing an app to manage room bookings via Microsoft Graph. In the end, the app needs to read and cancel meetings that are booked into a certain room resource account.

Unfortunately, there is only the permission Calendars.ReadWrite which gives the app permissions to read and write every users calendar in the tenant, including private appointments.

I have not found any possibility to restrict the permissions or specify them more granular.

Does anyone know how to deal with this? (Or do I have to fall back again to service accounts and the old exchange web services, where I can give granular permissions to that service account?)

Thanks a lot in advance!

Answer 1

You can now restrict the calendar/mailbox access an app will have using the New-ApplicationAccessPolicy PowerShell cmdlet. Using this you set the application up to use application permissions and then create an application access policy to limit the scope of these permissions.

There's an easy to follow guide on MS docs on how to set this up:

MS docs limit mailbox access

Answer 2

Application permissions imply the full the level of privileges of that scope, referenced here. If you are scoping this specific mailboxes/calendars, you use delegated permissions with a functional account that has delegated permissions on those resources. We've had to do that before. It sucks, but that is the nature of App Permissions versus Delegate.

If you have are trying to script this, you could try the "client_secret_post" authentication method for the token acquisition mentioned here and in more detail with the OpenID Connect Spec and the OAuth 2.0 Spec.