Pascal R.

Reputation: 2323

How to scope a specific Graph API permission to a specific user or mailbox

According to Microsoft Docs, there is a way to scope Graph API application permissions to specific users / mailboxes with a command like this:

New-ApplicationAccessPolicy -AppId e7e4dbfc-046f-4074-9b3b-2ae8f144f59b -PolicyScopeGroupId EvenUsers@contoso.com -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group EvenUsers."

In this case, the application can use all its allowed application permissions (e.g. Mail.Send, Calendars.Read) on the members of the group EvenUsers.

But what if I want to scope a specific permission to a specific group? For example, the application is allowed to send mails as users in group X and is allowed to read the calendars of the users in group Y but not vice versa.

Is this possible?

Upvotes: 1

Views: 831

Answers (1)

Dev

Reputation: 2464

  • As far as I know, it's applicable to specific users or mailboxes; I have not heard of it for groups (see comment)
  • Still, if you think you need such granular permissions, consider filing a UserVoice or upvoting the related ones, so Microsoft can consider implementing it. The closest UserVoice I remember is this.

Upvotes: 1
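An added example, not part of the question or the answer above: the policy in the question is keyed on `-AppId` and has no per-permission parameter, so one way to get a per-permission scope is to split the permissions across two app registrations and give each its own policy. The two AppIds, the groups GroupX/GroupY and the test mailboxes are constructed placeholders, and the split into two registrations is an assumption of this example.

```powershell
# Added example. Assumes an Exchange Online PowerShell session is already
# connected (Connect-ExchangeOnline). All IDs, groups and mailboxes below
# are constructed placeholders, not values from the original post.

# Assumption: two separate app registrations, each consented for one permission only.
$mailSenderAppId     = '00000000-0000-0000-0000-00000000000a'  # granted only Mail.Send
$calendarReaderAppId = '00000000-0000-0000-0000-00000000000b'  # granted only Calendars.Read

# One policy per registration, each restricted to a different group.
New-ApplicationAccessPolicy -AppId $mailSenderAppId `
    -PolicyScopeGroupId 'GroupX@contoso.com' -AccessRight RestrictAccess `
    -Description 'Mail.Send app: members of GroupX only.'

New-ApplicationAccessPolicy -AppId $calendarReaderAppId `
    -PolicyScopeGroupId 'GroupY@contoso.com' -AccessRight RestrictAccess `
    -Description 'Calendars.Read app: members of GroupY only.'

# Verify both directions: each app must be granted inside its own group
# and denied in the other group.
$checks = @(
    @{ AppId = $mailSenderAppId;     Mailbox = 'user.in.x@contoso.com'; Expected = 'Granted' }
    @{ AppId = $mailSenderAppId;     Mailbox = 'user.in.y@contoso.com'; Expected = 'Denied'  }
    @{ AppId = $calendarReaderAppId; Mailbox = 'user.in.y@contoso.com'; Expected = 'Granted' }
    @{ AppId = $calendarReaderAppId; Mailbox = 'user.in.x@contoso.com'; Expected = 'Denied'  }
)

foreach ($check in $checks) {
    $result = Test-ApplicationAccessPolicy -AppId $check.AppId -Identity $check.Mailbox
    [pscustomobject]@{
        AppId    = $check.AppId
        Mailbox  = $check.Mailbox
        Expected = $check.Expected
        Actual   = $result.AccessCheckResult
        Ok       = ("$($result.AccessCheckResult)" -eq $check.Expected)
    }
}

# Review what is currently in place for each registration.
Get-ApplicationAccessPolicy |
    Where-Object { $_.AppId -in $mailSenderAppId, $calendarReaderAppId } |
    Format-Table AppId, ScopeName, AccessRight, Description
```

Any row with `Ok` equal to `False` means the scope is wider or narrower than intended; a newly created policy can take some time to take effect, so repeat the check before relying on it.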
