We have a big organization spread across different locations and some of them want to grant permissions for applications in Azure AD which request access to read and manage email data. Is there any way to only allow the application to access a specific set of users based on a security group or attribute?
Now the application gets access to "Read and write mail in all mailboxes", which is a big security concern for our organization.
Screenshot for application API permissions
As far as I know, Microsoft Graph application permissions can't be limited; they apply to the entire tenant. But we can use the New-ApplicationAccessPolicy command, as juunas suggested, to restrict your app to target mailboxes.
New-ApplicationAccessPolicy -AccessRight RestrictAccess -AppId "{appID}" -PolicyScopeGroupId [email protected] -Description "Restrict this app to members of security group EvenUsers."
To create a mail-enabled security group, you can log in to this page and refer to this tutorial. Put the specific set of users into the security group; then your app will only be granted access to the data of that specific set of users.
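The whole procedure from the answer above, end to end in Exchange Online PowerShell, as an added example that is not part of the original answer: create the mail-enabled security group, populate it, scope the app with New-ApplicationAccessPolicy, and then confirm the scoping with Test-ApplicationAccessPolicy rather than trusting the Azure AD consent screen (which will still show the tenant-wide permission). The app ID, the group name EvenUsers, the contoso.com addresses and the admin account are all hypothetical placeholders.

```powershell
# Added example, not from the original answer. Requires the ExchangeOnlineManagement
# module (Install-Module ExchangeOnlineManagement, once, as an administrator).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName "admin@contoso.com"   # placeholder admin account

$appId     = "00000000-0000-0000-0000-000000000000"   # hypothetical Azure AD application (client) ID
$groupName = "EvenUsers"                               # hypothetical mail-enabled security group
$groupSmtp = "EvenUsers@contoso.com"                   # hypothetical primary SMTP address of that group

# 1. Create the mail-enabled security group if it does not exist yet.
#    -Type Security makes it a mail-enabled security group rather than a plain distribution list;
#    only mail-enabled security groups are accepted as a policy scope.
if (-not (Get-DistributionGroup -Identity $groupSmtp -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $groupName -Type Security -PrimarySmtpAddress $groupSmtp | Out-Null
}

# 2. Add the mailboxes the app is allowed to read and write (placeholder users).
foreach ($member in @("alice@contoso.com", "bob@contoso.com")) {
    Add-DistributionGroupMember -Identity $groupSmtp -Member $member -ErrorAction SilentlyContinue
}

# 3. Scope the app to the group.
#    RestrictAccess = the app may touch ONLY these mailboxes.
#    DenyAccess     = the app may touch every mailbox EXCEPT these (the inverse; not what we want here).
New-ApplicationAccessPolicy -AccessRight RestrictAccess -AppId $appId `
    -PolicyScopeGroupId $groupSmtp `
    -Description "Restrict this app to members of security group $groupName"

# 4. Verify from Exchange's side. AccessCheckResult should be Granted for a group member
#    and Denied for anyone else. Policy changes can take up to roughly 30 minutes to propagate,
#    so a fresh policy may still report Granted for non-members for a while.
Test-ApplicationAccessPolicy -Identity "alice@contoso.com" -AppId $appId |
    Select-Object Mailbox, AccessCheckResult      # expected: Granted (member)
Test-ApplicationAccessPolicy -Identity "carol@contoso.com" -AppId $appId |
    Select-Object Mailbox, AccessCheckResult      # expected: Denied (not a member)

# 5. Review every policy in force for the tenant (useful for periodic access reviews).
Get-ApplicationAccessPolicy | Format-Table AppId, ScopeName, AccessRight, Description
```

Two caveats worth knowing before relying on this. First, application access policies only constrain the Exchange Online resources (mail, mailbox settings, calendar and contacts via Graph application permissions, and EWS with full_access_as_app); they do nothing for delegated permissions or for other Graph workloads, so an app that also holds, say, Directory.Read.All is still tenant-wide there. Second, the policy is enforced in Exchange, not in Azure AD: the app registration keeps its Mail.ReadWrite grant, so anyone auditing permissions in the Azure portal alone will still see "all mailboxes" and should check Get-ApplicationAccessPolicy as well.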