We have a web application that OAuth with Office 365 using Azure AD. We are trying to restrict the resources we have access to. Example: The authentication user have access to Site1, Site2 and Site3. We want to limit our application access to Site1 only. Does any one know if this is possible? I tried to go over Office 365, Azure AD and even Discovery API documentation, but I couldn't find anything helpful.
2 Answers
0
votes
Did you also register the site1, site2 and site3 on the Azure AD? If I understood correctly, we can config the app manifest for the site1, site2 and site 3 to set the require permission like below(refer to here)
"oauth2Permissions": [
{
"adminConsentDescription": "Allow the application full access to the Todo List service on behalf of the signed-in user",
"adminConsentDisplayName": "Have full access to the Todo List service",
"id": "b69ee3c9-c40d-4f2a-ac80-961cd1534e40",
"isEnabled": true,
"type": "User",
"userConsentDescription": "Allow the application full access to the todo service on your behalf",
"userConsentDisplayName": "Have full access to the todo service",
"value": "user_impersonation"
}
],
Then we need to assign the web app with right permission as the Microsoft build service like figure below:
The last step is that site1, site2, site3 need to verify whether the request has the permission to visit the resource via analyze the scope in the access token.
0
votes
In order to manage Authorization by user you should implement Role Base Access Control, in this link you will find an example using Azure AD https://github.com/Azure-Samples/active-directory-dotnet-webapp-roleclaims
