2
votes

Is it possible to grant an application being registered with an Azure Active Directory (tenant) permission to view some, but not all, groups? There's the Groups.Read.All permission, but the customers of the application in question don't wish to expose all groups (and users) in the AD to the application.

Potentially, having some group of groups that the application can view, or similar (a puppet user in all relevant groups?) might work, but it would be nice to be able to specify a subset of the AD to grant access to.

Application roles are not in use, as one of the selling points of the application is the ability to dynamically create roles, and as far as I know, this isn't possible. The purpose of these groups is for authorization, and it would be advantageous for the customer to manage group membership directly in Azure AD, not only in the application.

As a concrete example, how can an application integration be configured during registration with a customer's Azure AD such that it has access to groups D, E, and F (that are elements in group C), but not be aware of groups G or H (not in C)? Ideally, a user A could be a member of all the groups, and the application wouldn't be aware of G or H.

thanks!

1
AFAIK, you can't limit the set of groups the app can view. If there were a permission like the one for apps, which allows an app to create other apps and manage those apps, then the app could create the groups by itself but be unable to manage any other groups. If an app could be assigned as an owner of a group, this might also be possible, but it does not seem possible :(
juunas

1 Answers

1
votes

There is no way to limit access to the metadata for all the Groups (i.e. reading the group names, membership roles, etc.). This shouldn't, however, be confused with access to the contents of a Group. The Groups.Read.All scope will only return a group's content if the authenticated user has permission to access it.

For example, I can read the properties for a Group using /v1.0/groups/{id} but if I'm not a member (or owner) of that Group, I will get an exception if I attempt to call /v1.0/groups/{id}/conversations:

{
    "error": {
        "code": "ErrorAccessDenied",
        "message": "Access is denied. Check credentials and try again.",
        "innerError": {
            "request-id": "1eab6eea-d666-46e8-926a-922f34dd4b51",
            "date": "2018-06-08T20:47:58"
        }
    }
}
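The behaviour described in this answer, as an added example that is not part of the original answer or of any Microsoft library: a small client that reads a group's metadata, then tries `/conversations` and classifies an `ErrorAccessDenied` body of the shape quoted above as "content denied" rather than a general failure. It also shows the application-side counterpart to the question's "group of groups" idea: enumerating the nested groups of a customer-chosen parent C via the Graph `transitiveMembers` endpoint and using that set as an allowlist, so the application only acts on D, E and F even though Groups.Read.All still exposes G and H. The transport is faked with constructed data so it runs offline; all group and user IDs, the request-id, and the `fake_graph` function are constructed stand-ins, not real tenant values.

```python
from typing import Callable, Dict, List, Optional, Tuple

# All IDs and responses below are constructed stand-ins for Microsoft Graph data.
GROUP_C, GROUP_D, GROUP_E, GROUP_F, GROUP_G = "grp-C", "grp-D", "grp-E", "grp-F", "grp-G"

# Error body shaped like the one quoted in the answer above (request-id constructed).
ACCESS_DENIED = {
    "error": {
        "code": "ErrorAccessDenied",
        "message": "Access is denied. Check credentials and try again.",
        "innerError": {"request-id": "constructed-request-id", "date": "2018-06-08T20:47:58"},
    }
}

# Constructed directory: every group's metadata is readable (Groups.Read.All),
# but conversations are only readable for groups the signed-in user belongs to.
GROUPS = {
    GROUP_C: {"id": GROUP_C, "displayName": "C (parent)"},
    GROUP_D: {"id": GROUP_D, "displayName": "D"},
    GROUP_E: {"id": GROUP_E, "displayName": "E"},
    GROUP_F: {"id": GROUP_F, "displayName": "F"},
    GROUP_G: {"id": GROUP_G, "displayName": "G (outside C)"},
}
# What /groups/{C}/transitiveMembers would return: nested groups D, E, F plus a user.
TRANSITIVE_MEMBERS_OF_C = [
    {"@odata.type": "#microsoft.graph.group", "id": GROUP_D},
    {"@odata.type": "#microsoft.graph.group", "id": GROUP_E},
    {"@odata.type": "#microsoft.graph.group", "id": GROUP_F},
    {"@odata.type": "#microsoft.graph.user", "id": "user-A"},
]
USER_MEMBER_OF = {GROUP_D}  # the signed-in user is a member of D only

Fetcher = Callable[[str], Tuple[int, dict]]  # path -> (HTTP status, JSON body)


def fake_graph(path: str) -> Tuple[int, dict]:
    """Constructed transport that mimics the behaviour the answer describes."""
    parts = path.strip("/").split("/")  # ['v1.0', 'groups', '<id>', ...]
    if len(parts) >= 3 and parts[1] == "groups" and parts[2] in GROUPS:
        gid = parts[2]
        if len(parts) == 3:
            return 200, GROUPS[gid]  # metadata is visible for every group
        if parts[3] == "transitiveMembers" and gid == GROUP_C:
            return 200, {"value": TRANSITIVE_MEMBERS_OF_C}
        if parts[3] == "conversations":
            return (200, {"value": []}) if gid in USER_MEMBER_OF else (403, ACCESS_DENIED)
    return 404, {"error": {"code": "Request_ResourceNotFound", "message": "Not found"}}


def graph_error_code(body: dict) -> Optional[str]:
    """Pull error.code out of a Graph error payload, or None if it is not one."""
    err = body.get("error") if isinstance(body, dict) else None
    return err.get("code") if isinstance(err, dict) else None


def probe_group(fetch: Fetcher, group_id: str) -> Dict[str, object]:
    """Read metadata, then attempt a content read, and classify the outcome."""
    status, body = fetch(f"/v1.0/groups/{group_id}")
    if status != 200:
        return {"metadata": None, "content": "unknown", "error": graph_error_code(body)}
    result: Dict[str, object] = {"metadata": body, "content": "granted", "error": None}
    status, body = fetch(f"/v1.0/groups/{group_id}/conversations")
    if status != 200:
        code = graph_error_code(body)
        # ErrorAccessDenied on content after a successful metadata read means
        # "not a member or owner", not a broken token or missing permission.
        result["content"] = "denied" if code == "ErrorAccessDenied" else "unknown"
        result["error"] = code
    return result


def groups_under(fetch: Fetcher, parent_id: str) -> List[str]:
    """Application-side allowlist: nested groups of a parent via transitiveMembers."""
    status, body = fetch(f"/v1.0/groups/{parent_id}/transitiveMembers")
    if status != 200:
        return []
    return [m["id"] for m in body.get("value", [])
            if m.get("@odata.type") == "#microsoft.graph.group"]


def authorization_groups(fetch: Fetcher, parent_id: str, user_group_ids: List[str]) -> List[str]:
    """Keep only the user's groups that sit under the parent the customer chose."""
    allowed = set(groups_under(fetch, parent_id))
    return [g for g in user_group_ids if g in allowed]


if __name__ == "__main__":
    print(probe_group(fake_graph, GROUP_D))  # content granted: user is a member
    print(probe_group(fake_graph, GROUP_E))  # metadata readable, content denied
    print(authorization_groups(fake_graph, GROUP_C, [GROUP_D, GROUP_E, GROUP_G]))  # G dropped
```

The allowlist is enforced by the application, not by the directory: with Groups.Read.All the app can still list G and H, which is exactly the limitation the comment and answer describe. What the filter buys is that group-based authorization decisions inside the app are confined to the subtree the customer manages under C, and membership changes made in Azure AD flow through without the app defining roles of its own.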