Is it possible to grant an application being registered with an Azure Active Directory (tenant) permission to view some, but not all, groups?
There's the Groups.Read.All permission, but the customers of the application in question don't wish to expose all groups (and users) in the AD to the application.
Potentially, having some group of groups that the application can view, or similar (a puppet user in all relevant groups?) might work, but it would be nice to be able to specify a subset of the AD to grant access to.
Application roles are not in use, as one of the selling points of the application is the ability to dynamically create roles, and as far as I know, this isn't possible. The purpose of these groups is for authorization, and it would be advantageous for the customer to manage group membership directly in Azure AD, not only in the application.
As a concrete example, how can an application integration be configured during registration with a customer's Azure AD such that it has access to groups D, E, and F (that are elements in group C), but not be aware of groups G or H (not in C)?
Ideally, a user A could be a member of all the groups, and the application wouldn't be aware of G or H.
Thanks!