Restricting Microsoft Graph (or Azure AD Graph) read permissions

0
votes

Further to the question raised here

Get all user properties from microsoft graph

Yes, I can obtain full user profile data using the graph query but from the perspective of the tenant, can I restrict the graph query to only be able to access the basic profile data?

Azure AD graph has delegated permissions for user.readBasic.all which restricts this. We have a 3rd party app that accesses the Azure directory to retrieve basic data to set up accounts in its user directory and we need to restrict this to the basic data due to the security risk. We cannot rely on the 3rd party just doing the right thing all the time.

So I need a way to set the app to allow app permissions (not delegated as the read occurs every 4 hours without human involvement) for user.readBasic.all.

1
azure-active-directorymicrosoft-graph-api

1 Answers

0
votes

If you want restrict the returned field from the "user.readBasic.all", the best way is you implement a custom handler(API/Service and so on). No directly official channel to do this now. (user.readBasic allows the app to read the full profile of the signed-in user, because after the user sign-in it means he has authorized the APP to get his information.)

You can check the blog for graph permission for here: https://blogs.msdn.microsoft.com/aaddevsup/2018/05/21/finding-the-correct-permissions-for-a-microsoft-or-azure-active-directory-graph-call/

And for the detail of the "user.readBasic.all" you have pointed from official link(https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference#user-permissions) Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address, open extensions and photo. Also allows the app to read the full profile of the signed-in user.