1
votes

We are using AD-deployed daemon applications that have full read/write access to users' calendars in Office 365 to get meeting notifications from the Graph API. We have moved away from EWS because of constant issues and Microsoft deprecating its use.

There does not currently seem to be a way of restricting the scope of the Office 365 Calendar.ReadWrite permission from the organization level down to a group or user.

Fortune 500 customers are worried that our application has access to all sensitive data inside their mailboxes and are not ready to provide admin consent for the Calendar.ReadWrite permission. I have explained all the security measures that are in place, such as the use of certificates for application identity when registering the service in AD, the admin consent requirement before we can access calendars and get/set information, and the fact that communication is secure because it goes from the Office 365 Graph API hosted in Azure to our application, which is also hosted in Azure.

As AD admins they can decline consent to the application at any time, but clients think that would be too late in case of a security incident.

Still, such organizations are reluctant.

Is there any way to restrict the scope of the Calendar.ReadWrite permission?

Can we audit MS Graph API calls for a specific user mailbox by using the Office 365 Management APIs?

Can we disable MS Graph API calls for a specific user mailbox, similar to the way EWS has the EWSEnabled property on the mailbox?

Is there any policy that I can set under the Security and Compliance admin section of Office 365 to better control such applications from the Exchange admin side?

1

1 Answer

4
votes

> Can we disable MS Graph API calls for a specific user mailbox, similar to the way EWS has the EWSEnabled property on the mailbox?

Yes. An Application Access Policy can be used by an Exchange admin to restrict an application to a specific mailbox or security group.


Requests against restricted mailboxes return an error message (screenshot omitted).
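The following Exchange Online PowerShell session is an added example of the approach the answer describes; it is not code from the original answer. It assumes the Exchange Online Management module is installed, that the application ID and the mail-enabled security group address are placeholders you replace with your own values, and that `RestrictAccess` (the app may reach only the mailboxes in the group) is the intended access right rather than `DenyAccess`.

```powershell
# Added example: scope a Graph daemon app's Calendar.ReadWrite access to one
# mail-enabled security group using an Application Access Policy.
# Requires the ExchangeOnlineManagement module and an Exchange admin account.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # placeholder admin UPN

# Placeholders: the Azure AD application (client) ID of the daemon app and the
# mail-enabled security group whose members the app is allowed to access.
$appId        = '00000000-0000-0000-0000-000000000000'
$allowedGroup = 'calendar-app-allowed@contoso.example'

# RestrictAccess: the app can only access mailboxes that are members of the group.
# Everything else in the tenant is denied, even though tenant-wide admin consent
# was granted to Calendar.ReadWrite.
New-ApplicationAccessPolicy `
    -AppId $appId `
    -PolicyScopeGroupId $allowedGroup `
    -AccessRight RestrictAccess `
    -Description 'Calendar daemon app limited to the allowed-mailboxes group'

# Review the policies currently in force for this application.
Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $appId } |
    Format-List AppId, ScopeName, AccessRight, Description

# Verify the effect for a mailbox inside and one outside the group. The
# AccessCheckResult property reads Granted or Denied. Policy changes can take up
# to 30 minutes to propagate, so re-run this check if the result looks stale.
$inScope  = 'alice@contoso.example'   # placeholder: member of $allowedGroup
$outScope = 'bob@contoso.example'     # placeholder: not a member
Test-ApplicationAccessPolicy -Identity $inScope  -AppId $appId | Select-Object Identity, AccessCheckResult
Test-ApplicationAccessPolicy -Identity $outScope -AppId $appId | Select-Object Identity, AccessCheckResult

Disconnect-ExchangeOnline -Confirm:$false
```

Application Access Policies apply to the Outlook resources exposed through Graph (mail, calendar, contacts), which is why they answer the EWSEnabled question for Graph. Once the policy is in place, a call from the app against a mailbox outside the group fails with an access-denied error from Graph, which is the response the answer refers to.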