0
votes

I'm struggling to find out how to limit the permissions of an Azure app registration to call the Microsoft Graph APIs (for example to send emails). The email in this case must be sent in an unattended scenario (no user present) by an application.

To call Microsoft Graph APIs, consent must be granted for the entire organization by a Global Application Administrator. This is often a huge ask for an admin to consent to an app being able to send emails on behalf of any user in the entire org!

Is there a way to set up an app registration to be able to send emails by an application for only a specific email address? For example, can the app be allowed to send emails as [email protected] (unattended without a user), but not as any other user in the organization?

In other words, how can we set up an app registration to send emails through the Microsoft Graph API only as a particular user (i.e. a service account) without needing to grant the app permissions to send emails on behalf of any user in the entire organization? Is this possible?

1 Answer

0
votes

As @Glen Scales commented, this document can meet your needs.

Administrators who want to limit the app access to a specific set of mailboxes can use the New-ApplicationAccessPolicy PowerShell cmdlet to configure access control. This article covers the basic steps to configure an application access policy.

These steps are specific to Exchange Online resources and do not apply to other Microsoft Graph workloads.
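The procedure the answer points to, written out as an added example (this is not code from the original answer or from the linked Microsoft document). It assumes the Exchange Online Management module is installed, that the app registration has already been granted the application permission Mail.Send, and it uses placeholder values for the app ID, the mail-enabled security group and the service mailbox address; replace those with your own.

```powershell
# Added example: scope an app registration's Mail.Send permission to one mailbox
# with an Exchange Online application access policy.
# All identifiers below are placeholders, not values from the original post.

$AppId          = "00000000-0000-0000-0000-000000000000"   # app registration (client) ID
$ServiceMailbox = "[email protected]"                  # the only mailbox the app may send as
$OtherMailbox   = "[email protected]"                     # a mailbox the app must NOT be able to use
$ScopeGroupSmtp = "[email protected]"              # mail-enabled security group used as policy scope

# 1. Connect to Exchange Online (interactive admin sign-in).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# 2. The policy scope must be a mail-enabled security group, so create one
#    and put only the service mailbox in it.
New-DistributionGroup -Name "App Mail Scope" `
                      -Type Security `
                      -PrimarySmtpAddress $ScopeGroupSmtp | Out-Null

Add-DistributionGroupMember -Identity $ScopeGroupSmtp -Member $ServiceMailbox

# 3. Restrict the app to the mailboxes in that group. With RestrictAccess the
#    app's Mail.Send (or other Exchange) application permission only works against
#    members of the group; every other mailbox is denied at the Exchange Online layer.
New-ApplicationAccessPolicy -AppId $AppId `
                            -PolicyScopeGroupId $ScopeGroupSmtp `
                            -AccessRight RestrictAccess `
                            -Description "Allow app to send only as the service mailbox"

# 4. Verify the effective result for the allowed mailbox and a denied one.
#    AccessCheckResult should read Granted for the service mailbox and Denied for any other.
$allowed = Test-ApplicationAccessPolicy -Identity $ServiceMailbox -AppId $AppId
$denied  = Test-ApplicationAccessPolicy -Identity $OtherMailbox   -AppId $AppId

"{0,-35} {1}" -f $ServiceMailbox, $allowed.AccessCheckResult
"{0,-35} {1}" -f $OtherMailbox,   $denied.AccessCheckResult

# Optional: list the policies that apply to this app to confirm the configuration.
Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId } |
    Format-List AppId, ScopeIdentity, AccessRight, Description

Disconnect-ExchangeOnline -Confirm:$false
```

Two practical points to keep in mind: the tenant-wide consent to Mail.Send is still what the app holds in Entra ID, and the application access policy is an Exchange Online enforcement layer on top of it, so an admin reviewing the app in the Entra portal will not see the narrowed scope there; and, as the quoted document notes, this mechanism covers only Exchange Online resources (mail, calendar, contacts), not other Microsoft Graph workloads. After creating or changing a policy, run Test-ApplicationAccessPolicy again rather than assuming the change is live immediately.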