How to Set Up Granular Permissions for App Registrations?

Asked By CuriousCoder42

I'm trying to figure out how to create app registrations with more granular permissions rather than giving blanket access to all users or mailboxes. I understand that using mail-enabled security groups is one approach, but that only handles mail permissions. I'm interested in how to set granular permissions for other services, like the DeviceManagementService. Any advice on how to tackle this?

4 Answers

Answered By DevGuru88

If you're looking at achieving least privilege for your app registrations, it often requires using separate SaaS apps and client IDs for specific permissions. Unfortunately, most app and development teams create a single app with all the permissions because the roles aren’t well defined in their applications. If granular permissions are essential, you might have to create new apps tailored to specific Graph permissions.

Answered By SecuritySavvy

Don’t forget about using conditional access! It can help you regulate how permissions are applied and ensure that access remains secure.

Answered By TechieTommy

When it comes to App Registrations, most Microsoft Graph application permissions tend to be tenant-wide. While there are a few exceptions, like SharePoint which allows for some granularity with Sites.Selected for specific sites, options are limited for other services. Unfortunately, it seems that Intune for DeviceManagementService does not provide granular permission settings either.
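
Putting DevGuru88's "one app per job" advice and TechieTommy's Sites.Selected exception together, here is an added example (not code from any of the posters) that registers a separate app carrying only the Sites.Selected application permission, grants admin consent, and then scopes it to a single SharePoint site. It assumes the Microsoft Graph PowerShell SDK is installed and the caller holds Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All and Sites.FullControl.All; the app name "finance-site-reader" and the site contoso.sharepoint.com/sites/Finance are placeholders.

```powershell
# Added example: a narrowly scoped app registration limited to one SharePoint site.
# Assumptions (not from the thread): Microsoft Graph PowerShell SDK installed; the
# signed-in admin can create apps, grant app roles and manage site permissions;
# "finance-site-reader" and contoso.sharepoint.com/sites/Finance are placeholders.

Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All", "Sites.FullControl.All"

# Microsoft Graph's well-known application (client) ID. Look up its service principal
# in this tenant so app role IDs are resolved by name rather than hardcoded.
$graphAppId = "00000003-0000-0000-c000-000000000000"
$graphSp    = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"

# Resolve the Sites.Selected *application* permission (an app role, consented by an admin).
$sitesSelected = $graphSp.AppRoles |
    Where-Object { $_.Value -eq "Sites.Selected" -and $_.AllowedMemberTypes -contains "Application" }
if (-not $sitesSelected) { throw "Sites.Selected app role not found on the Graph service principal" }

# 1. A dedicated app registration that requests only this one permission.
$app = New-MgApplication -DisplayName "finance-site-reader" -SignInAudience "AzureADMyOrg" `
    -RequiredResourceAccess @(
        @{
            ResourceAppId  = $graphAppId
            ResourceAccess = @( @{ Id = $sitesSelected.Id; Type = "Role" } )
        }
    )

# 2. The service principal that represents the app in this tenant.
$sp = New-MgServicePrincipal -AppId $app.AppId

# 3. Tenant-wide admin consent for the app role (what the portal's
#    "Grant admin consent" button does for application permissions).
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id `
    -PrincipalId $sp.Id -ResourceId $graphSp.Id -AppRoleId $sitesSelected.Id | Out-Null

# 4. Sites.Selected by itself grants access to no site at all. Grant read on exactly one.
$site  = Get-MgSite -SiteId "contoso.sharepoint.com:/sites/Finance"   # placeholder site
$grant = @{
    roles               = @("read")    # "write" or "fullcontrol" only if the job needs it
    grantedToIdentities = @(
        @{ application = @{ id = $app.AppId; displayName = $app.DisplayName } }
    )
}
New-MgSitePermission -SiteId $site.Id -BodyParameter $grant

# 5. Check: the app should be listed on this site's permissions, and on no other site.
Get-MgSitePermission -SiteId $site.Id |
    Where-Object { $_.GrantedToIdentitiesV2.Application.Id -eq $app.AppId } |
    Select-Object Id, Roles
```

Because the granting step is per site, the same app can be given access to a second site only by repeating step 4 for it, which is exactly the control TechieTommy describes as missing for Intune. For mailboxes the Exchange Online equivalent of step 4 is New-ApplicationAccessPolicy scoped to a mail-enabled security group, the approach the question already mentions.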

Answered By UserRightsWatcher

The permissions associated with an access token request are tied to the User Principal, meaning the granularity is influenced by the token's scope. Just keep in mind that the permissions of the User Principal are what will ultimately dictate what can be accessed in the target resource.
