Managing Excessive Permissions with Graph API in Azure

Asked By TechExplorer23 On

I'm dealing with an issue regarding Graph API permissions, specifically the User.Read.All scope, which allows apps to access all users in a tenant without the ability to limit to specific departments, attributes, groups, or properties. The existing .Selected scopes work for SharePoint but not for core directory resources. Has anyone implemented or seen a need for a broker-based approach? I'm thinking of a middle-layer app registered in Entra ID that could provide fine-grained scopes (like Users.Read.Department-HR) and manage Graph calls for other apps. I'd love to hear your thoughts on this!

4 Answers

Answered By AppExpert89 On

Just a heads up—there's an important difference between Application and Delegated permissions. Application permissions can access all users in the tenant with no user-context. But Delegated permissions are scoped to what the signed-in user can access based on their roles and group memberships when using User.Read.All in that context.

Answered By DataGuard789 On

For the User.Read.All issue? I haven't messed with creating a middle-man application for adding granular scopes. Instead, I rely on Restricted Administrative Units for highly sensitive accounts to manage permissions effectively. But I feel that if I'm hesitant about deploying an app with a Directory Reader role, maybe it’s best to skip it altogether.

Answered By PermissionPatrol56 On

This is definitely a growing issue with more tools leaning on Graph. What works for us is regularly exporting our service principals and Graph permissions and highlighting anything with too broad access, such as Directory.ReadWrite.All. Seeing this in a report makes it clearer to discuss whether those permissions are really necessary. We also do a quick review of new app registrations before they launch, which helps prevent the risk of giving everything wide-ranging permissions.

Answered By RiskAnalyzer101 On

You might want to check out some governance features if you have the right licensing. There’s a resource I found that discusses managing app permissions: https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance#app-governance-features. It’s wise to take a risk-based view on permissions. Classify permissions as 'privileged' or sensitive and assign risk levels; for instance, Directory.ReadWrite.All is super risky and shouldn't be assigned to any app. On the other hand, read permissions shouldn’t be a big issue unless you're dealing with PII.
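The export-and-highlight review PermissionPatrol56 describes, combined with the risk-level classification RiskAnalyzer101 suggests and the Application/Delegated distinction AppExpert89 raises, can be scripted. The following is an added example written for this thread, not code from any of the posters or from Microsoft. It works offline on constructed data shaped like the Graph `servicePrincipals`, `appRoleAssignments` (application permissions) and `oauth2PermissionGrants` (delegated permissions) objects; the app-role IDs, service principal IDs and app names are placeholders, and in a real tenant the `appRoleId` values are resolved against the `appRoles` collection of the Microsoft Graph service principal. The risk heuristic (privileged list, write beats read, reads of PII-bearing resources rank higher, delegated sits one level below application) is an assumption chosen to match the thread's advice, not an official classification.

```python
"""Review Microsoft Graph permissions granted to apps and flag over-broad ones (added example)."""
from __future__ import annotations

# Constructed placeholder for the Microsoft Graph service principal's object id.
GRAPH_SP_ID = "sp-microsoft-graph"

# Constructed stand-in for the Graph service principal's `appRoles` collection
# (appRoleId -> permission value). Real tenants use the real GUIDs from that collection.
GRAPH_APP_ROLES = {
    "role-directory-readwrite-all": "Directory.ReadWrite.All",
    "role-user-read-all": "User.Read.All",
    "role-mail-read": "Mail.Read",
    "role-group-read-all": "Group.Read.All",
}

# Permissions treated as privileged regardless of the read/write heuristic: a holder can
# rewrite the directory, change role assignments or grant itself further permissions.
PRIVILEGED = {
    "Directory.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
    "AppRoleAssignment.ReadWrite.All",
    "Application.ReadWrite.All",
}

# Resource families whose read permissions expose personal data (the PII caveat).
PII_PREFIXES = ("User.", "Mail.", "Contacts.", "Files.", "People.", "Directory.")

LEVELS = ("low", "medium", "high")


def classify(permission: str, kind: str) -> str:
    """Assumed risk level for one Graph permission; kind is "Application" or "Delegated"."""
    if permission in PRIVILEGED:
        return "high"
    writes = any(tok in permission for tok in ("ReadWrite", ".Write", ".Send", ".Manage"))
    if writes:
        level = "high"
    elif permission.startswith(PII_PREFIXES):
        level = "medium"  # read-only, but reaches personal data
    else:
        level = "low"
    # Delegated permissions are bounded by what the signed-in user can already see,
    # so they sit one level below the equivalent application permission.
    if kind == "Delegated" and level != "low":
        level = LEVELS[LEVELS.index(level) - 1]
    return level


def build_report(service_principals, app_role_assignments, oauth2_grants,
                 graph_app_roles=GRAPH_APP_ROLES):
    """Join the three exports into one row per (app, permission), highest risk first."""
    names = {sp["id"]: sp["displayName"] for sp in service_principals}
    rows = []
    for a in app_role_assignments:  # application permissions (no user context)
        if a["resourceId"] != GRAPH_SP_ID:
            continue  # only Graph permissions are in scope for this review
        perm = graph_app_roles.get(a["appRoleId"], f"unknown:{a['appRoleId']}")
        rows.append({"app": names.get(a["principalId"], a["principalId"]), "permission": perm,
                     "kind": "Application", "consent": "AllPrincipals",
                     "risk": classify(perm, "Application")})
    for g in oauth2_grants:  # delegated permissions; scope is a space-separated list
        if g["resourceId"] != GRAPH_SP_ID:
            continue
        for perm in g.get("scope", "").split():
            rows.append({"app": names.get(g["clientId"], g["clientId"]), "permission": perm,
                         "kind": "Delegated", "consent": g.get("consentType", "Principal"),
                         "risk": classify(perm, "Delegated")})
    rows.sort(key=lambda r: (-LEVELS.index(r["risk"]), r["app"], r["permission"]))
    return rows


def flag(rows, minimum: str = "high"):
    """Rows at or above the given risk level, i.e. the ones worth a conversation."""
    return [r for r in rows if LEVELS.index(r["risk"]) >= LEVELS.index(minimum)]


# Constructed sample exports (a real review would page through GET /servicePrincipals,
# GET /servicePrincipals/{id}/appRoleAssignments and GET /oauth2PermissionGrants).
SERVICE_PRINCIPALS = [
    {"id": "sp-hr-sync", "displayName": "HR Sync Tool"},
    {"id": "sp-helpdesk", "displayName": "Helpdesk Portal"},
    {"id": "sp-reports", "displayName": "Team Reports"},
]
APP_ROLE_ASSIGNMENTS = [
    {"principalId": "sp-hr-sync", "resourceId": GRAPH_SP_ID, "appRoleId": "role-directory-readwrite-all"},
    {"principalId": "sp-hr-sync", "resourceId": GRAPH_SP_ID, "appRoleId": "role-user-read-all"},
    {"principalId": "sp-reports", "resourceId": GRAPH_SP_ID, "appRoleId": "role-group-read-all"},
]
OAUTH2_GRANTS = [
    {"clientId": "sp-helpdesk", "resourceId": GRAPH_SP_ID, "consentType": "AllPrincipals",
     "scope": "User.Read.All Mail.Send"},
]

if __name__ == "__main__":
    for r in build_report(SERVICE_PRINCIPALS, APP_ROLE_ASSIGNMENTS, OAUTH2_GRANTS):
        print(f"{r['risk']:<6} {r['kind']:<11} {r['app']:<16} {r['permission']}")
```

Run as-is, the report puts the HR Sync Tool's application-level Directory.ReadWrite.All at the top as the only "high" row, while the same tool's User.Read.All lands at "medium" and the helpdesk's delegated User.Read.All at "low", which is the distinction the answers above draw between tenant-wide application access and access bounded by the signed-in user. Adjust `PRIVILEGED` and `PII_PREFIXES` to your own classification before relying on the output.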
