Question
I created the app on Azure AD.
The application works fine.
By the way, I wanted to make this app's permissions smaller.
First, I want to limit the schedule that this app can view. For example, the application can see user A's schedule, but not user B's schedule, and so on. User A and User B are registered on the same Azure AD.
Second, I want to limit the users who can impersonate themselves as email senders. For example, user C can send a mail, but user D can't send a mail.
Is there a better way to do it?

Thank you.
Answer 1:
As @juunas suggested, Microsoft Graph Application permissions can't be limited. They are for the entire tenant.
But you can use New-ApplicationAccessPolicy to restrict your app to target mailboxes.
For example:
New-ApplicationAccessPolicy -AccessRight RestrictAccess -AppId "{appID}" -PolicyScopeGroupId EvenUsers@AppPolicyTest2.com -Description "Restrict this app to members of security group EvenUsers."
You can put user A and C into the security group EvenUsers. Then your app is only granted access to the data of user A and C.
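The scoping described in this answer, carried through to a verification step, as an added example that is not part of the original answer. It creates the mail-enabled security group, applies the policy, and uses Test-ApplicationAccessPolicy to confirm which mailboxes the app can reach. The app ID and the four user addresses are constructed placeholders; the group address is the one used in the answer.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and an Exchange admin session.
Connect-ExchangeOnline

$AppId     = '00000000-0000-0000-0000-000000000000'   # placeholder: Application (client) ID
$GroupSmtp = 'EvenUsers@AppPolicyTest2.com'           # scope group from the answer
$Allowed   = 'userA@AppPolicyTest2.com', 'userC@AppPolicyTest2.com'   # constructed addresses
$Denied    = 'userB@AppPolicyTest2.com', 'userD@AppPolicyTest2.com'   # constructed addresses

# The policy scope must be a mail-enabled group; create it if it does not exist yet.
if (-not (Get-DistributionGroup -Identity $GroupSmtp -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name 'EvenUsers' -Type Security `
        -PrimarySmtpAddress $GroupSmtp -Members $Allowed | Out-Null
}

# Create the restriction once; skip if a policy for this app is already present.
if (-not (Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId })) {
    New-ApplicationAccessPolicy -AccessRight RestrictAccess -AppId $AppId `
        -PolicyScopeGroupId $GroupSmtp `
        -Description 'Restrict this app to members of security group EvenUsers.' | Out-Null
}

# Build the expected outcome per mailbox: members Granted, everyone else Denied.
$expected = [ordered]@{}
foreach ($m in $Allowed) { $expected[$m] = 'Granted' }
foreach ($m in $Denied)  { $expected[$m] = 'Denied' }

# Ask Exchange Online how the policy evaluates for each mailbox and compare.
$results = foreach ($mailbox in $expected.Keys) {
    $check  = Test-ApplicationAccessPolicy -Identity $mailbox -AppId $AppId
    $actual = "$($check.AccessCheckResult)"
    [pscustomobject]@{
        Mailbox  = $mailbox
        Expected = $expected[$mailbox]
        Actual   = $actual
        Match    = ($actual -eq $expected[$mailbox])
    }
}
$results | Format-Table -AutoSize

# Fail loudly if any mailbox is reachable (or blocked) contrary to intent.
if ($results.Match -contains $false) {
    Write-Error 'Application access policy does not match the intended scope.'
}
```

The policy only governs the app's access to Exchange Online mailbox data (mail, calendar, contacts), and a changed policy can take a while to show up in Microsoft Graph calls even after Test-ApplicationAccessPolicy reports the expected result.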
Source: https://stackoverflow.com/questions/60830472/is-there-a-way-to-weaken-the-permissions-of-the-apps-i-create-on-azure-ad