Granting API access to specific users

Kyle Barr
2020-05-20T20:04:28.363+00:00

Our organization has a couple dozen special email accounts (Exchange). No users manually sign into them, but we have a native app that manages the accounts automatically.

I've registered the app in Azure, but I'm having trouble deciding which route to go with the permissions. Delegated permissions don't feel right because users never manually sign into these accounts. The app has the account credentials so it could log in, but I don't think there's a way for it to accept permissions like that. Application permissions feel like overkill, and likely a security issue, granting the app access to so many users it doesn't need.

Is there a way to automatically grant permission to a small set of users? Either individually, or by putting them in a group and granting permissions to that group?

Thanks.

Microsoft Entra ID

2 answers

  1. AmanpreetSingh-MSFT
    2020-05-21T01:54:02.953+00:00

    Hi @Kyle Barr, you can choose to go with delegated or application permissions based on how the application is going to access the resources.

    Delegated permissions should be used when you want the application to perform certain actions on behalf of a user. For example, allow application to access directory data as signed in user.

    Application permissions should be used when there is no user involved in the process. In that case the application authenticates using the client_credentials flow and gets a token issued to the application itself; the application then accesses directory data in its own context and not on behalf of a user.

    Is there a way to automatically grant permission to a small set of users?
    This is possible if each user in that specific set provides consent to the application to access resources on their behalf, or an admin adds the specific set of users to a specific directory role. You cannot provide admin consent to grant permissions to a specific set of users. Admin consent grants approved access for all users in the tenant.

    -----------------------------------------------------------------------------------------------------------

    Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.


  2. Vasil Michev (MVP)
    2020-05-20T20:24:46.427+00:00

    Depends on what the app is supposed to do. If accessing/managing mail items and such, the Graph API can be a good match and you can restrain the permissions to specific mailboxes via application access policies: https://practical365.com/exchange-online/application-access-policies-in-exchange-online/

    EWS is another option, but if you are going to use it in the application permissions model, it cannot be scoped. You can however create a separate account just for said app to use, and limit its permissions. If the app needs to also perform management tasks, the Graph API currently doesn't cover a thing, so you'll have to use PowerShell and limit it via management scopes and such.

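The two answers above make one combined point: the app should use application permissions with the client_credentials flow (no user is signing in), and the blast radius of those permissions should be cut down to the couple dozen special mailboxes with an Exchange Online application access policy. The script below is an added example and is not code from either answer or from Microsoft; it shows both halves, first creating a RestrictAccess policy scoped to a mail-enabled security group and checking it with Test-ApplicationAccessPolicy, then acquiring a client_credentials token and reading one in-scope and one out-of-scope mailbox through Graph to confirm the policy bites. Every tenant ID, app ID, secret, group address and mailbox address in it is a placeholder assumption; it also assumes the app registration already holds an admin-consented Mail.Read application permission and that the Exchange Online PowerShell module is installed.

```powershell
# Added example (not from the original thread): scope an app's Graph
# application permissions to a handful of Exchange Online mailboxes with
# an application access policy, then prove the scoping with a
# client_credentials token. All IDs, addresses and names below are
# placeholders and are assumptions for illustration.
#
# Prerequisites: Exchange Online PowerShell module (Connect-ExchangeOnline),
# an app registration with Mail.Read (application) permission that has been
# admin-consented, and a client secret for that app.

$TenantId     = '00000000-0000-0000-0000-000000000000'   # placeholder tenant ID
$AppId        = '11111111-1111-1111-1111-111111111111'   # placeholder app (client) ID
$ClientSecret = 'REPLACE-WITH-SECRET'                    # placeholder; prefer a certificate in production
$GroupAddress = 'svc-mailboxes@contoso.com'              # placeholder mail-enabled security group
$InScope      = 'shared01@contoso.com'                   # placeholder mailbox the app may read
$OutOfScope   = 'ceo@contoso.com'                        # placeholder mailbox the app must not read

# --- 1. Restrict the app in Exchange Online -------------------------------
Connect-ExchangeOnline

# The policy scope must be a mail-enabled security group; -Type Security
# creates one. Put only the special mailboxes in it.
New-DistributionGroup -Name 'svc-mailboxes' -PrimarySmtpAddress $GroupAddress `
    -Type Security -Members $InScope

# RestrictAccess: the app may only reach mailboxes that are in the group.
# Without any policy, application permissions apply to every mailbox in the tenant.
New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $GroupAddress `
    -AccessRight RestrictAccess -Description 'Mailbox automation app'

# Check the effective result per mailbox before trusting the policy.
# AccessCheckResult should be Granted for $InScope and Denied for $OutOfScope.
Test-ApplicationAccessPolicy -Identity $InScope    -AppId $AppId
Test-ApplicationAccessPolicy -Identity $OutOfScope -AppId $AppId

# --- 2. Call Graph as the app itself (client_credentials flow) -----------
function Get-AppToken {
    # Token is issued to the application, not to any user.
    $body = @{
        client_id     = $AppId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
    (Invoke-RestMethod -Method Post -Body $body `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token").access_token
}

function Read-MailboxTop {
    param([string]$Mailbox, [string]$Token)
    try {
        $r = Invoke-RestMethod -Headers @{ Authorization = "Bearer $Token" } `
            -Uri "https://graph.microsoft.com/v1.0/users/$Mailbox/messages?`$top=1&`$select=subject"
        "{0}: allowed ({1} message returned)" -f $Mailbox, @($r.value).Count
    } catch {
        # Expected for mailboxes outside the policy scope: HTTP 403 from Graph.
        "{0}: denied ({1})" -f $Mailbox, $_.Exception.Message
    }
}

# Policy changes can take some time to propagate; re-run this part if the
# out-of-scope call is still allowed right after creating the policy.
$token = Get-AppToken
Read-MailboxTop -Mailbox $InScope    -Token $token
Read-MailboxTop -Mailbox $OutOfScope -Token $token
```

Adding a new special mailbox is then a group-membership change, not a permission change, and Test-ApplicationAccessPolicy gives a per-mailbox answer you can keep in a runbook. Note that the policy only constrains Graph and EWS calls made with application permissions; it does nothing for a delegated token, and a user-style sign-in with the mailbox's own password (the other option the question mentions) bypasses it entirely.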
