We have an app that allows scanning mailboxes in Exchange Online (Office 365). This app works fine, using the Microsoft Graph API User.Read.All permission to first fetch all users, and then Mail.Read to read their mailboxes.
Problem: One customer wants to restrict our app to work over a single mailbox, as a test of our app, without granting our app access to their whole tenancy.
It looks like this is possible using a "mail-enabled security group": https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access. So the Mail.Read permission is not a problem.
But our app also lists users, so it needs the User.Read.All permission. I cannot figure out how to set this up for the "security group". Any ideas?