
For security and privacy reasons I would like to limit the data fields that an app with Application permissions is able to receive from the MS Graph API. My end goal is to be able to display free calendar slots of members of a certain Active Directory security group for a partner company.

I can use ApplicationAccessPolicy to limit the application's Graph API access to the desired AD group. I have not yet been able to find a way to pre-limit the data so that it only contains a limited set of fields. Having a man-in-the-middle type of API that would limit the data using select queries on the Graph API and then pass it forward is not an ideal solution, as we need to take internal misuse into consideration. The only acceptable solution would be to somehow do the limiting in the Azure portal so that the Graph API can only give out limited data.

  • You can use the ['select' OData query](https://learn.microsoft.com/en-us/graph/query-parameters#select-parameter), which gives the selected fields' data. For example, if you hit the **/users?$select=id,displayName** endpoint, you will be getting only id and displayName from the Graph server. – Shiva Keshav Varma Sep 04 '20 at 07:39
  • Using Select has been addressed in the original question. It is not a viable option, as during production developers might change the code and get access to sensitive information. I am looking for a way to limit the data the Graph API can respond with, to create least-privilege access that mitigates internal misuse. – Nisu Sep 04 '20 at 09:42
  • Currently there is no such feature; you can, however, voice your interest in such a feature or support similar ones in the [Microsoft Graph Feedback Forum](https://microsoftgraph.uservoice.com/forums/920506-microsoft-graph-feature-requests). – Shiva Keshav Varma Sep 07 '20 at 09:46
  • Thanks! I found the "Add Calendars.ReadBasic minimum permission for getSchedule" suggestion in the Feedback Forum. It would solve the security and privacy issues present in my use case, so I voted for it. – Nisu Sep 07 '20 at 12:06
  • Hi Nisu, as Shiva has said, it's not supported to limit the fields in Graph or the Azure portal. Can you add an answer about the UserVoice suggestion as a summary, so that other people who have the same requirement can go there to vote? – Allen Wu Sep 09 '20 at 02:57

1 Answer

You can use the 'select' OData query, which gives the selected fields' data. For example, if you hit the /users?$select=id,displayName endpoint, you will be getting only id and displayName from the Graph server.

If you want to limit access on the selected field, unfortunately there is no such feature as of now. However, you can voice your interest in such a feature or support similar ones in the Microsoft Graph Feedback Forum.
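Since Graph cannot be told server-side to drop fields, the remaining data-minimization lever is in the app itself: call getSchedule (which returns availability, not event bodies) and discard everything except availabilityView before anything reaches the partner-facing view. The following is an added example, not code from the question, the answer or Microsoft; the request body follows the documented getSchedule shape, and the response is constructed sample data.

```python
"""Derive partner-visible free slots from a Graph calendar/getSchedule reply."""
from datetime import datetime, timedelta

# POST https://graph.microsoft.com/v1.0/users/{id}/calendar/getSchedule
GRAPH_GETSCHEDULE = "https://graph.microsoft.com/v1.0/users/{owner}/calendar/getSchedule"


def build_request(owner, members, start, end, interval_min=30):
    """Return (url, json body). availabilityViewInterval is in minutes."""
    fmt = "%Y-%m-%dT%H:%M:%S"
    body = {
        "schedules": list(members),
        "startTime": {"dateTime": start.strftime(fmt), "timeZone": "UTC"},
        "endTime": {"dateTime": end.strftime(fmt), "timeZone": "UTC"},
        "availabilityViewInterval": interval_min,
    }
    return GRAPH_GETSCHEDULE.format(owner=owner), body


def free_slots(response, start, interval_min=30):
    """Map scheduleId -> [(slot_start, slot_end)] for intervals marked free.

    availabilityView has one character per interval: 0 free, 1 tentative,
    2 busy, 3 out of office, 4 working elsewhere. Only '0' counts as free.
    scheduleItems (subjects, locations, attendees) are never read, so they
    cannot leak into what the partner sees even if Graph returns them.
    """
    step = timedelta(minutes=interval_min)
    result = {}
    for sched in response.get("value", []):
        slots = []
        for i, flag in enumerate(sched.get("availabilityView", "")):
            if flag == "0":
                slots.append((start + i * step, start + (i + 1) * step))
        result[sched["scheduleId"]] = slots
    return result


# Constructed sample: two group members, four 30-minute intervals from 09:00 UTC.
SAMPLE_START = datetime(2020, 9, 7, 9, 0)
SAMPLE_RESPONSE = {"value": [
    {"scheduleId": "alice@example.com", "availabilityView": "0200",
     "scheduleItems": [{"subject": "Confidential review", "status": "busy"}]},
    {"scheduleId": "bob@example.com", "availabilityView": "2000"},
]}

if __name__ == "__main__":
    url, body = build_request("alice@example.com", ["alice@example.com", "bob@example.com"],
                              SAMPLE_START, SAMPLE_START + timedelta(hours=2))
    print(url, body)
    for member, slots in free_slots(SAMPLE_RESPONSE, SAMPLE_START).items():
        print(member, [(a.strftime("%H:%M"), b.strftime("%H:%M")) for a, b in slots])
```

Combined with the ApplicationAccessPolicy already mentioned in the question, this keeps the app's output to the partner limited to free/busy intervals, but it remains a client-side control rather than a Graph-enforced one.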
