Further to the question raised here

Get all user properties from microsoft graph

Yes, I can obtain full user profile data using the Graph query, but from the perspective of the tenant, can I restrict the Graph query to only be able to access the basic profile data?

Azure AD Graph has a delegated permission, User.ReadBasic.All, which restricts this. We have a third-party app that accesses the Azure directory to retrieve basic data to set up accounts in its user directory, and we need to restrict this to the basic data due to the security risk. We cannot rely on the third party just doing the right thing all the time.

So I need a way to set the app to allow app permissions (not delegated, as the read occurs every 4 hours without human involvement) for User.ReadBasic.All.

Mondo

1 Answer

If you want to restrict the returned fields from "User.ReadBasic.All", the best way is to implement a custom handler (API/service and so on). There is no direct official channel to do this now. (User.ReadBasic allows the app to read the full profile of the signed-in user, because after the user signs in it means he has authorized the app to get his information.)

You can check the blog on Graph permissions here: https://blogs.msdn.microsoft.com/aaddevsup/2018/05/21/finding-the-correct-permissions-for-a-microsoft-or-azure-active-directory-graph-call/

And for the details of "User.ReadBasic.All" that you pointed to from the official link (https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference#user-permissions): Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address, open extensions and photo. Also allows the app to read the full profile of the signed-in user.

Seiya Su
  • If you do not want the third-party app to read the full profile from your AAD, you should not grant them the permission to your AAD. A custom API for them should be the best choice for your concern about the security risk. – Seiya Su Aug 04 '18 at 05:48
  • I don't need to restrict the return from User.ReadBasic.All; I want this permission to be available as an app permission. Currently all I can use is Directory.Read.All, which is too open. – Mondo Aug 05 '18 at 22:26
  • Because what you want is not in the current API, I think you can submit a request in UserVoice: https://officespdev.uservoice.com/forums/224641-feature-requests-and-feedback/category/101632-microsoft-graph-o365-rest-apis – Seiya Su Aug 06 '18 at 01:23
  • If you still want to set "Read all users' basic profiles" in the Azure portal as "not delegated", we cannot do it now. "Read all users' basic profiles" is not a default app permission. – Seiya Su Aug 06 '18 at 01:47
  • Thanks. I've submitted a request. – Mondo Aug 07 '18 at 11:03
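As an added example of the custom handler the answer proposes (this is not code from the question, the answer, or Microsoft; it is an illustration written for this page): a small service that sits between the third-party app and Microsoft Graph, holds the broad application permission itself, and returns only an allow-listed subset of each user. The mapping of the "basic profile" set (display name, first and last name, email address, open extensions, photo) to the Graph property names displayName, givenName, surname, mail and extensions is an assumption; photo comes from a separate Graph endpoint and would need its own route. BASIC_PROPERTIES, handle_users_request and the sample users are hypothetical.

```python
"""Field-restricting proxy in front of Microsoft Graph /users.

Added example, not code from the question or answer. Assumptions: the
"basic profile" set from the Graph permissions reference (display name,
first and last name, email address, open extensions, photo) is mapped to the
Graph property names displayName, givenName, surname, mail and extensions;
the photo comes from a separate Graph endpoint and would need its own route.
BASIC_PROPERTIES, handle_users_request and the sample users are hypothetical.
"""
from typing import Callable, Dict, Iterable, List, Optional, Set

# Allow-list: the only user properties the third-party app can ever receive.
# Graph returns far more (jobTitle, mobilePhone, officeLocation, ...) to the
# proxy's own Directory.Read.All / User.Read.All token; those never leave here.
BASIC_PROPERTIES = frozenset(
    {"id", "displayName", "givenName", "surname", "mail", "extensions"}
)


class ForbiddenSelect(ValueError):
    """A caller asked for a property outside the allow-list."""


def parse_select(select: Optional[str]) -> Set[str]:
    """Parse a Graph-style $select ("a,b,c") against the allow-list.

    Anything not allowed is rejected outright rather than silently dropped, so
    a misconfigured client fails loudly instead of appearing to work.
    """
    if not select:
        return set(BASIC_PROPERTIES)
    requested = {p.strip() for p in select.split(",") if p.strip()}
    disallowed = requested - BASIC_PROPERTIES
    if disallowed:
        raise ForbiddenSelect(
            "properties not exposed by this service: %s" % sorted(disallowed)
        )
    return requested


def project_user(user: Dict, fields: Iterable[str]) -> Dict:
    """Copy only allow-listed fields out of a raw Graph user object."""
    allowed = set(fields) & BASIC_PROPERTIES  # defence in depth: intersect again
    return {k: user[k] for k in allowed if k in user}


def handle_users_request(
    query: Dict[str, str], fetch_users: Callable[[], List[Dict]]
) -> List[Dict]:
    """Service entry point for GET /users?$select=...

    fetch_users is the Graph call; in production it would use the proxy's own
    client-credentials token (application permission), so the third party
    never holds a Graph credential at all, only a credential for this service.
    """
    fields = parse_select(query.get("$select"))
    return [project_user(u, fields) for u in fetch_users()]


# Constructed sample of what Graph hands the proxy; not real directory data.
SAMPLE_GRAPH_USERS: List[Dict] = [
    {
        "id": "11111111-1111-1111-1111-111111111111",
        "displayName": "Ada Example",
        "givenName": "Ada",
        "surname": "Example",
        "mail": "ada@example.com",
        "userPrincipalName": "ada@example.com",
        "jobTitle": "Engineer",
        "mobilePhone": "+1 555 0100",
        "officeLocation": "B2/201",
    },
    {
        "id": "22222222-2222-2222-2222-222222222222",
        "displayName": "Bob Example",
        "givenName": "Bob",
        "surname": "Example",
        "mail": None,  # Graph returns null when no mailbox is assigned
        "jobTitle": "Contractor",
        "mobilePhone": "+1 555 0101",
    },
]


def fetch_sample_users() -> List[Dict]:
    """Stand-in for the Graph client so the example runs offline."""
    return SAMPLE_GRAPH_USERS


if __name__ == "__main__":
    for u in handle_users_request({}, fetch_sample_users):
        print(u)
    try:
        handle_users_request({"$select": "displayName,mobilePhone"}, fetch_sample_users)
    except ForbiddenSelect as exc:
        print("rejected:", exc)
```

The point of the design is that the tenant's trust boundary moves: the third party is given credentials only for this service, never for Graph, so the enforcement is in code the tenant controls rather than in a permission grant the portal cannot narrow. A request for a non-basic property is refused rather than quietly trimmed, so any attempt to read beyond the allow-list shows up in the service's logs.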