No. Most Graph permissions provide unscoped access to the corresponding object types, i.e. User.Read.All allows you to read the properties of all user objects. There are some workload-specific functionalities that allow you to restrict this, such as Application access policies/RBAC for Applications for Exchange, or the Sites.Selected scope for SharePoint Online. But nothing on directory objects.
How can I limit an application's access to view only a subset of the users in Microsoft Graph API, MS Teams endpoints?
What are the methods to restrict the access of an application that is using the Microsoft Graph API to fetch users' conversations, so that it can only view data of Microsoft Teams endpoints for a specific subset of users?
1 additional answer
Rajat Vashistha-MSFT 835 Reputation points Microsoft Vendor
2025-02-13T17:12:52.7266667+00:00
Hi Noga Malach,
Thank you for reaching out to Microsoft!
At present, there's no method to restrict an application's access to view only a subset of users within Microsoft Graph API related to MS Teams endpoints.
However, we do offer this capability for:
- Exchange Online: You can limit application permissions to specific Exchange Online mailboxes. Limiting application permissions to specific Exchange Online
- SharePoint Online: You can use the Sites.Selected permission to control application access to specific SharePoint sites. Applications that use Sites.Selected permissions for SPO sites
Since this feature/functionality is presently not available, you can submit a feature request idea using the support link, which will be monitored by the Microsoft team to make enhancements to Microsoft Graph APIs.
Hope this helps.
If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.
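The Exchange Online scoping that both answers mention, sketched as an added example (not code from either answer): an application access policy that confines an app's mailbox permissions to the members of one group, followed by a check that it behaves as intended. The app ID, group address and mailbox addresses are placeholders, and the app is assumed to already hold an Exchange-related application permission such as Mail.Read.

```powershell
# Placeholders, not values from this thread: replace before use.
$AppId      = '00000000-0000-0000-0000-000000000000'  # client ID of the app registration
$ScopeGroup = 'graph-app-allowed@contoso.example'     # mail-enabled security group of permitted mailboxes
$InScope    = 'alice@contoso.example'                 # a member of $ScopeGroup
$OutOfScope = 'bob@contoso.example'                   # not a member of $ScopeGroup

# Requires the ExchangeOnlineManagement module and an Exchange administrator sign-in.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# RestrictAccess: the app may reach ONLY mailboxes that are members of the scope group.
New-ApplicationAccessPolicy -AppId $AppId `
    -PolicyScopeGroupId $ScopeGroup `
    -AccessRight RestrictAccess `
    -Description 'Limit Graph mailbox access to the allowed-mailboxes group'

# Verify both sides of the boundary: expect Granted for the member, Denied for the non-member.
foreach ($mailbox in $InScope, $OutOfScope) {
    $result = Test-ApplicationAccessPolicy -Identity $mailbox -AppId $AppId
    '{0}: {1}' -f $mailbox, $result.AccessCheckResult
}

# Review the policies in place so the scope can be audited later.
Get-ApplicationAccessPolicy | Format-List
```

This policy constrains only the Exchange Online data the app reaches through Graph; as the answers above state, it does not scope Teams endpoints or directory objects, so permissions such as User.Read.All remain tenant-wide.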