Restrict app permissions to scopes (required by large organizations)
If my app gets permission to access "calendar write", I can modify ALL mailbox calendars.
Large organizations would love to restrict apps to specific objects, e.g. my app can only write to calendars of users *@contoso.com, or of users that are members of the security group "Contoso", or similar...
Any plans on that topic?
Martin Kolb commented
Especially for Germany this has a huge impact, since I am not able to get consent for an app permission that can read all private calendar events of everyone in the organization. The work councils of our customers will never allow such a piece of code.
The administrator needs to have the granular option to restrict permissions on a calendar similar to delegated permissions on a shared calendar (free busy / title only / … ).
Currently, we are running with a service account, but this has bad side effects: it consumes an Exchange Online license, and currently it's not possible to create Graph subscriptions for shared calendars within the user context.
Thanks in advance!
I am looking forward to the restriction of app permissions. Usually, in the real world, an app reading/writing the whole company's/organization's data is not accepted by the admin, and I really understand the admin, since nobody likes exposing his emails/calendar/tasks to an app that is "unknown" to him.