Microsoft Graph API: Restrict scope of Calendar.ReadWrite and audit mailbox access by application permission

风流意气都作罢 submitted on 2020-01-25 00:26:07

Question


We are using AD-deployed daemon applications that have full read/write access to users' calendars in Office 365 to get meeting notifications from the Graph API. We have moved away from EWS because of constant issues and MS deprecating its use.

There does not currently seem to be a way of restricting the scope of the Office 365 Calendar.ReadWrite permission from the organization level to a group/user.

Fortune 500 customers are worried that our application has access to all sensitive data inside their mailboxes and are not ready to provide admin consent for the Calendar.ReadWrite permission. I have explained all the security measures that are in place, such as the use of certificates for application identity while registering the service in AD, the admin consent requirement before we can access calendars and get/set information, and the fact that communication is secure, as it runs from the Office 365 Graph API hosted in Azure to our application, which is also hosted in Azure.

As AD admins they can decline consent to the application at any time, but clients think that it is too late in case there is a security incident.

Still, such organizations are reluctant.

Is there any way to restrict the scope of the Calendar.ReadWrite permission?

Can we audit MS Graph API calls for a specific user mailbox by using the Office 365 Management APIs?

Can we disable MS Graph API calls for a specific user mailbox, similar to the way EWS has the EWSEnabled property on the mailbox?

Is there any policy that I can set under the Security and Compliance admin section of Office 365 to better control such applications from the Exchange admin side?


Answer 1:


Can we disable MS Graph API calls for a specific user mailbox, similar to the way EWS has the EWSEnabled property on the mailbox?

Yes. An Application Access Policy can be used by an Exchange admin to restrict an application to a specific email or security group.

Restricted emails return the following error message:
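As an added illustration of the Application Access Policy approach described in the answer (this is example code, not part of the original answer), the following Exchange Online PowerShell session creates a policy that limits one application registration to the mailboxes in a mail-enabled security group and then checks the result for two mailboxes. The application ID, group address and user addresses are placeholders that must be replaced with the tenant's own values.

```powershell
# Added example, not from the original answer. Requires the ExchangeOnlineManagement module
# and an account with Exchange admin rights in the tenant.
Connect-ExchangeOnline

# Placeholder values: replace with the daemon app's Application (client) ID and a
# mail-enabled security group containing the mailboxes the app is allowed to reach.
$appId      = "00000000-0000-0000-0000-000000000000"
$scopeGroup = "calendar-daemon-allowed@contoso.example"

# RestrictAccess: the app may only access mailboxes that are members of $scopeGroup.
# Every other mailbox in the tenant is denied, regardless of the Calendar.ReadWrite
# application permission the admin consented to in Azure AD.
New-ApplicationAccessPolicy -AppId $appId `
    -PolicyScopeGroupId $scopeGroup `
    -AccessRight RestrictAccess `
    -Description "Limit the calendar daemon to members of $scopeGroup"

# Verify the effective result per mailbox (placeholder addresses):
# a group member should report Granted, a non-member Denied.
Test-ApplicationAccessPolicy -Identity "alice@contoso.example" -AppId $appId
Test-ApplicationAccessPolicy -Identity "bob@contoso.example"   -AppId $appId

# List the policies currently defined in the tenant for review or audit
Get-ApplicationAccessPolicy
```

The same cmdlet also accepts `-AccessRight DenyAccess`, which blocks the application from the group's mailboxes while leaving the rest of the tenant reachable; `RestrictAccess` is the fit for the allow-list scenario in the question. Policy changes take time to propagate, so run `Test-ApplicationAccessPolicy` again after a while before concluding that a policy has no effect.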



Source: https://stackoverflow.com/questions/55706303/microsoft-graph-api-restrict-scope-of-calendar-readwrite-and-audit-mailbox-acc
