I have an Entra ID setup where I need to allow an external service to access a list of users. Those users come from 2 groups.
The goal is to allow this external service to get the emails of those users and only those ones, not all emails in the tenant.
I created an app with API permissions, thinking that it would be possible to give an API access to the external service with only the data of the users assigned to that app.
What I tried:
- Tried with User.Read.All or User.ReadBasic.All, but it lets the external service view all users in the tenant.
- Tried with GroupMember.Read.All, which is almost good, but it does not return the email of the users unless I enable solution 1 with User.ReadBasic.All.
Is there a way to achieve this goal without giving the privilege to list all users in the tenant?
Or maybe another approach than with an app ?
Note that: When you add or grant delegated `User.Read.All`/`GroupMember.Read.All`, by default the user signing in to the application will be able to fetch all the users in the tenant.
- Hence you can only restrict which users can use the application by adding them in Users and groups.
- If the access token generated by the user contains `User.Read.All`/`GroupMember.Read.All`, then the user can access all users in the tenant.
- Hence, it is not possible to allow users to access only a subset of users.
If you grant `User.Read`, then the user cannot fetch all the users in the tenant; only the signed-in user's details can be fetched.
There is no way to achieve your requirement; grant the `User.Read.All` API permission. The `User.Read.All` API permission, when granted, allows reading all users' full profiles.
Generated access token and called the below API:
GET https://graph.microsoft.com/v1.0/users
Reference:
How to limit the scope of User.Read.All to specific subset of users – Microsoft Q&A by Vasil Michev.
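As an added example (not part of the question or the answer above): a script that decodes the `scp` (delegated) and `roles` (application) claims of a Microsoft identity platform access token offline and flags the permissions the answer identifies as tenant-wide, so a reviewer can see at a glance whether a token can enumerate all users rather than only the assigned ones. The sample token is constructed and unsigned; the script does not verify signatures and is for inspection only.

```python
import base64
import json

# Permissions the answer identifies as tenant-wide: a token carrying any of
# them (delegated 'scp' or application 'roles') can enumerate all users or
# all group members, not just the users assigned to the app.
TENANT_WIDE_READ = {
    "User.Read.All": "read full profiles of all users in the tenant",
    "User.ReadBasic.All": "read basic profiles of all users in the tenant",
    "GroupMember.Read.All": "enumerate members of every group in the tenant",
}

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying its
    signature: this inspects what a token grants, it does not authenticate it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))

def granted_permissions(claims: dict) -> set:
    """Delegated scopes live in 'scp' (space-separated); app roles in 'roles' (list)."""
    return set(claims.get("scp", "").split()) | set(claims.get("roles", []))

def tenant_wide_findings(token: str) -> dict:
    """Map each tenant-wide permission present in the token to its impact."""
    perms = granted_permissions(token_claims(token))
    return {p: TENANT_WIDE_READ[p] for p in sorted(perms) if p in TENANT_WIDE_READ}

def make_sample_token(payload: dict) -> str:
    """Build a CONSTRUCTED, unsigned token for offline testing only (alg=none)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."

# Constructed sample: a delegated token carrying the permissions the question tried.
SAMPLE_TOKEN = make_sample_token({
    "aud": "https://graph.microsoft.com",
    "scp": "GroupMember.Read.All User.ReadBasic.All openid profile",
})

if __name__ == "__main__":
    for perm, impact in tenant_wide_findings(SAMPLE_TOKEN).items():
        print(f"{perm}: {impact}")
```

A token carrying only `User.Read` produces no findings, matching the answer's point that it limits the caller to the signed-in user's own details.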