Defining Application Scope

Once an application has been registered it will have limited access to resources in its tenant.

Default Permissions

Defining application scope allows an administrator to provide access to API resources at either User or Administrator level. The application will need to authenticate its action first, and then once authenticated can only access what is within it’s scope.

Often developers will add more scope than is required, this is a bad security practice, please don’t be this developer. It is tempting to do this, especially in quick solutions - but too often a pilot ends up as production and this could potentially allow invasive levels of access to the tenant.

Practice the principal of least privilege as much as practical. If not possible other compensating controls should be implemented and will be discussed later in the workshop.

Overview of Graph Api Permissions

Enhance security with the principle of least privilege