可以限制Microsoft Graph App Only权限吗? [英] Can Microsoft Graph App Only Permissions be restricted?

问题描述

我正在开发一个应用程序，用于通过Microsoft Graph管理客房预订.最后，该应用需要阅读和取消预订到某个会议室资源帐户中的会议.

I am developing an app to manage room bookings via Microsoft Graph. In the end, the app needs to read and cancel meetings that are booked into a certain room resource account.

不幸的是，只有权限Calendars.ReadWrite赋予应用程序读取和写入租户中每个用户日历的权​​限，包括私人约会.

Unfortunately, there is only the permission Calendars.ReadWrite which gives the app permissions to read and write every users calendar in the tenant, including private appointments.

我还没有发现限制权限或将其指定为更细粒度的可能性.

I have not found any possibility to restrict the permissions or specify them more granular.

有人知道如何处理吗? (还是我必须再次退回到服务帐户和旧的Exchange Web服务，在这里我可以为该服务帐户提供精细的权限?)

Does anyone know how to deal with this? (Or do I have to fall back again to service accounts and the old exchange web services, where I can give granular permissions to that service account?)

非常感谢！

推荐答案

应用程序权限隐含了该范围的全部特权级别，引用了

Application permissions imply the full the level of privileges of that scope, referenced here. If you are scoping this specific mailboxes/calendars, you use delegated permissions with a functional account that has delegated permissions on those resources. We've had to do that before. It sucks, but that is the nature of App Permissions versus Delegate.

如果您要对此编写脚本，则可以尝试使用

If you have are trying to script this, you could try the "client_secret_post" authentication method for the token acquisition mentioned here and in more detail with the OpenID Connect Spec and the OAuth 2.0 Spec.

这篇关于可以限制Microsoft Graph App Only权限吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！