I have an Azure App Registration, secured by a cert, created following these steps. The App Registration is set up with Admin consent to the outlook.com mail, calendar and contact APIs, such that an OAuth access token can be acquired for any user within the tenant without any action required of the individual user (i.e. no individual user sign-in or consent is necessary).
The code that acquires the access token from the App Registration is as follows:
using System.Security.Cryptography.X509Certificates;   // X509Certificate2
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL: ClientAssertionCertificate, AuthenticationContext

// Load the App Registration's certificate; its private key signs the client assertion
var cert = new X509Certificate2(<certFromSecureLocation>);
var clientCredential = new ClientAssertionCertificate(<ApplicationId>, cert);
// Tenant-specific authority: tokens are issued for this tenant only
var authContext = new AuthenticationContext("https://login.windows.net/somecompany.com");
// Client-credentials (app-only) flow: no user signs in, so the token carries the app's own permissions
var result = await authContext.AcquireTokenAsync("https://outlook.office.com", clientCredential);
var accessToken = result.AccessToken;
With the access token, requests can be made to the Office APIs for any user within the tenant, e.g.:
GET https://outlook.office.com/api/v2.0/users/any.user@somecompany.com/MailFolders
Host: outlook.office.com
X-AnchorMailbox: any.user@somecompany.com
Authorization: Bearer <ACCESS_TOKEN>
Accept: application/json
Accept-Encoding: gzip, deflate
Is it possible to set up an App Registration such that an Admin can grant consent to APIs for a specific set of users or groups so that not all data for all users is potentially exposed? Or is there a way to exclude users or groups from the App Registration such that the OAuth access token cannot be used against their accounts?
Or is there a different approach altogether that can achieve the same result of being able to acquire an access token for a set of users that the admin grants, without requiring end-user interactions?
This article seems like it is in the right neighborhood of the solution but does not seem to apply to this specific kind of setup. I can turn on User assignment required for the App Registration and have a specific set of users assigned to it, but am still able to use the access token for any user within the tenant.
I'm afraid there is no such way to access only a set of users. If the access token contains permission A, it will be able to access all the data that permission A allows.
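The quickest way to see why the "User assignment required" experiment in the question changes nothing is to look at the claims Azure AD puts in the token itself. The following is an added example, not code from the question or the answer: a small stdlib-only Python helper that decodes an access token's payload and reports whether it is app-only (application permissions in the `roles` claim, no user claim at all, so the permission reaches every mailbox in the tenant) or delegated (`scp` plus the signed-in user's `upn`). The two sample tokens are constructed inline with placeholder GUIDs and a dummy signature; the decoder deliberately does not verify signatures and must only be used for inspection, never for accepting tokens on an API.

```python
import base64
import json


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT for inspection.

    The signature is deliberately NOT verified: this reads what the
    issuer put in the token so a human can check it, and is not a gate
    for accepting tokens on an API.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    return json.loads(_b64url_decode(parts[1]))


def assess_token(token: str) -> dict:
    """Summarise who a token can act as, from its claims alone.

    Azure AD v1 access tokens carry application permissions in `roles`
    (client-credentials flow: no user in the token, so the permission
    applies to every mailbox in the tenant) and delegated permissions in
    `scp` together with the signed-in user's `upn`.
    """
    claims = decode_claims(token)
    if "scp" in claims:
        kind = "delegated"
        permissions = claims["scp"].split()
        acts_as_user = claims.get("upn")
        reach = "only the signed-in user's mailbox"
    elif "roles" in claims:
        kind = "app-only"
        permissions = list(claims["roles"])
        acts_as_user = None  # nothing here for 'User assignment required' to match against
        reach = "any mailbox in tenant %s" % claims.get("tid")
    else:
        kind = "unknown"
        permissions = []
        acts_as_user = None
        reach = "undetermined"
    return {
        "kind": kind,
        "audience": claims.get("aud"),
        "tenant": claims.get("tid"),
        "app_id": claims.get("appid"),
        "permissions": permissions,
        "acts_as_user": acts_as_user,
        "reach": reach,
    }


def _make_inspection_jwt(payload: dict) -> str:
    """Build a token-shaped string for offline demonstration only.

    Header and signature are placeholders (constructed); a real Azure AD
    token is RS256-signed with a key published in the tenant's discovery
    document.
    """
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])


# Constructed sample claims; the GUIDs and user are placeholders, not a real tenant.
_TENANT = "11111111-2222-3333-4444-555555555555"
_APP_ID = "66666666-7777-8888-9999-000000000000"

APP_ONLY_TOKEN = _make_inspection_jwt({
    "aud": "https://outlook.office.com",
    "iss": "https://sts.windows.net/%s/" % _TENANT,
    "tid": _TENANT,
    "appid": _APP_ID,
    "roles": ["Mail.Read", "Calendars.Read", "Contacts.Read"],
    "ver": "1.0",
})

DELEGATED_TOKEN = _make_inspection_jwt({
    "aud": "https://outlook.office.com",
    "iss": "https://sts.windows.net/%s/" % _TENANT,
    "tid": _TENANT,
    "appid": _APP_ID,
    "scp": "Mail.Read Calendars.Read",
    "upn": "some.user@somecompany.com",
    "ver": "1.0",
})


if __name__ == "__main__":
    for name, tok in (("app-only", APP_ONLY_TOKEN), ("delegated", DELEGATED_TOKEN)):
        print(name, json.dumps(assess_token(tok), indent=2))
```

Paste a real token obtained by the `AcquireTokenAsync` call into `assess_token` and the result will be the app-only shape: a `roles` list and no `upn`, `scp` or user `oid`. That is the concrete reason a tenant-wide grant cannot be narrowed at the token level, which is what the answer is saying.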