My organization operates a shared Azure tenant between two separate organizations.
I have a requirement to provide a third-party application (working on behalf of just one of the orgs) Delegated Group.ReadWrite.All permission to Microsoft Graph.
I am just being ultra-cautious about what this may mean in terms of the tenant and both organizations, and appreciate similar questions have been posted.
So my understanding is that Group.ReadWrite.All grants the application permission to write to the O365 Group Calendar and SharePoint Group, and "delegated" means the application can only access Graph via a valid signed-in application user?
This means whatever the signed-in user cannot do, neither can the application?
This also means that if the signed-in user has no permissions to access anything on the second organization (SharePoint site; O365 calendar) then neither can the application?
It would only be bad practice (e.g. ICT accidentally adding in the wrong user, etc.) that would result in the application having more rights than it should?
This is understandably confusing given this scope's .All suffix, but your understanding is correct. It sometimes helps to use a fictitious user as an example.
Let's say we have two users, Bob and Sally:
If you provide Delegated Group.ReadWrite.All to the application:
Delegated permissions give an application the ability to operate on behalf of a User. Regardless of the scopes granted, the application will be limited to activities otherwise granted to the User.
Application permissions, on the other hand, operate only on the application's own behalf. If you were to grant Application Group.ReadWrite.All, the app would have permission to access any Group in the tenant (with some exceptions).
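The practical check behind the answer above is to look at what consent actually exists in the tenant for the third-party app: a delegated grant shows up as an oauth2PermissionGrant (tied to a signed-in user, or admin-consented for all users), while an application permission shows up as an appRoleAssignment that needs no user at all. The following PowerShell audit is an added example, not code from the question or the answer; it assumes the Microsoft Graph PowerShell SDK is installed, that the account running it can read consent grants, and that $AppId (a placeholder below) is the client ID of the third-party application.

```powershell
# Added example: list the third-party app's Microsoft Graph permissions, split into
# delegated grants (act as the signed-in user) and application role assignments
# (act as the app itself, tenant-wide). Not part of the original Q&A.
$AppId = '00000000-0000-0000-0000-000000000000'   # placeholder: the third-party app's client (app) ID

# Reading consent grants and service principals needs these delegated scopes for the auditor.
Connect-MgGraph -Scopes 'Application.Read.All', 'DelegatedPermissionGrant.Read.All' -NoWelcome

# Well-known appId of the Microsoft Graph resource service principal (identical in every tenant).
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$appSp   = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $appSp) { throw "No service principal for appId $AppId in this tenant; the app has not been consented here." }

Write-Host "== Delegated grants (oauth2PermissionGrants) for $($appSp.DisplayName) =="
# ConsentType 'AllPrincipals' means an admin consented on behalf of every user in the tenant;
# 'Principal' means a single user consented for themselves (PrincipalId identifies that user).
# Either way the app still cannot exceed what that signed-in user can do.
Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $appSp.Id |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object {
        $grant = $_
        $who = if ($grant.ConsentType -eq 'AllPrincipals') { 'all users (admin consent)' } else { "user $($grant.PrincipalId)" }
        foreach ($scope in ($grant.Scope -split ' ' | Where-Object { $_ })) {
            [pscustomobject]@{ Kind = 'Delegated'; Permission = $scope; GrantedFor = $who }
        }
    } | Format-Table -AutoSize

Write-Host "== Application permissions (appRoleAssignments) for $($appSp.DisplayName) =="
# Anything listed here runs with no signed-in user, so Group.ReadWrite.All in this list
# would reach every group in the tenant, including the second organisation's.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $appSp.Id |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object {
        $assignment = $_
        # appRoleAssignments carry only the role GUID; resolve it to its name via Graph's own appRoles.
        $role = $graphSp.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }
        [pscustomobject]@{ Kind = 'Application'; Permission = $role.Value; GrantedFor = 'the app itself (no user)' }
    } | Format-Table -AutoSize
```

For the scenario in the question, the expected result is one delegated row for Group.ReadWrite.All and an empty application-permission table; an entry in the second table is the case to escalate, because that is the form of the permission that is not bounded by any user's access.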