How to restrict Azure Entra group read permissions for a service principal to specific groups?
I need to query member details for specific Azure Entra groups (e.g., foo-A, foo-B, foo-C) using a Python script with a service principal app.
I have a working prototype in a sandbox Azure account, but the permission Group.Read.All requires admin consent, which grants the script access to all Entra groups in the Azure account. For production deployment, the system admin is concerned about this broad permission.
Is there a way to grant a more restricted permission, so the service principal can only read groups with names starting with "foo-" (e.g., foo-*), without granting access to all groups in the directory?
Note that: Microsoft Graph API permissions are tenant wide and cannot be restricted to specific users or groups.
GroupMember.Read.AllandGroup.Read.Allapplication API permissions when granted allows the application to access all groups in the tenant.GroupMember.Read.Allallows the Entra application to read memberships and basic group properties for all groups.
Hence as a workaround, as suggested by @Thomas, you can add the Microsoft Entra ID application as the owner of the group:
When you add the Microsoft Entra ID application/SP as the owner of the group, then the application can access the group without any API permissions granted to the application:
Theres no need to add any group related API permissions
I am able to access the group successfully with the Microsoft Entra ID application:
tenant_id = 'TenantID'
client_id = 'ClientID'
client_secret = 'Secret'
credential = ClientSecretCredential(tenant_id, client_id, client_secret)
token = credential.get_token("https://graph.microsoft.com/.default")
access_token = token.token
# Define the group ID you want to retrieve
group_id = 'GroupID'
url = f'https://graph.microsoft.com/v1.0/groups/{group_id}'
headers = {
'Authorization': f'Bearer {access_token}',
'Content-Type': 'application/json'
}
response = requests.get(url, headers=headers)
if response.status_code == 200:
group = response.json()
print("Group Information:")
print(f"Group Name: {group['displayName']}")
print(f"Group ID: {group['id']}")
print(f"Group Description: {group.get('description', 'No description available')}")
else:
print(f"Error: {response.status_code}")
print(response.json())
When I tried to access the group where the SP is not added as owner, got 403 error:
Reference:
Limit permissions to update a single Azure AD group via API - Microsoft Q&A by Fraczek, Rafal SW/WRO-DCDZA
- VM has reported a failure when processing extension AzureDiskEncryption
- How to pass secrets downloaded from Azure KeyVault as parameters to an Azure Function?
- Trigger / queue build policy pipeline on ADO PR with Azure CLI
- Azure AD B2C Password Reset
- Batch create mailbox folders with GRAPH API (from Graph Explorer)
- Azure Web App on Linux: "Error: Container didn't respond to HTTP pings on port: 8080" - when using: "start": "pm2 start server.js"
- How can I apply name=value tags to service principals in Azure?
- Visual Studio Code: Could not find $web blob container for storage account
- Error when registering data factory integration runtime on windows VM
- Retrieve list of repositories and their tag versions in one call
- Getting Error while running Azure DevOps Pipeline "Error: building account: could not acquire access token to parse claims: clientCredentialsToken
- Create Resource Group with Azure Management C# API
- Azure LDAP Authentication Connection Refused On Cloud Server or Other Desktops
- Create a gpu nodepool on azure with a student account
- How to set redirect URLs to b2clogin.com for Azure Active Directory B2C in React JS application
- Cannot connect to SQL Server from logic app
- How to Resolve Errors When Running Python Jobs in Azure App Service WebJobs
- How do I open Kudu console in Azure functions consumption plan?
- Azure AutoML Image Classification Job
- Onedrive GRAPH API - 403 when getting user's OneDrive
- Azure Government Get incidents returns 401 Forbidden
- Delta Table Partitioning - why only for tables bigger than 1 TB
- How to check if an Azure storage queue has messages
- Azure WAF exclusion, what's the difference between RequestArgNames and RequestArgValues?
- How to order results of a query by the results of an aggregate function in ComosDb?
- Azure routing between different subscriptions - force one, common outbound IP and share Site-to-site (IPSec) defined in Virtual network gateway
- Bot Framework Python SDK ErrorResponseException: Operation returned an invalid status code 'Unauthorized'
- Azure DevOps - Create a work item from incoming email
- Error: "OrganizationFromTenantGuidNotFound" (even with Microsoft 365 subscription)
- How do I fix SerializationNotSupportedParentType and ThrowNotSupportedException_ConstructorContainsNullParameterNames exception in System.Text.Json?