Restricting App Access to Specific Data Types (Graph API)
By default, a Microsoft Entra App Registration granted broad permissions can access multiple data types across the tenant. To adhere to the principle of least privilege, you can restrict the application so it only accesses specific types of data – for example, synchronizing only calendars while explicitly blocking access to contacts and tasks.
You can achieve this simply by removing the unnecessary API permissions from your App Registration.
Prerequisite
Before applying these advanced restrictions, ensure you have already registered your application and configured the base Microsoft Graph API permissions.
To review the base setup process, refer to the Configuring Microsoft 365 (Graph API) article.
Step 1. Navigate to API Permissions
Open a browser and log in to the Microsoft Azure Portal.
Navigate to Entra ID > App registrations.
Select your registered application for the Nextcloud Exchange Connector.
In the left-hand sidebar, click on API permissions.
Step 2. Map Permissions to Your Sync Mode
Review the list of configured permissions. The permissions you keep in Microsoft Entra must align exactly with the Service__SyncMode parameter in your connector's .env file.
If you remove an API permission here but leave the corresponding sync mode enabled in your .env file, the application will receive 403 Forbidden errors whenever it attempts to access that data.
Use the table below to determine which permissions to keep or remove based on your desired synchronization scope:
| Graph API Permission | Affected Data Type | Required .env Configuration (Service__SyncMode) | Description |
|---|---|---|---|
| | Identity | Mandatory for all modes | Must always be kept. The application requires this to read user profiles and resolve identities across platforms. |
| Calendars.ReadWrite | Calendars | Requires 1 | Keep this if you want to sync calendar events. If removed, you must ensure the Calendars sync mode (1) is not set in your .env. |
| Contacts.ReadWrite | Contacts | Requires 2 | Keep this if you want to sync address books and contacts. If removed, you must ensure the Contacts sync mode (2) is not set in your .env. |
| Tasks.ReadWrite.All | Tasks | Requires the Tasks sync mode | Keep this if you want to sync tasks. If removed, you must ensure the Tasks sync mode is not set in your .env. |
Example: If you strictly want to synchronize Calendars (and block Contacts and Tasks), remove the Contacts.ReadWrite and Tasks.ReadWrite.All permissions and ensure your .env file is set to Service__SyncMode=1. To sync Calendars and Contacts, ensure both permissions are present and your .env is set to Service__SyncMode=3 (1 + 2).
Warning: Undocumented Graph API Behavior for Tasks
Currently, the official Microsoft Graph documentation states that Tasks.ReadWrite.All with app-only authentication officially supports only reading tasks. While writing (creating/updating/deleting) tasks may currently work in practice, this relies on undocumented behavior that Microsoft could alter or break in a future update without warning.
To delete a permission, click the context menu (three dots) next to the unnecessary permission and select Remove permission.
Step 3. Grant Admin Consent
Warning: Re-apply Consent
Whenever you modify permissions in Microsoft Entra, you must re-grant admin consent so the changes take effect at the organizational level.
Click the Grant admin consent for [Your Organization] button.
Accept the prompt to finalize your new, restricted security scope.
Expected Result
Once the changes propagate, the Microsoft Graph API enforces these boundaries automatically. If the app only holds the Calendars.ReadWrite permission, any synchronization request aimed at a user's contacts or tasks is rejected by Microsoft with a 403 Forbidden error.
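To catch the mismatch described above before the connector runs into a 403, here is an added example (not code from the Nextcloud Exchange Connector project) that parses the .env file and compares Service__SyncMode against the permissions you left granted. It uses only the bit values this article states (Calendars = 1, Contacts = 2); the Tasks bit is not given here and is deliberately left out of the table, and the granted-permission list is a constructed sample that in practice you would copy from the API permissions page.

```python
# Sync-mode bit values given in this article: Calendars = 1, Contacts = 2
# (3 = 1 + 2 enables both). Each bit maps to the Graph permission it depends
# on. The Tasks bit value is not stated in the article, so it is not listed;
# extend this table from the connector documentation if you sync tasks.
SYNC_MODE_BITS = {
    1: ("Calendars", "Calendars.ReadWrite"),
    2: ("Contacts", "Contacts.ReadWrite"),
}


def parse_env(text):
    """Parse KEY=VALUE lines of a .env file; blank lines and # comments are skipped."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def check_alignment(env, granted, bits=SYNC_MODE_BITS):
    """Compare Service__SyncMode with the granted Graph permissions.

    Returns a list of (data_type, problem) tuples. An enabled sync mode whose
    permission is missing fails with 403 Forbidden at runtime; a granted
    permission whose sync mode is disabled is excess privilege to remove.
    Permissions not in the bit table (e.g. the identity permission) are ignored.
    """
    raw_mode = env.get("Service__SyncMode", "0")
    if not raw_mode.isdigit():
        raise ValueError(f"Service__SyncMode must be an integer, got {raw_mode!r}")
    mode = int(raw_mode)
    granted = set(granted)
    findings = []
    for bit, (data_type, permission) in sorted(bits.items()):
        enabled = bool(mode & bit)
        if enabled and permission not in granted:
            findings.append((data_type, f"bit {bit} enabled but {permission} not granted -> 403 Forbidden"))
        elif not enabled and permission in granted:
            findings.append((data_type, f"{permission} granted but bit {bit} disabled -> remove it"))
    return findings


# Constructed sample: Contacts.ReadWrite was left granted although only
# calendars should be synchronized (Service__SyncMode=1).
SAMPLE_ENV = "# connector settings\nService__SyncMode=1\n"
SAMPLE_GRANTED = ["Calendars.ReadWrite", "Contacts.ReadWrite"]

if __name__ == "__main__":
    for data_type, problem in check_alignment(parse_env(SAMPLE_ENV), SAMPLE_GRANTED):
        print(f"{data_type}: {problem}")
```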
Advanced Combination (Who + What)
You can combine this data-type restriction with Exchange Online Role-Based Access Control (RBAC) for Applications to control both dimensions of access.
By using both methods together, you restrict exactly what data the application can access (e.g., Calendars only) and whose data it can access (e.g., only users in a specific mail-enabled security group). To learn how to restrict access by user, refer to our Restricting App Access using RBAC for Applications guide.