Restricting App Access to Specific Data Types (Graph API)

By default, a Microsoft Entra App Registration granted broad permissions can access multiple data types across the tenant. To adhere to the principle of least privilege, you can restrict the application so it only accesses specific types of data—for example, synchronizing only calendars while explicitly blocking access to contacts and email.

You can achieve this simply by removing the unnecessary API permissions from your App Registration.

Step 1. Navigate to API Permissions

  1. Open a browser and log in to the Microsoft Azure Portal.

  2. Navigate to Entra ID > App registrations.

  3. Select your registered application for the Nextcloud Exchange Connector.

  4. In the left-hand sidebar, click on API permissions.

Step 2. Remove Unnecessary Permissions

  1. Review the list of configured permissions.

  2. Identify the data types you do not want the connector to access (e.g., Contacts.ReadWrite or Mail.ReadWrite).

  3. Click the context menu (three dots) next to the unnecessary permission and select Remove permission.

Step 3. Retain Required Permissions

Ensure that you keep only the exact permissions required for your specific synchronization goals. For example, if your organization only wants to sync calendars, you should leave only Calendars.ReadWrite and User.Read.All active in the permissions list.

Step 4. Grant Admin Consent

Warning: Re-apply Consent

Whenever you modify permissions in Microsoft Entra, the change does not take effect for the tenant until an administrator re-grants admin consent for the application.

  1. Click the Grant admin consent for [Your Organization] button.

  2. Accept the prompt to finalize your new, restricted security scope.

Expected Result

Once the changes propagate, Microsoft Graph enforces these boundaries on every request. If the app possesses only the Calendars.ReadWrite permission, any synchronization request aimed at a user's contacts or mail is rejected by Microsoft with a 403 Forbidden response.
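A practical way to confirm that Steps 1 to 4 produced the intended scope, and to recognise the 403 described above, is to inspect the access token the connector actually receives: app-only tokens issued by Microsoft Entra list the consented application permissions in their `roles` claim. The script below is an added example, not part of the Nextcloud Exchange Connector or of this guide; the allow list, the placeholder app id and the sample tokens and error body are constructed for the demonstration, and the token is decoded without signature verification because the purpose is operator-side inspection, not a trust decision.

```python
import base64
import json

# Allow list for a calendar-only synchronisation goal (this example's assumption;
# adjust it to the permissions your own deployment keeps).
ALLOWED_ROLES = {"Calendars.ReadWrite", "User.Read.All"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.
    The signature is NOT verified here: Graph validates it on every call;
    this function only reads what the token carries."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def excess_app_permissions(token: str, allowed=ALLOWED_ROLES) -> set:
    """Application (app-only) permissions appear in the token's 'roles' claim.
    Any role not on the allow list is still granted and consented in the
    App Registration. An empty result means the scope is as tight as intended."""
    roles = set(jwt_claims(token).get("roles", []))
    return roles - set(allowed)


def explain_graph_response(status: int, body: str) -> str:
    """Translate a Graph response into the operator's question:
    was the request inside the consented permission scope?"""
    if 200 <= status < 300:
        return "allowed"
    if status == 403:
        try:
            code = json.loads(body)["error"]["code"]
        except (ValueError, KeyError, TypeError):
            code = "unknown"
        return f"rejected by permission scope (403, error code {code})"
    if status == 401:
        return "token not accepted (401): expired, wrong audience or not yet consented"
    return f"other failure ({status})"


# --- constructed sample data (not real tokens or responses) ---

def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string with an empty signature, for this demo only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Token as issued BEFORE the unnecessary permissions were removed.
TOKEN_BEFORE = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "appid": "00000000-0000-0000-0000-000000000000",  # placeholder app id
    "roles": ["Calendars.ReadWrite", "Contacts.ReadWrite",
              "Mail.ReadWrite", "User.Read.All"],
})

# Token as issued AFTER removal and re-granting admin consent.
TOKEN_AFTER = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "appid": "00000000-0000-0000-0000-000000000000",  # placeholder app id
    "roles": ["Calendars.ReadWrite", "User.Read.All"],
})

# Constructed body in the shape Graph uses for permission denials.
DENIED_BODY = json.dumps({"error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
}})

if __name__ == "__main__":
    print("before:", sorted(excess_app_permissions(TOKEN_BEFORE)))
    print("after: ", sorted(excess_app_permissions(TOKEN_AFTER)))
    print(explain_graph_response(403, DENIED_BODY))
```

Run the check against a token obtained after re-granting admin consent; a token issued before the change keeps its old `roles` until it expires, so a non-empty result right after Step 4 usually means the connector is still using a cached token rather than that the removal failed.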

Advanced Combination (Who + What)

You can combine this data-type restriction with an ApplicationAccessPolicy to narrow both the data the application can reach and the users it can reach it for.

By using both methods simultaneously, you can restrict exactly what data the application can access (e.g., Calendars only) and whose data it can access (e.g., only users in a specific Mail-Enabled Security Group). To learn how to restrict access by users, refer to our Restricting App Access to Specific Users guide.

