Precondition: The O365 application must already be created as described in Azure and O365 Applications.


Large enterprise customers using O365 often restrict user consent to applications and instead enforce tenant consent to applications on behalf of their users.

The use case below describes an alternative method to restrict an Application's access to specific O365 users or groups, using User- and Group-based permissions.


To make changes to the configured Users and Groups you must follow the process explained below. It is highly recommended to do this outside of working hours, as setting "Public Client" to "No" in the steps below will disable the Luware integration with O365 until it is changed back to "Yes".

Tip: Modifying users and groups using PowerShell instead does not require the "Public Client" changes. More details can be found here: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/assign-user-or-group-access-portal

Temporarily Disable Authentication

  1. Login to the Azure Portal as the Enterprise Application Owner.
  2. Navigate to "App Registrations".
  3. Search for the Azure application name configured in the preconditions and click to open its configuration.
  4. Navigate to "Authentication".
  5. Configure the Authentication settings:
    1. Public Client: No

  6. Click "Save"

    Public Client set to No

Adjust Application Properties

  1. Navigate to "Enterprise Applications"
  2. Search for the Application name configured in the preconditions (our example is called "Graph Permissions - CI Test").
  3. Navigate to "Properties"
  4. Configure the Application Properties:
    1. Enabled for Users to sign-in: Yes
    2. User Assignment Required: Yes
    3. Visible to Users: No
  5. Click "Save"

    Enterprise Application Properties

User and Group Permissions

  1. Navigate to Users and Groups
    1. Click "Add User"
    2. Click "Users"
    3. Search for the User/s or Group/s that will be accessed by the Application as mailboxes or calendars.
    4. Select the required user/s or group/s.
    5. Click "Select"

      Users and Groups

Re-Enable Authentication

  1. Navigate to "App Registrations"
  2. Search for the Application name configured in the preconditions (our example is called "Graph Permissions - CI Test").
  3. Navigate to "Authentication"
  4. Configure the Authentication settings:
    1. Public Client: Yes

  5. Click "Save"

    Public Client set to Yes
  6. Done! Now only the users and groups configured will be accessible by the Luware Application.
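
The PowerShell route mentioned in the tip above, as an added example (not Luware's or Microsoft's own script): it enforces "User Assignment Required", assigns the intended users and groups, then lists any assignment that falls outside that list. It assumes the Microsoft Graph PowerShell SDK is installed and that the application defines no app roles of its own, so the default role ID (all zeros) is used; the UPN and group name are constructed placeholders.

```powershell
# Added example. Requires: Install-Module Microsoft.Graph
$AppName       = 'Graph Permissions - CI Test'        # example name used on this page
$AllowedUsers  = @('shared.mailbox@contoso.example')  # constructed placeholder UPN
$AllowedGroups = @('Luware Mailboxes')                # constructed placeholder group name
$DefaultRoleId = [Guid]::Empty                        # assumption: app defines no app roles

Connect-MgGraph -Scopes 'Application.ReadWrite.All','AppRoleAssignment.ReadWrite.All',
                        'User.Read.All','Group.Read.All'

# Resolve the enterprise application (service principal); refuse ambiguous matches.
$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$AppName'")
if ($sp.Count -ne 1) { throw "Expected exactly one service principal named '$AppName', found $($sp.Count)" }
$sp = $sp[0]

# Equivalent of "User Assignment Required: Yes" in the portal.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true

# Resolve the intended principals to object IDs; fail loudly on a name that does not resolve.
$allowedIds = @()
foreach ($upn in $AllowedUsers)   { $allowedIds += (Get-MgUser -UserId $upn -ErrorAction Stop).Id }
foreach ($name in $AllowedGroups) {
    $g = @(Get-MgGroup -Filter "displayName eq '$name'")
    if ($g.Count -ne 1) { throw "Group '$name' did not resolve to exactly one object" }
    $allowedIds += $g[0].Id
}

# Assign only what is missing, so the script can be re-run safely.
$existing = @(Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All)
foreach ($id in $allowedIds) {
    if ($existing.PrincipalId -notcontains $id) {
        New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
            -PrincipalId $id -ResourceId $sp.Id -AppRoleId $DefaultRoleId | Out-Null
    }
}

# Audit: any principal assigned to the application that is not on the intended list.
$unexpected = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
    Where-Object { $allowedIds -notcontains $_.PrincipalId }
$unexpected | Select-Object PrincipalDisplayName, PrincipalType, PrincipalId | Format-Table
if (-not $unexpected) { Write-Output 'No assignments outside the intended list.' }
```

The audit step only reports; review each unexpected entry before removing it, since it may be a deliberate assignment made in the portal.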