How to grant permission for a group of users inste

Published 2019-07-14 06:54

Question:

Background

I am trying to develop a multi-tenant SaaS application. I am trying the Admin Consent model of authorization. However, I am not able to figure out scoped destination, i.e., how to limit ourselves to a specific group of users in an enterprise rather than all users.

I believe that not all enterprises might want us to handle all users in the beginning.

Description

I am using a client_credentials grant for authentication.

The app is meant to read a user's drive data.

The set of permissions that I am asking for is:

  • Files.Read.All
  • Users.Read.All
  • Sites.Read.All

When I ask a global admin to grant the required permissions, i.e., by redirecting to https://login.microsoftonline.com/common/adminconsent?client_id=[my_client_id]&state=12345&redirect_uri=[my_redirect_uri]

As soon as the admin consents to the permission, it is for all the users under that tenant. This is a highly unacceptable situation for an enterprise O365 admin, where he/she exposes all users' and drive files' details.

Is there a way where admin consents on behalf of a particular set/group of users?

Note: only admins are allowed to consent. I have got suggestions to use security groups or to create a service account. Please give some pointers if they are applicable to my use case.

Answer 1:

This isn't possible; it also isn't working the way you think it is.

To clarify, the Admin Consent process isn't consenting on behalf of "all users", it is consenting to your application accessing the tenant. When using Client Credentials, there is no User in context. When an Admin consents to your application, they are granting tenant wide (i.e. admin-level) access to the areas specified in your scopes (in this case, the ability to read any user, view any OneDrive, and read any SharePoint site).

If you want to limit access, you need to use an OAuth Grant like Authorization Code that takes a specific user's credentials. This would ensure your application only has access to the content the user has access to.
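As an added example (not code from the question or the answer), the following Python module puts the two flows side by side: the tenant-wide admin consent request from the question, and the per-user authorization-code request the answer recommends, together with a callback parser that checks the `state` value before trusting either response. The client id, redirect URI and secret are constructed placeholders; the delegated scope list is an assumption about what a per-user version of the app would request.

```python
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed placeholders, not real identifiers.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://example.invalid/oauth/callback"

# Application (app-only) permissions from the question: admin consent grants these tenant-wide.
APP_PERMISSIONS = ["Files.Read.All", "User.Read.All", "Sites.Read.All"]
# Assumed delegated scopes for the authorization-code flow: limited to what the signed-in user can see.
DELEGATED_SCOPES = ["User.Read", "Files.Read", "Sites.Read.All", "offline_access"]

def new_state():
    """Unpredictable per-request state value, stored server-side and checked on callback."""
    return secrets.token_urlsafe(16)

def admin_consent_url(client_id, redirect_uri, state):
    """Tenant-wide consent URL (the flow from the question). No user is in context."""
    params = {"client_id": client_id, "state": state, "redirect_uri": redirect_uri}
    return "https://login.microsoftonline.com/common/adminconsent?" + urlencode(params)

def authorization_code_url(client_id, redirect_uri, state, scopes=DELEGATED_SCOPES):
    """Per-user authorization-code URL (the flow the answer recommends)."""
    params = {"client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri,
              "response_mode": "query", "scope": " ".join(scopes), "state": state}
    return "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?" + urlencode(params)

def client_credentials_body(client_id, client_secret):
    """Token request body for app-only access: .default scope, no user credentials involved."""
    return {"client_id": client_id, "client_secret": client_secret,
            "scope": "https://graph.microsoft.com/.default", "grant_type": "client_credentials"}

def parse_callback(query_string, expected_state):
    """Validate the redirect back from either flow; a state mismatch is rejected (CSRF guard)."""
    q = {k: v[0] for k, v in parse_qs(query_string).items()}
    if q.get("state") != expected_state:
        raise ValueError("state mismatch")
    if q.get("admin_consent") == "True":
        # Admin consent redirects back with the consenting tenant id and admin_consent=True.
        return {"kind": "admin_consent", "tenant": q.get("tenant")}
    if "code" in q:
        # Authorization code to be exchanged for a delegated (user-scoped) token.
        return {"kind": "user_code", "code": q["code"]}
    raise ValueError(q.get("error_description", "unexpected callback"))
```

The `admin_consent` callback carries no user at all, which is exactly why the resulting access cannot be narrowed to a group: the grant is to the application for the whole tenant.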