How to restrict application permission to one account only

Jack Grub 21 Reputation points
2022-05-06T08:43:06.533+00:00

Hi,

I created an App registration at https://portal.azure.com/, then added certificate client credentials.

Added API permissions:

199459-image.png

I'm able to get all user profiles and drives via Python application using Graph URI:

https://graph.microsoft.com/v1.0/users/
https://graph.microsoft.com/v1.0/user/<user_id>/drives/

But I need to restrict access to onedrive - get files of the specific user only.

Please help
Thanks in advance.


Accepted answer
  1. CarlZhao-MSFT 37,216 Reputation points
    2022-05-09T08:10:35.397+00:00

    Hi @Jack Grub

    Have you created read or write permissions correctly? You should create read or write permissions and then grant your application the Sites.Selected application permission, then your application can access the selected site collections.

    200030-image.png


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


4 additional answers

  1. CarlZhao-MSFT 37,216 Reputation points
    2022-05-06T09:53:02.043+00:00

    Hi @Jack Grub

    Of course, you can restrict which site collections (drives) your application can access, refer to: https://devblogs.microsoft.com/microsoft365dev/controlling-app-access-on-specific-sharepoint-site-collections/.




  2. Jack Grub 21 Reputation points
    2022-05-06T14:56:14.12+00:00

    Added API permission:

    199743-image.png

    Get all sites:

    https://graph.microsoft.com/v1.0/sites/

    Post permission for site:

    https://graph.microsoft.com/v1.0/sites/<site_id>/permissions

    data = {
        "roles": ["write"],
        "grantedToIdentities": [{
            "application": {
                "id": "<app_id>",
                "displayName": "test"
            }
        }]
    }

    Get permission of site:

    https://graph.microsoft.com/v1.0/sites/<site_id>/permissions

    • empty response

    Any idea?

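A Python version of the flow the accepted answer describes and the post above attempts (grant a Sites.Selected app access to one site, then read the site's permissions back), added here as an example and not code from the thread. It builds the same request body the post shows, POSTs it, then GETs /sites/{site-id}/permissions and treats the empty listing the post reports as a failure instead of silently moving on. The site ID, app ID and token are placeholders, FakeGraph is a constructed in-memory stand-in for the two endpoints so the script runs offline, and ALLOWED_ROLES is limited to the read/write roles the thread mentions (an assumption). One caveat a practitioner needs: the token used to POST the grant must carry Sites.FullControl.All, because an app holding only Sites.Selected cannot grant itself access to a site.

```python
"""Grant one SharePoint site to a Sites.Selected app and verify the grant.

Added example for this thread, not code from the original posts. Every
identifier below (site_id, app_id, token) is a placeholder, and FakeGraph is
a constructed stand-in for the two Graph endpoints so the script runs offline.
"""
import json
import urllib.request
from typing import Dict, Iterable, List, Optional

GRAPH = "https://graph.microsoft.com/v1.0"
# Roles the thread discusses for a site grant (assumption: only these two).
ALLOWED_ROLES = {"read", "write"}


def build_site_permission(app_id: str, display_name: str, roles: Iterable[str]) -> Dict:
    """Body for POST /sites/{site-id}/permissions that names the app as grantee."""
    roles = sorted(set(roles))
    unsupported = set(roles) - ALLOWED_ROLES
    if unsupported:
        raise ValueError(f"unsupported roles for a site grant: {sorted(unsupported)}")
    return {
        "roles": roles,
        "grantedToIdentities": [
            {"application": {"id": app_id, "displayName": display_name}}
        ],
    }


def urllib_send(method: str, url: str, token: str, body: Optional[Dict] = None) -> Dict:
    """Minimal real transport: one JSON request carrying a bearer token."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def find_app_grant(listing: Dict, app_id: str) -> Optional[Dict]:
    """Return the permission entry granted to app_id, if the site lists one."""
    for perm in listing.get("value", []):
        for identity in perm.get("grantedToIdentities", []):
            if identity.get("application", {}).get("id") == app_id:
                return perm
    return None


def grant_and_verify(site_id: str, app_id: str, display_name: str,
                     roles: Iterable[str], token: str, send=urllib_send) -> Dict:
    """POST the grant, then re-read the site's permissions.

    The token must carry Sites.FullControl.All; a Sites.Selected app cannot
    grant itself access. An empty listing after the POST (the symptom in the
    thread) is reported as an error rather than returned as success.
    """
    roles = list(roles)
    body = build_site_permission(app_id, display_name, roles)
    send("POST", f"{GRAPH}/sites/{site_id}/permissions", token, body)
    listing = send("GET", f"{GRAPH}/sites/{site_id}/permissions", token)
    perm = find_app_grant(listing, app_id)
    if perm is None:
        raise RuntimeError(f"site {site_id} lists no permission for app {app_id} after the grant")
    missing = set(roles) - set(perm.get("roles", []))
    if missing:
        raise RuntimeError(f"grant for app {app_id} lacks roles {sorted(missing)}")
    return perm


class FakeGraph:
    """Constructed in-memory stand-in for the two endpoints above (not Graph).

    Records each call and stores grants per site so GET reflects the POST;
    drop_grants=True makes GET return the empty listing the question describes.
    """
    def __init__(self, drop_grants: bool = False):
        self.perms: Dict[str, List[Dict]] = {}
        self.drop_grants = drop_grants
        self.calls: List[tuple] = []

    def __call__(self, method: str, url: str, token: str, body: Optional[Dict] = None) -> Dict:
        self.calls.append((method, url))
        site_id = url.split("/sites/", 1)[1].split("/", 1)[0]
        if method == "POST":
            perm = {"id": f"perm-{len(self.calls)}", **body}
            if not self.drop_grants:
                self.perms.setdefault(site_id, []).append(perm)
            return perm
        return {"value": self.perms.get(site_id, [])}


if __name__ == "__main__":
    # Placeholder IDs; swap send=FakeGraph() for the default urllib_send to hit Graph.
    fake = FakeGraph()
    print(grant_and_verify("contoso.sharepoint.com,site-guid,web-guid",
                           "00000000-0000-0000-0000-000000000001",
                           "test", ["write"], "placeholder-token", send=fake))
```

To run it against a real tenant, drop the `send=fake` argument and pass an app-only token acquired for an app that holds Sites.FullControl.All; the Sites.Selected app itself then calls the site's drives with its own token, and any site not granted this way stays out of reach.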

  3. JanardhanaVedham-MSFT 3,536 Reputation points
    2022-05-06T15:18:02.547+00:00

    Hi @Jack Grub ,

    Microsoft Graph exposes application permissions for apps that call Microsoft Graph under their own identity. Application permissions are used by apps that run without a signed-in user present. Hence it is not possible to restrict Microsoft Graph application permission to one specific user account only. Please note that application permissions are full-level permissions granted to your app registered in Azure AD.

    For application permissions, the effective permissions of your app are the full level of privileges implied by the permission. For example, an app that has the Files.Read.All application permission can get the files from any user's OneDrive in the organization.

    For delegated permissions, the effective permissions of your app are the least-privileged intersection of the delegated permissions the app has been granted (by consent) and the privileges of the currently signed-in user. Your app can never have more privileges than the signed-in user. For example, an app that has only the Files.Read.All delegated permission can read all files the signed-in user has access to.

    References :

    https://learn.microsoft.com/en-us/graph/auth/auth-concepts#effective-permissions-in-delegated-vs-application-only-permission-scenarios

    Hope this helps.



  4. Jack Grub 21 Reputation points
    2022-05-06T16:51:32.657+00:00

    Is it possible to restrict access to some site's documents?

    199801-image.png

    How can I specify these selected sites?
