Folder Permissions (Without File Permissions)

Steve 4848 11 Reputation points
2022-05-07T13:26:52.843+00:00

I have an application that needs to browse a user's folder structure and then write files into that selected folder destination. Currently, I can accomplish this by requiring the "Files.ReadWrite.All" permission. However, from a least-privilege security standpoint, it would be ideal if I could request "Folders.ReadWrite.All" and "Files.Write.All". This would allow the application to browse and create folders as well as write the files to the appropriate destination without giving blanket read access to all files. Having this distinction between files and folders is very important from a security / access perspective. As far as I can tell there is no way to do this, unless perhaps it's missing from the documentation?

Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.

2 answers

  1. 2022-05-08T14:22:17.917+00:00

    Hi @Steve 4848 , Thanks for reaching out.

    AFAIK, there is no permission like "Folders.ReadWrite.All". For checking who has access to a file, you can check using DriveItem. If you want to raise a feature request for it: Feature request

    ----------

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. Hope this helps.


  2. CarlZhao-MSFT 36,736 Reputation points
    2022-05-09T06:32:16.617+00:00

    Hi @Steve 4848

    There are no folder-level permissions, only file-level permissions. I'm not sure if the Files.ReadWrite.All permission you are granting is a delegated permission or an application permission. If you are granting an application permission, then as far as I know there is currently no good way to restrict it to a specific file, but you can restrict which site collections (drives) can be accessed, as detailed here: https://devblogs.microsoft.com/microsoft365dev/controlling-app-access-on-specific-sharepoint-site-collections/.

    If you are using delegated permissions, then granting Files.ReadWrite is fine from a least privilege security standpoint. The Files.ReadWrite permission also has full access to the user's files and allows the app to read, create, update, and delete the signed-in user's files.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
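Putting the second answer's suggestion into practice: the linked blog post describes the Sites.Selected application permission, where the app gets nothing by default and an admin grants it a role on individual site collections. The script below is an added example for this thread, not code from the thread or from Microsoft's samples. It assumes an app registration that holds Sites.Selected, and uses constructed site, drive, item and app ids plus an in-memory stand-in for Graph (FakeGraph) so the whole browse / create folder / upload flow runs offline; only urllib_transport talks to the real endpoint. The caveat that matters for the original question is in grant_site_write: the "write" role still implies read on every file in that site, so this narrows which site the app can touch, not files versus folders.

```python
"""Least-privilege Graph flow for "browse folders, create a folder, write a file" into ONE
SharePoint site with an app-only token holding Sites.Selected instead of Files.ReadWrite.All.
Added example for this thread, not Microsoft sample code. Site/drive/item ids, the app id
and the FakeGraph transport are constructed so the flow runs offline."""
import json
import re
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
SIMPLE_UPLOAD_LIMIT = 4 * 1024 * 1024  # PUT .../content is for files under 4 MB; larger needs an upload session


def urllib_transport(access_token):
    """Real transport (not exercised offline): app-only token from the client-credentials flow."""
    def send(method, url, body, headers):
        req = urllib.request.Request(url, data=body, method=method,
                                     headers={"Authorization": f"Bearer {access_token}", **headers})
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    return send


class GraphClient:
    """transport(method, url, body_bytes_or_None, headers) -> (status, parsed_json)."""
    def __init__(self, transport):
        self.send = transport

    def _call(self, method, url, payload=None, raw=None, content_type=None):
        body = raw if raw is not None else (None if payload is None else json.dumps(payload).encode())
        headers = {"Content-Type": content_type or "application/json"} if body is not None else {}
        status, data = self.send(method, url, body, headers)
        if status >= 400:
            raise RuntimeError(f"{method} {url} -> HTTP {status}: {data}")
        return data

    @staticmethod
    def _item_url(drive_id, item_id):
        return f"{GRAPH}/drives/{drive_id}/root" if item_id == "root" else f"{GRAPH}/drives/{drive_id}/items/{item_id}"

    def grant_site_write(self, site_id, app_id, app_name):
        """One-time admin step (caller needs Sites.FullControl.All): let this app 'write' on ONE site.
        Caveat: 'write' still includes reading every file in that site; there is no create-only role."""
        body = {"roles": ["write"],
                "grantedToIdentities": [{"application": {"id": app_id, "displayName": app_name}}]}
        return self._call("POST", f"{GRAPH}/sites/{site_id}/permissions", payload=body)

    def list_children(self, drive_id, item_id="root"):
        """One level of the folder tree, which is all a folder picker needs."""
        return self._call("GET", self._item_url(drive_id, item_id) + "/children").get("value", [])

    def create_folder(self, drive_id, parent_id, name):
        body = {"name": name, "folder": {}, "@microsoft.graph.conflictBehavior": "fail"}
        return self._call("POST", self._item_url(drive_id, parent_id) + "/children", payload=body)

    def upload_small_file(self, drive_id, parent_id, filename, data):
        if len(data) >= SIMPLE_UPLOAD_LIMIT:
            raise ValueError("use an upload session for files of 4 MB or more")
        url = self._item_url(drive_id, parent_id) + f":/{filename}:/content"
        return self._call("PUT", url, raw=data, content_type="application/octet-stream")


class FakeGraph:
    """Constructed in-memory stand-in for the few Graph endpoints used above (not a real server)."""
    def __init__(self, site_id, drive_id):
        self.site_id, self.drive_id, self.roles, self.calls = site_id, drive_id, set(), []
        self.items = {"i1": {"id": "i1", "name": "Existing", "folder": {}, "parentId": "root"}}

    def send(self, method, url, body, headers):
        path = url[len(GRAPH):]
        self.calls.append((method, path))
        if method == "POST" and path == f"/sites/{self.site_id}/permissions":
            self.roles.update(json.loads(body)["roles"])
            return 201, {"roles": sorted(self.roles)}
        if "write" not in self.roles:  # Sites.Selected is default-deny until a site permission exists
            return 403, {"error": {"code": "accessDenied"}}
        m = re.fullmatch(rf"/drives/{re.escape(self.drive_id)}/(?:root|items/([^/:]+))(.*)", path)
        pid, tail = (m.group(1) or "root", m.group(2)) if m else (None, "")
        if method == "GET" and tail == "/children":
            return 200, {"value": [i for i in self.items.values() if i["parentId"] == pid]}
        new_id = f"i{len(self.items) + 1}"
        if method == "POST" and tail == "/children":
            new = {"id": new_id, "parentId": pid, **json.loads(body)}
            new.pop("@microsoft.graph.conflictBehavior", None)
        elif method == "PUT" and (up := re.fullmatch(r":/(.+):/content", tail)):
            new = {"id": new_id, "parentId": pid, "name": up.group(1), "file": {}, "size": len(body)}
        else:
            return 404, {"error": {"code": "itemNotFound"}}
        self.items[new_id] = new
        return 201, new


def demo():
    """Full flow against FakeGraph; returns the observable results."""
    fake = FakeGraph(site_id="contoso.sharepoint.com,site-guid,web-guid", drive_id="b!drive")  # constructed ids
    client = GraphClient(fake.send)
    try:
        client.list_children("b!drive")
        denied = False
    except RuntimeError:  # expected before the admin grant
        denied = True
    client.grant_site_write(fake.site_id, "00000000-0000-0000-0000-000000000001", "Folder Writer")
    root_before = [i["name"] for i in client.list_children("b!drive")]
    folder = client.create_folder("b!drive", "root", "Reports")
    client.upload_small_file("b!drive", folder["id"], "q1.csv", b"a,b\n1,2\n")
    in_folder = [i["name"] for i in client.list_children("b!drive", folder["id"])]
    return {"denied_before_grant": denied, "root_before": root_before, "in_folder": in_folder,
            "calls": [m for m, _ in fake.calls]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

To use it against a real tenant, pass `GraphClient(urllib_transport(token))` with an app-only token, run the grant call once from an admin context that holds Sites.FullControl.All, and then drop that permission from the admin tooling; the application itself keeps only Sites.Selected. The first call in demo() failing with 403 is the point of the design: an app with Sites.Selected can reach nothing until a site is explicitly granted.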