Least privilege required to downnload files from SharePoint online document libraries

Question

From my tests, it looks like Sites.Manage.All is required on the Azure application, to use along with GetAzureADAppOnlyAuthenticatedContext() and download files from SharePoint online.

Can you suggest why Sites.Read.All is not enough to download the files. Is there any documentation which explains these permissions in detail?

Answer 1

Hi @Vish Pothaganti ,

Per my test, Sites.Read.All is enough to download files. Could you tell me which method did you use to download files?

Are you using CSOM to download files? If so manipulate files via CSOM( File.OpenBinaryDirect) does not work with app-only.

I would suggest you use rest api and WebClient to download files. Below is my demo for you:

OfficeDevPnP.Core.AuthenticationManager authManager = new OfficeDevPnP.Core.AuthenticationManager();  

ClientContext ctx = authManager.GetAzureADAppOnlyAuthenticatedContext(siteUrl, clientId, tenant, @"C:\michael.pfx", "password");  

var accessToken = ClientContextExtensions.GetAccessToken(ctx);  
    
var downloadUrl = siteUrl + "/_api/web/getfilebyserverrelativeurl('/sites/test/doc1/Document.docx')/$value";  
 WebClient client = new WebClient();  
 client.Headers.Add("Authorization", "Bearer " + accessToken);  
client.DownloadFile(downloadUrl, "C:\\Document.docx");  

---

If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

The most restrictive permission is Sites.Selected. See Controlling app access on a specific SharePoint site collections is now available in Microsoft Graph.