My company is integrating our on-premises application with file storage features on our clients' O365 accounts. The goal is to allow our application to interact with a specific OneDrive / SharePoint Drive or Folder (upload/download files, grab metadata on file structure, sharing history, etc.).
We are trying to make it so our application only has access to that specific Drive/Folder, and nothing else. We believe any broader permissions will be a sticking point for our clients, as they will not want to grant broader permissions to a third-party application.
In my testing, the only Graph API permissions that allow me to interact with Shared Libraries are the broad Files.ReadWrite.All and Sites.ReadWrite.All. I was thinking that by using Delegated Permissions rather than Application Permissions, I could tie our application's authentication to a single user. Then our clients' IT can limit the access our dedicated O365 user has to everything on their tenant, except the specific Drive or Folder we need access to. Interacting with Shared Libraries also allows us to use a free service account, rather than requiring our clients to add an extra paid license for a dedicated user to host the files.
However, I'm not sure if it's possible to give a user the Files.ReadWrite.All and Sites.ReadWrite.All permissions, and also combine that with "Deny Rules" on everything but the target Drive/Folder. In SharePoint, it only seems possible to grant access to users that don't already have it. I can't find any way to Deny access to a user that already has broad permissions.
I understand that it's weird to give a user Files.ReadWrite.All and Sites.ReadWrite.All permissions, and then try to restrict those permissions. But the only alternative seems to be using Files.ReadWrite and hosting all the files on the dedicated user's personal OneDrive storage.
My main question is: Is there any way to interact with Shared Libraries without giving a user those extremely broad ".All" permissions?
This may be outside of the scope of the question, but I'm also wondering if it's common for companies to grant those types of broad permissions to a third-party application. My assumption is that they would be very opposed to giving a third party that type of access, but as there's not much granularity in the Graph permissions, maybe that's a concession that many companies end up making?