Graph API - Restrict OneDrive/SharePoint Access when using "Files.ReadWrite.All" and "Sites.ReadWrite.All" Permissions

Stephane Fagnan 51 Reputation points
2022-12-23T00:17:27.343+00:00

My company is integrating our on-premises application with file storage features on our clients' O365 accounts. The goal is to allow our application to interact with a specific OneDrive / SharePoint Drive or Folder (upload/download files, grab metadata on file structure, sharing history, etc.).

We are trying to make it so our application only has access to that specific Drive/Folder, and nothing else. We believe any broader permissions will be a sticking point for our clients, as they will not want to grant broader permissions to a third-party application.

In my testing, the only Graph API permissions that allow me to interact with Shared Libraries are the broad Files.ReadWrite.All and Sites.ReadWrite.All. I was thinking that by using Delegated Permissions rather than Application Permissions, I could tie our application's authentication to a single user. Then our clients' IT can limit the access our dedicated O365 user has to everything on their tenant, except the specific Drive or Folder we need access to. Interacting with Shared Libraries also allows us to use a free service account, rather than requiring our clients to add an extra paid license for a dedicated user to host the files.

However, I'm not sure if it's possible to give a user the Files.ReadWrite.All and Sites.ReadWrite.All permissions, and also combine that with "Deny Rules" on everything but the target Drive/Folder. In SharePoint, it only seems possible to grant access to users that don't already have it. I can't find any way to Deny access to a user that already has broad permissions.

I understand that it's weird to give a user Files.ReadWrite.All and Sites.ReadWrite.All permissions, and then try to restrict those permissions. But the only alternative seems to be using Files.ReadWrite and hosting all the files on the dedicated user's personal OneDrive storage.

My main question is: Is there any way to interact with Shared Libraries without giving a user those extremely broad ".All" permissions?

This may be outside of the scope of the question, but I'm also wondering if it's common for companies to grant those types of broad permissions to a third-party application. My assumption is that they would be very opposed to giving a third-party that type of access, but as there's not much granularity in the graph permissions - maybe that's a concession that many companies end up making?

Tags: Microsoft Graph, SharePoint, Microsoft Entra ID

Accepted answer
  1. CarlZhao-MSFT 38,436 Reputation points
    2022-12-23T03:23:33.58+00:00

    Hi @Stephane Fagnan

    In the application context, you can use the Sites.Selected application permission to restrict access to specific site collections. See: https://devblogs.microsoft.com/microsoft365dev/controlling-app-access-on-specific-sharepoint-site-collections/

    In the user context, you can of course use delegated permissions to restrict access to only specific users, but you cannot restrict that access to only specific folders.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    1 person found this answer helpful.

2 additional answers

Sort by: Most helpful
  1. HarmeetSingh7172 4,811 Reputation points
    2022-12-23T03:27:07.493+00:00

    Hello @Stephane Fagnan

    Thanks for reaching out!

    As per my investigation, you cannot restrict your app to access specific files only, but you can restrict which Site collections (drives) can be accessed as detailed here:
    https://devblogs.microsoft.com/microsoft365dev/controlling-app-access-on-specific-sharepoint-site-collections/

    Using the granular permissions, you can restrict access to specific known site collections rather than all site collections. Choosing Sites.Selected permission for your application instead of one of the other permissions will, by default, result in your application not having access to any SharePoint site collections.

    References:
    https://devblogs.microsoft.com/microsoft365dev/controlling-app-access-on-specific-sharepoint-site-collections/
    https://devblogs.microsoft.com/microsoft365dev/updates-on-controlling-app-specific-access-on-specific-sharepoint-sites-sites-selected/

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote. If you have any further questions about this answer, please click Comment.

    2 people found this answer helpful.

  2. RaytheonXie_MSFT 32,476 Reputation points Microsoft Vendor
    2022-12-23T05:40:40.093+00:00

    Hi @Stephane Fagnan
    Microsoft has released Sites.Selected permissions for both Microsoft Graph & SharePoint which can be given to an Azure AD App (App Registration). When created, an app with Sites.Selected permissions by default does not have access to any SharePoint sites and has to be explicitly added using Microsoft Graph or PnP PowerShell (Grant-PnPAzureADAppSitePermission) to the site(s) to be administered. Using Sites.Selected along with the Sites permissions endpoint in Microsoft Graph allows you to set the specific site collections and access level you want to grant to individual applications. You can refer to the following article for details
    https://devblogs.microsoft.com/microsoft365dev/updates-on-controlling-app-specific-access-on-specific-sharepoint-sites-sites-selected/


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".


    1 person found this answer helpful.
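The three answers above point at the same mechanism: give the app registration the Sites.Selected application permission (admin consented, which on its own grants access to no site), then have the tenant admin grant the app a role on exactly one site through the Graph site permissions endpoint. The example below is an added illustration, not code from the thread or from Microsoft: it builds the documented request body for `POST /sites/{site-id}/permissions`, performs the call with an admin token (the caller needs Sites.FullControl.All, which is why the grant is done by the client's admin and not by the third-party app itself), and then audits `GET /sites/{site-id}/permissions` responses to confirm the app holds roles only on the intended site. The site ids, app id, token and the permission listings are constructed placeholders.

```python
"""Grant and audit Sites.Selected access for one app on one SharePoint site via Microsoft Graph.

Added example (not from the thread). Site ids, app id, token and sample responses are placeholders.
"""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Role values accepted by the site permissions endpoint for an application grant.
# The original Sites.Selected release documented read and write; manage and fullcontrol were added later.
ALLOWED_ROLES = {"read", "write", "manage", "fullcontrol"}


def build_site_permission_grant(app_id: str, display_name: str, roles) -> dict:
    """Body for POST /sites/{site-id}/permissions granting an *application* (not a user) a role on one site.

    The grant is keyed on the app registration's application (client) id, so it survives
    credential rotation and does not require a licensed service-account user.
    """
    roles = list(roles)
    unsupported = set(roles) - ALLOWED_ROLES
    if unsupported:
        raise ValueError(f"unsupported roles: {sorted(unsupported)}")
    return {
        "roles": roles,
        "grantedToIdentities": [
            {"application": {"id": app_id, "displayName": display_name}}
        ],
    }


def grant_site_permission(admin_token: str, site_id: str, body: dict) -> dict:
    """Perform the grant. Network call, run by the tenant admin with Sites.FullControl.All; not exercised offline."""
    req = urllib.request.Request(
        f"{GRAPH}/sites/{site_id}/permissions",
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {admin_token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def roles_granted_to_app(permissions_response: dict, app_id: str) -> list:
    """Collect the roles a GET /sites/{site-id}/permissions listing grants to the given app id."""
    roles = set()
    for perm in permissions_response.get("value", []):
        for identity in perm.get("grantedToIdentities", []):
            app = identity.get("application") or {}
            if app.get("id") == app_id:
                roles.update(perm.get("roles", []))
    return sorted(roles)


def sites_over_granted(site_listings: dict, app_id: str, allowed_sites: set) -> list:
    """Given {site_id: permissions listing} for the sites an admin wants to audit, return the sites
    where the app holds any role but is not supposed to. Empty list means the grant is scoped as intended."""
    return sorted(
        site for site, listing in site_listings.items()
        if roles_granted_to_app(listing, app_id) and site not in allowed_sites
    )


# Constructed sample data: one app, two sites. Real listings come from GET /sites/{site-id}/permissions.
APP_ID = "00000000-0000-0000-0000-000000000001"  # placeholder application (client) id
SAMPLE_LISTINGS = {
    "contoso.sharepoint.com,1111-aaaa,2222-bbbb": {          # the intended shared library site
        "value": [
            {"id": "perm-1", "roles": ["write"],
             "grantedToIdentities": [{"application": {"id": APP_ID, "displayName": "Vendor Sync"}}]},
            {"id": "perm-2", "roles": ["read"],
             "grantedToIdentities": [{"application": {"id": "other-app", "displayName": "Other"}}]},
        ]
    },
    "contoso.sharepoint.com,3333-cccc,4444-dddd": {          # a site the app should never see
        "value": [
            {"id": "perm-3", "roles": ["read"],
             "grantedToIdentities": [{"application": {"id": APP_ID, "displayName": "Vendor Sync"}}]},
        ]
    },
}
INTENDED_SITE = "contoso.sharepoint.com,1111-aaaa,2222-bbbb"

if __name__ == "__main__":
    print(json.dumps(build_site_permission_grant(APP_ID, "Vendor Sync", ["write"]), indent=2))
    print("roles on intended site:", roles_granted_to_app(SAMPLE_LISTINGS[INTENDED_SITE], APP_ID))
    print("over-granted sites:", sites_over_granted(SAMPLE_LISTINGS, APP_ID, {INTENDED_SITE}))
```

Two practical notes for the audit: the listing only shows application grants on sites you enumerate, so the admin has to walk the site collections they care about (or use the SharePoint admin tooling) to prove the negative; and, as the accepted answer says, this scopes to a site collection, not a folder, so the narrowest design is still a dedicated site or library for the integration.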