Graph API - Delegated permissions for Sites.Selected

mmeuleman 6 Reputation points
2023-01-07T11:40:16.18+00:00

I am familiar with the Sites.Selected application permissions, but I don't think it fits my usecase.

I have an app on which I want to be able to impersonate users in a tenant, using the necessary delegated permissions works great for this.
However, I would like to restrict the app access to specific sites, as some sites that a logged in user has access to might have confidential information. Is there a way to do this currently?
I would imagine that delegated Sites.Selected permissions would be the way, but from what I could find in the two blog posts (controlling-app-access-on-specific-sharepoint-site-collections and updates-on-controlling-app-specific-access-on-specific-sharepoint-sites-sites-selected), this is not (yet?) possible.

So, are there concrete plans to support this? If so, when is this planned?
And for the time being, would there be another solution to this problem? It could be my approach is just wrong, so any ideas are welcome.

Thanks!

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
570 questions
Microsoft Graph Site Lists API
Microsoft Graph Site Lists API
A Microsoft API that "supports access to SharePoint sites, lists, and drives; read-only support for site resources; read-write support for lists, listItems, and driveItems; and address resources by SharePoint ID, URL, or relative path.
262 questions
No comments
1 vote

2 answers

Sort by: Most helpful
  1. Nicolas Roche 401 Reputation points
    2023-01-07T13:39:46.957+00:00

    Hello,

    I found this, i think is answer to your questions.
    https://techwizard.cloud/2022/03/20/sharepoint-and-graph-api-app-only-permissions-for-selected-sites/

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    No comments

  2. Andy David - MVP 109.3K Reputation points Microsoft MVP
    2023-01-07T20:59:31.82+00:00

    If the logged on user already has rights to the sites, then limiting the sites they can access authenticating through the Azure App wont do any good since they can get to them anyway outside of the app.
    The Sites.Selected. permission is designed for application access , not for a delegated user.
    In this case, I would recommend you remove the permissions from any site this user should not have access to.