Clarifying the Scope of Files.ReadWrite.All Permission in Microsoft Graph API for SharePoint Access

Kiran Suryavanshi 5 Reputation points
2024-08-12T03:55:59.2+00:00

Question:

If an Azure Service Principal (SPN) has the Files.ReadWrite.All Microsoft Graph API permission, does it gain access to all files within the tenant, or only to the files to which resource owners have explicitly granted access?

Context:

In our organization, we adhere to the principle of least privilege. The Files.ReadWrite.All permission lacks a clear description of how access is granted. Does this permission merely allow access to the Graph API, with actual file access being controlled by the resource owner? Or does it grant access to all files within the tenant? The closest clarification found is in the Microsoft Graph permissions overview, which states: “Before the Microsoft identity platform can authorize your app to access data in the Microsoft cloud, the app must be granted the privileges that it needs. Similarly, before the Microsoft identity platform can authorize your app to access data through Microsoft Graph, the app must be granted the privileges that it needs.” However, this remains unclear for many of us.

Additionally, I intend to perform automation without a signed-in user by using application roles.

Objective:

To modify a file within a specific folder in SharePoint.

Questions:

  1. Does the Files.ReadWrite.All permission grant access to the resources themselves, or does it only provide the ability to access data via the Graph API, with actual access rights being granted by the resource owner?
  2. What set of permissions is required to modify a file within a specific folder in SharePoint using application roles?

2 answers

  1. Vasil Michev 115.8K Reputation points MVP
    2024-08-12T15:47:26.7066667+00:00

    The scope for application permissions is always the full tenant. This is the reason why we have the Sites.Selected scope and its (Files.SelectedOperations.Selected, Lists.SelectedOperations.Selected and ListItems.SelectedOperations.Selected) siblings. You can use those to restrict access to specific items/lists as needed, see: https://www.michev.info/blog/post/6074/granular-permissions-for-working-with-files-list-items-and-lists-added-to-the-graph-api

    If you are using delegated permissions instead, the scope is limited to what the user themselves can access.

    1 person found this answer helpful.

  2. Yakun Huang-MSFT 10,555 Reputation points Microsoft External Staff
    2024-08-12T08:19:22.2666667+00:00

    Hi @Kiran Suryavanshi

    1. The Files.ReadWrite.All permission grants access to the resource itself, and if you grant the app the application permission Files.ReadWrite.All in your tenant, the app can access all SharePoint files saved in your tenant.
    2. According to the documentation, if you need to modify folders or files in SharePoint using application roles, the minimum permission you need to grant is Files.ReadWrite.All.

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.
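Both answers turn on the same point: an application role such as Files.ReadWrite.All is tenant-wide, while Sites.Selected grants nothing until a per-site grant is made. The script below is an added example, not code from either answer or from Microsoft: it reads the `roles` claim out of a client-credentials access token, flags the tenant-wide file roles, and builds the request body for `POST /sites/{site-id}/permissions` that gives an app `write` on one site only (the documented way to use Sites.Selected). The token, app id and display name are constructed placeholders; the role lists are the ones named on this page plus the other well-known tenant-wide Files/Sites application roles.

```python
"""Audit a service principal's Microsoft Graph application roles for
tenant-wide file access and build the Sites.Selected grant that replaces them."""
import base64
import json

# Application roles whose scope is every site and drive in the tenant.
TENANT_WIDE_FILE_ROLES = {
    "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All",
    "Sites.Manage.All", "Sites.FullControl.All",
}
# Roles that grant nothing on their own until a resource-level grant is made.
SELECTED_ROLES = {
    "Sites.Selected",
    "Files.SelectedOperations.Selected",
    "Lists.SelectedOperations.Selected",
    "ListItems.SelectedOperations.Selected",
}


def roles_from_access_token(token: str) -> list:
    """Return the `roles` claim of an app-only (client credentials) access token.
    Only the payload is decoded; the token was issued to this app, so this is an
    inspection of its own claims, not a validation step."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    return list(payload.get("roles", []))


def audit_roles(roles) -> dict:
    """Sort roles into tenant-wide file roles, selected-scope roles and the rest."""
    roles = set(roles)
    return {
        "tenant_wide": sorted(roles & TENANT_WIDE_FILE_ROLES),
        "selected": sorted(roles & SELECTED_ROLES),
        "other": sorted(roles - TENANT_WIDE_FILE_ROLES - SELECTED_ROLES),
    }


def site_permission_grant(app_id: str, display_name: str, roles=("write",)) -> dict:
    """Body for POST https://graph.microsoft.com/v1.0/sites/{site-id}/permissions,
    which grants an app holding Sites.Selected access to that one site.
    Only the two basic roles are accepted here; anything else is rejected."""
    allowed = {"read", "write"}
    bad = [r for r in roles if r not in allowed]
    if bad:
        raise ValueError(f"unsupported site role(s): {bad}")
    return {
        "roles": list(roles),
        "grantedToIdentities": [
            {"application": {"id": app_id, "displayName": display_name}}
        ],
    }


def _constructed_token(roles) -> str:
    """Build a fake, unsigned JWT with the given roles (constructed sample only)."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = b64({"alg": "RS256", "typ": "JWT"})
    payload = b64({"aud": "https://graph.microsoft.com", "roles": list(roles)})
    return f"{header}.{payload}.constructed-signature"


# Constructed sample: an app that was given Files.ReadWrite.All for a single-folder job.
SAMPLE_TOKEN = _constructed_token(["Files.ReadWrite.All", "User.Read.All"])
SAMPLE_APP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder app (client) id

if __name__ == "__main__":
    report = audit_roles(roles_from_access_token(SAMPLE_TOKEN))
    print(json.dumps(report, indent=2))
    if report["tenant_wide"]:
        print("Replace with Sites.Selected and grant per site, e.g.:")
        print(json.dumps(site_permission_grant(SAMPLE_APP_ID, "Contoso Automation"), indent=2))
```

Once the grant above is created on the target site by an admin holding Sites.FullControl.All (or an equivalent admin role), the app can keep Sites.Selected only and still update a file with `PUT /sites/{site-id}/drive/items/{item-id}/content`; the audit output is what you would want a pipeline to fail on if a tenant-wide role creeps back in.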
