How to use Graph API to upload files to SharePoint

Bob Pants 261 Reputation points
2024-08-27T01:41:43.7866667+00:00

I have created an Azure application registration for Graph API access to a certain Teams site so files can be uploaded by API. I have given it the Sites.Selected permission (with admin consent) and then used Graph Explorer to set write permission on the relevant SharePoint site.

The dev is telling me he's getting a 403 access error now.

I raised a support case with MS, but the advice they are giving me doesn't seem right. They said two things:

  1. The "Sites.Selected" permission isn't supported with this API, which doesn't sound right, as I have a number of other apps being used for similar purposes with the same permission and they work OK.
  2. That the app reg needs Files.ReadWrite.All or Sites.ReadWrite.All, quoting this article: https://learn.microsoft.com/en-us/graph/api/driveitem-put-content?view=graph-rest-1.0&tabs=http

My concern is that I do not want to give this dev access to ALL SharePoint content; surely there must be a way to limit this permission to only a specific site. If so, how?

The dev is using JavaScript with the REST API, AFAIK.

Further, is there an easy way I can test this? Note: I am an admin, not a dev; I don't know how to use these APIs in this way myself. Is there any PS script I can use to test this?

Microsoft 365 and Office | SharePoint | Development
Microsoft Security | Microsoft Graph

2 answers

  1. Emily Du-MSFT 51,836 Reputation points Microsoft External Staff
    2024-08-27T09:30:34.12+00:00

    You need both Sites.Selected and Sites.ReadWrite.All to write data for a site collection.

    Sites.Selected is an endpoint through which an administrator can grant Read, Write, or Read and Write permissions to an application for a site collection.

    So, first develop the application with the Sites.Selected permission, then use the Sites.Selected endpoint to grant ReadWrite permissions to the application for the site collection.

    References:

    https://techcommunity.microsoft.com/t5/microsoft-sharepoint-blog/develop-applications-that-use-sites-selected-permissions-for-spo/ba-p/3790476

    https://devblogs.microsoft.com/microsoft365dev/sharepoint-now-supports-delegated-sites-selected-authentication/




  2. Hitesh Pachipulusu - MSFT 3,620 Reputation points Microsoft External Staff
    2024-08-27T12:31:56.4966667+00:00

    Hello Bob Pants,

    Greetings from Microsoft Support!

    You need to set up two app registrations. The first application will be granted the Sites.FullControl.All permission, while the second application will have the Sites.Selected permission.

    With the first application, you can make a POST request to "https://graph.microsoft.com/v1.0/sites/xxxxxxx/permissions" including the details of the second application in the request body. These operations can be executed in Postman or via PowerShell.

    Subsequently, you will be able to upload files to SharePoint using the second application.

    Please refer to below documentations.

    https://devblogs.microsoft.com/microsoft365dev/controlling-app-access-on-specific-sharepoint-site-collections/

    https://techcommunity.microsoft.com/t5/microsoft-sharepoint-blog/develop-applications-that-use-sites-selected-permissions-for-spo/ba-p/3790476

    Hope this helps.

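The two answers above describe the same procedure from an admin's point of view: one app registration holding Sites.FullControl.All grants a second, Sites.Selected-only app the "write" role on exactly one site, after which the second app can upload. The script below is an added example written for this thread, not code from the original posts or from Microsoft. It assumes the Microsoft.Graph PowerShell module (2.x), that both app registrations use a client secret, and that the tenant ID, app IDs, app display name, and site host/path are placeholders you replace with your own. It grants the permission, lists the site's grants so you can see the result, and then performs the upload with the dev's app so you can reproduce or rule out the 403 yourself.

```powershell
# Added example (not from the original thread). Requires: Install-Module Microsoft.Graph
# All values below are placeholders (assumptions) to be replaced with your tenant's own.

$TenantId   = '00000000-0000-0000-0000-000000000000'  # placeholder: your Entra tenant ID
$AdminAppId = '11111111-1111-1111-1111-111111111111'  # placeholder: app reg with Sites.FullControl.All (application)
$DevAppId   = '22222222-2222-2222-2222-222222222222'  # placeholder: app reg with Sites.Selected (application)
$DevAppName = 'TeamsFileUploader'                     # placeholder: display name of the dev's app reg
$SiteHost   = 'contoso.sharepoint.com'                # placeholder: SharePoint hostname
$SitePath   = '/sites/FinanceTeam'                    # placeholder: server-relative path of the Teams site

# --- Part 1: as the admin app, grant and verify -----------------------------------------
# Username = application (client) ID, password = client secret; you are prompted for the secret.
$adminCred = Get-Credential -UserName $AdminAppId -Message 'Client secret of the admin app'
Connect-MgGraph -TenantId $TenantId -ClientSecretCredential $adminCred -NoWelcome

# Resolve the site ID from hostname + path. Only the admin app can do this lookup;
# a Sites.Selected app can address a site only after it has been granted on it.
$site   = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/sites/${SiteHost}:${SitePath}"
$siteId = $site.id

# Grant the dev app the 'write' role on this one site. 'id' must be the dev app's
# application (client) ID, not its object ID. 'read' is the other commonly used role.
$grant = @{
    roles               = @('write')
    grantedToIdentities = @(
        @{ application = @{ id = $DevAppId; displayName = $DevAppName } }
    )
}
New-MgSitePermission -SiteId $siteId -BodyParameter $grant | Out-Null

# Verify: list every app grant on the site. The dev app should appear with 'write'.
$perms = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/sites/$siteId/permissions"
foreach ($p in $perms.value) {
    $apps = ($p.grantedToIdentities | ForEach-Object { $_.application.displayName }) -join ', '
    "{0,-30} roles={1}" -f $apps, ($p.roles -join ',')
}
Disconnect-MgGraph | Out-Null

# --- Part 2: as the dev's Sites.Selected app, try the upload ----------------------------
# This is the same request the JavaScript client makes. A 403 here means the grant above
# is missing or was issued to the wrong app ID; 201 Created means the site-scoped grant works.
$devCred = Get-Credential -UserName $DevAppId -Message 'Client secret of the dev app'
Connect-MgGraph -TenantId $TenantId -ClientSecretCredential $devCred -NoWelcome

# Simple upload (files under 4 MB): PUT to /sites/{site-id}/drive/root:/{path}:/content.
# Note the site is addressed by ID; Sites.Selected apps cannot use /sites/root or search.
$body = "Sites.Selected upload test at $(Get-Date -Format o)"   # constructed test content
$uri  = "https://graph.microsoft.com/v1.0/sites/$siteId/drive/root:/Sites-Selected-test.txt:/content"
$item = Invoke-MgGraphRequest -Method PUT -Uri $uri -Body $body -ContentType 'text/plain'
"Uploaded: $($item.webUrl)"

Disconnect-MgGraph | Out-Null
```

Run Part 1 once per site the dev needs; nothing in it touches other site collections, and the dev's app never holds Sites.ReadWrite.All or Files.ReadWrite.All. Keep the Sites.FullControl.All app under admin control only, since it is the one that can widen access. If Part 2 returns 403 even though the grant is listed, check that the dev is requesting a token for the same tenant and client ID shown in the grant and is addressing the site by ID as above.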

