Share via

Getting delegated Sites.Selected Microsoft Graph permission to work with BreakRoleInheritance in SharePoint

Elizabeth 0 Reputation points
2024-11-13T21:29:05.91+00:00

We need to limit application API permissions to selected SharePoint sites (delegated) and also be able to use the SecurableObject.BreakRoleInheritance method. I can limit the API permissions for the enterprise application to Microsoft Graph's Sites.Selected (delegated) permission but BreakRoleInheritance then does not function correctly as it does with delegated SharePoint permissions AllSites.FullControl or delegated Microsoft Graph permission Sites.FullControl.All).

It results in Microsoft.SharePoint.Client.ServerUnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))) and I cannot find a suitable replacement. Alternatively there is no delegated Sites.Selected API permission listed for SharePoint.

Are you able to advise what permissions we should use to restrict the application's access to selected SharePoint sites and that will also allow us to use the BreakRoleInheritance method successfully?

Microsoft 365 and Office | SharePoint | Development
Microsoft Security | Microsoft Graph

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. RaytheonXie_MSFT 40,496 Reputation points Microsoft External Staff
    2024-11-14T07:49:06.16+00:00

    Hi @Elizabeth

    You'll need to set Full Control add-in permissions at the Web scope. The site collection scope url should be http://sharepoint/content/sitecollection

    Read this article for more:

    https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs

    https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/add-in-permissions-in-sharepoint

    The xml in your case should be like following

    <AppPermissionRequests AllowAppOnlyPolicy="true">  
   <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" 
    Right="FullControl" />
</AppPermissionRequests>

    This document shows how to break role assignment

    https://learn.microsoft.com/en-us/previous-versions/office/developer/sharepoint-2010/ee535228(v=office.14)

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.