Getting delegated Sites.Selected Microsoft Graph permission to work with BreakRoleInheritance in SharePoint

Elizabeth 0 Reputation points
2024-11-13T21:29:05.91+00:00

We need to limit application API permissions to selected SharePoint sites (delegated) and also be able to use the SecurableObject.BreakRoleInheritance method. I can limit the API permissions for the enterprise application to Microsoft Graph's Sites.Selected (delegated) permission but BreakRoleInheritance then does not function correctly as it does with delegated SharePoint permissions AllSites.FullControl or delegated Microsoft Graph permission Sites.FullControl.All).

It results in Microsoft.SharePoint.Client.ServerUnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))) and I cannot find a suitable replacement. Alternatively there is no delegated Sites.Selected API permission listed for SharePoint.

Are you able to advise what permissions we should use to restrict the application's access to selected SharePoint sites and that will also allow us to use the BreakRoleInheritance method successfully?

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
12,581 questions
SharePoint Development
SharePoint Development
SharePoint: A group of Microsoft Products and technologies used for sharing and managing content, knowledge, and applications.Development: The process of researching, productizing, and refining new or existing technologies.
3,135 questions
{count} votes

1 answer

Sort by: Most helpful
  1. RaytheonXie_MSFT 36,821 Reputation points Microsoft Vendor
    2024-11-14T07:49:06.16+00:00

    Hi @Elizabeth

    You'll need to set Full Control add-in permissions at the Web scope. The site collection scope url should be http://sharepoint/content/sitecollection

    Read this article for more:

    https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs

    https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/add-in-permissions-in-sharepoint

    The xml in your case should be like following

    <AppPermissionRequests AllowAppOnlyPolicy="true">  
       <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" 
        Right="FullControl" />
    </AppPermissionRequests>
    

    This document shows how to break role assignment

    https://learn.microsoft.com/en-us/previous-versions/office/developer/sharepoint-2010/ee535228(v=office.14)


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.