Synapse Notebook code to upload data in SharePoint

Priya Jha 896 Reputation points
2025-06-27T10:10:20.65+00:00

In most of the code that I am scanning across to upload a file into SharePoint via service principal, the Sites.ReadWrite.All application permission is being provided to the app.

But that is the highest privilege that an app would get across all SharePoints, and we need to restrict it to a single SharePoint to which the app has been given access.

So can someone share with me the Synapse notebook code to upload a file into SharePoint via service principal authentication with least minimum privilege?

Azure Synapse Analytics

1 answer

  1. Venkat Reddy Navari 2,975 Reputation points Microsoft External Staff Moderator
    2025-06-27T11:38:01.5766667+00:00

    Hi @Priya Jha, you can upload to a specific SharePoint site using Microsoft Graph API and application-level permissions, while restricting access through SharePoint site-level permissions.

    Below is how you can do this from a Synapse Spark Notebook (PySpark) using a Service Principal (Client Credentials Flow) and Graph API scoped only to the target SharePoint site.

    Register an Azure AD App and Limit Scope

    • Go to Azure Portal > App Registrations, and register a new app.
    • Under API permissions, you’ll temporarily need Sites.ReadWrite.All (application-level).
    • Here’s the key: although this grants broad access by default, you can restrict the app’s effective access to just one SharePoint site by assigning site-level permissions.

    This way, the app technically has tenant-wide rights, but SharePoint will only honor them for the specific site you've configured.

    You’ll need a SharePoint Admin to create a site-specific permission grant if you don’t have access yourself. More on that here: Restrict SharePoint App Permissions

    Use Synapse Notebook to Upload File

    Here’s sample code using azure-identity and requests to authenticate and upload a file:

    import requests
    from azure.identity import ClientSecretCredential

    # App credentials (read the secret from a secret store instead of hard-coding it)
    tenant_id = "<your-tenant-id>"
    client_id = "<your-client-id>"
    client_secret = "<your-client-secret>"

    # SharePoint site info
    site_domain = "<yourtenant>.sharepoint.com"
    site_path = "/sites/<yoursite>"
    drive_name = "Documents"  # Change if using a custom library
    file_path = "/path/in/synapse/sample.csv"
    file_name = "sample.csv"

    # Auth: client credentials flow, token issued for Microsoft Graph
    credential = ClientSecretCredential(tenant_id, client_id, client_secret)
    token = credential.get_token("https://graph.microsoft.com/.default").token
    headers = {"Authorization": f"Bearer {token}"}

    # Get site ID
    site_resp = requests.get(
        f"https://graph.microsoft.com/v1.0/sites/{site_domain}:{site_path}",
        headers=headers,
        timeout=30,
    )
    site_resp.raise_for_status()  # stop here on 401/403/404 instead of a KeyError below
    site_id = site_resp.json()["id"]

    # Get drive ID of the document library named in drive_name
    drive_resp = requests.get(
        f"https://graph.microsoft.com/v1.0/sites/{site_id}/drives",
        headers=headers,
        timeout=30,
    )
    drive_resp.raise_for_status()
    drive_id = next(
        d["id"] for d in drive_resp.json()["value"] if d["name"] == drive_name
    )

    # Upload the file
    with open(file_path, "rb") as f:
        file_bytes = f.read()
    upload_resp = requests.put(
        f"https://graph.microsoft.com/v1.0/drives/{drive_id}/root:/{file_name}:/content",
        headers=headers,
        data=file_bytes,
        timeout=120,
    )
    if upload_resp.ok:
        print("File uploaded successfully!")
    else:
        print(f"Upload failed: {upload_resp.status_code} - {upload_resp.text}")

    Hope this helps. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
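
An added example, not part of the answer above or of any Microsoft sample: a pre-flight check a notebook can run on its Graph token before uploading, reporting tenant-wide SharePoint roles such as Sites.ReadWrite.All, plus the request an admin sends to create the site-specific grant. It assumes the access token is a JWT with a `roles` claim; `fake_token`, the function names and the sample values are constructed for illustration, and `Sites.Selected` is the Graph application permission that applies only to sites granted this way.

```python
import base64
import json

# Graph application permissions that reach every site in the tenant.
TENANT_WIDE = {"Sites.Read.All", "Sites.ReadWrite.All",
               "Sites.Manage.All", "Sites.FullControl.All"}
SCOPED = "Sites.Selected"  # limited to sites the app was explicitly granted


def token_roles(access_token: str) -> list[str]:
    """Return the 'roles' claim; payload is decoded for inspection only (no signature check)."""
    try:
        part = access_token.split(".")[1]
        claims = json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))
    except (IndexError, ValueError) as exc:
        raise ValueError("not a JWT access token") from exc
    return list(claims.get("roles", []))


def audit_sharepoint_scope(access_token: str) -> tuple[bool, list[str]]:
    """Return (ok, findings); ok only if no tenant-wide role and Sites.Selected is present."""
    roles = set(token_roles(access_token))
    findings = [f"tenant-wide permission present: {r}"
                for r in sorted(roles & TENANT_WIDE)]
    if SCOPED not in roles:
        findings.append(f"{SCOPED} not in token")
    return (not findings, findings)


def site_grant_request(site_id: str, app_id: str, app_name: str) -> tuple[str, dict]:
    """URL and JSON body an admin POSTs to grant the app write access to one site."""
    url = f"https://graph.microsoft.com/v1.0/sites/{site_id}/permissions"
    body = {"roles": ["write"],
            "grantedToIdentities": [
                {"application": {"id": app_id, "displayName": app_name}}]}
    return url, body


def fake_token(roles: list[str]) -> str:
    """Constructed, unsigned sample token for the demo (not a real token)."""
    def seg(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([seg({"alg": "none"}), seg({"roles": roles}), "sig"])


if __name__ == "__main__":
    for sample in (["Sites.ReadWrite.All"], ["Sites.Selected"]):
        print(sample, audit_sharepoint_scope(fake_token(sample)))
```

In the notebook, call `audit_sharepoint_scope(token)` right after `get_token(...)` and stop the run if it returns `False`.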

