Sites.Selected - accessDenied when uploading files

Krzysztof Rosół 36 Reputation points
2021-04-12T16:16:26.347+00:00

We would like to use Sites.Selected permissions instead of Files.ReadWrite.All or Sites.ReadWrite.All.
Unfortunately using only Sites.Selected ends up with accessDenied when uploading a file.

// Create a resumable upload session for the target path (Microsoft Graph SDK for .NET, v3.x API shape).
// Awaiting instead of blocking on .Result avoids sync-over-async deadlocks in ASP.NET/WinForms hosts.
var uploadSession = await graphClient
    .Drives[MyDriveId]
    .Root
    .ItemWithPath(fileName)
    .CreateUploadSession()
    .Request()
    .PostAsync();

// Push the bytes to the session in chunks; OneDriveHelper.MaxChunkSize is our own chunk-size constant.
using (var memoryStream = new MemoryStream(fileContent))
{
    var provider = new ChunkedUploadProvider(uploadSession, graphClient, memoryStream, OneDriveHelper.MaxChunkSize);
    var driveItem = await provider.UploadAsync();
    fileId = driveItem?.Id;
}

The result is:

ServiceException: Code: accessDenied,
Message: Access denied

We made sure that:

  • A token is refreshed,
  • We have tested both ChunkedUploadProvider and LargeFileUploadTask,
  • We have tested other versions of the Graph API SDK for C# .NET Framework (not .NET Core),
  • Our application has Sites.Selected permissions at application scope, consented by the ADMIN,
  • Our application is registered to have access to the target site collection with permission role "write":

    POST https://graph.microsoft.com/v1.0/sites/<SITE_COLLECTION_ID>/permissions
    {
        "roles": [
            "write"
        ],
        "grantedToIdentities": [
            {
                "application": {
                    "id": "APPLICATION_ID",
                    "displayName": "MY_APPLICATION"
                }
            }
        ]
    }


We have tested Sites.ReadWrite.All - it allows uploading files. Files.ReadWrite.All also allows uploading files.

Our goal is:

  • To find a solution that allows our application to manage files and shared links.
  • To limit access, so that if the application credentials are exposed, no resources other than those granted to our application can be accessed.

Hope that this is a simple BUG rather than a FEATURE.


3 answers

  1. Krzysztof Rosół 36 Reputation points
    2021-04-14T10:01:57.587+00:00

    Hi @MichaelHan-MSFT ,

    unfortunately this is not a satisfying solution. If you add Files.ReadWrite.All there is no need for Sites.Selected.
    Files.ReadWrite.All allows you to list sites and access all files.

    Using Files.ReadWrite.All may be a security risk, because it also allows you to find a site by its URL and access all its files.
    A perfect solution here is to use Sites.Selected to allow uploading large files.


  2. MichaelHan-MSFT 18,021 Reputation points
    2021-04-13T06:45:52.363+00:00

    Hi @Krzysztof Rosół ,

    Per my test, I could reproduce your issue on my end. With Sites.Selected permissions, when uploading large files (>4 MB) using the ChunkedUploadProvider or LargeFileUploadTask method, we would get the accessDenied error.

    However, we could upload small files successfully using a PutAsync<DriveItem> request:

        // Simple upload: PUT the file content directly under the parent item (itemID);
        // fileName is resolved relative to that item. Graph limits this path to files up to 4 MB.
        using (Stream stream = new MemoryStream(fileContent))
        {
            var item = await graphClient.Sites[siteID].Drive.Items[itemID]
                .ItemWithPath(fileName)
                .Content
                .Request()
                .PutAsync<DriveItem>(stream);
        }
    

    Seems like it's a bug for uploading large files.


    If an Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
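The two building blocks the question and this answer rely on, as one added example that is not code from the thread or from the Graph SDK: granting an app "write" on a single site via POST /sites/{site-id}/permissions, reading the grant back with GET before blaming the upload path, and then the two upload routes the answer contrasts (a single PUT to /content for files up to 4 MB, and createUploadSession plus ranged PUTs for larger ones). It calls the Graph REST endpoints directly rather than the .NET SDK. The transport is injected: a real `requests.Session()` works as-is, while the constructed `FakeGraph` below stands in for Graph offline and, modelled on the behaviour reported in the thread, answers accessDenied until the site carries a grant for the app. The 4 MB simple-upload limit and the 320 KiB chunk-size multiple come from the Graph documentation; `DRIVE_ID`, `APPLICATION_ID`, the site id and the upload URL are placeholders. Note that the example shows the mechanics of the two routes; it does not work around the upload-session accessDenied the answer reproduces.

```python
"""Sites.Selected over the Graph REST API: grant the app 'write' on one site, read the grant back,
then upload with the small-file PUT or a resumable upload session (added example, not thread code)."""
import json
from types import SimpleNamespace

GRAPH = "https://graph.microsoft.com/v1.0"
SIMPLE_UPLOAD_LIMIT = 4 * 1024 * 1024  # Graph: a single PUT to /content is for files up to 4 MB
CHUNK_UNIT = 320 * 1024                # Graph: upload-session chunks must be multiples of 320 KiB


def permission_grant_body(app_id, app_display_name, roles=("write",)):
    """Body for POST /sites/{site-id}/permissions; 'write' is the least role that permits uploads."""
    return {"roles": list(roles),
            "grantedToIdentities": [{"application": {"id": app_id, "displayName": app_display_name}}]}


def chunk_ranges(total, chunk_size):
    """Inclusive byte ranges, one per Content-Range header of the upload-session PUTs."""
    return [(s, min(s + chunk_size, total) - 1) for s in range(0, total, chunk_size)]


class GraphFiles:
    def __init__(self, http, token):
        self.http, self.token = http, token

    def _call(self, method, url, headers=None, data=None, ok=(200, 201), auth=True):
        h = {"Authorization": f"Bearer {self.token}"} if auth else {}
        h.update(headers or {})
        resp = self.http.request(method, url, headers=h, data=data)
        if resp.status_code not in ok:
            raise PermissionError(f"{method} {url} -> {resp.status_code}: {resp.text}")
        return resp.json()

    def grant_site_access(self, site_id, app_id, app_display_name):
        return self._call("POST", f"{GRAPH}/sites/{site_id}/permissions", {"Content-Type": "application/json"},
                          json.dumps(permission_grant_body(app_id, app_display_name)), ok=(201,))

    def app_roles_on_site(self, site_id, app_id):  # read the grant back: GET /sites/{site-id}/permissions
        roles = set()
        for perm in self._call("GET", f"{GRAPH}/sites/{site_id}/permissions")["value"]:
            if any(i.get("application", {}).get("id") == app_id for i in perm.get("grantedToIdentities", [])):
                roles.update(perm.get("roles", []))
        return roles

    def upload(self, drive_id, path, content, chunk_size=10 * CHUNK_UNIT):
        """<= 4 MB: one PUT to /content. Larger: createUploadSession, then ranged PUTs to the returned
        uploadUrl; that URL is pre-authenticated, so the bearer token is not sent with those PUTs."""
        item = f"{GRAPH}/drives/{drive_id}/root:/{path}:"
        if len(content) <= SIMPLE_UPLOAD_LIMIT:
            return self._call("PUT", f"{item}/content", {"Content-Type": "application/octet-stream"}, content)
        if chunk_size % CHUNK_UNIT:
            raise ValueError("chunk_size must be a multiple of 320 KiB")
        session = self._call("POST", f"{item}/createUploadSession", {"Content-Type": "application/json"},
                             json.dumps({"item": {"@microsoft.graph.conflictBehavior": "replace"}}))
        total, result = len(content), None
        for start, end in chunk_ranges(total, chunk_size):
            hdr = {"Content-Length": str(end - start + 1), "Content-Range": f"bytes {start}-{end}/{total}"}
            result = self._call("PUT", session["uploadUrl"], hdr, content[start:end + 1], ok=(200, 201, 202), auth=False)
        return result


def _resp(status_code, body):  # minimal requests.Response look-alike used by the fake
    return SimpleNamespace(status_code=status_code, text=json.dumps(body), json=lambda: body)


class FakeGraph:
    """Constructed stand-in for requests.Session, modelled on the thread: writes get 403 accessDenied until
    the site has a grant for the app; afterwards they succeed."""
    def __init__(self):
        self.grants, self.calls = [], []

    def request(self, method, url, headers=None, data=None):
        self.calls.append((method, url, dict(headers or {})))
        if url.endswith("/permissions"):
            if method == "POST":
                self.grants.append(json.loads(data))
                return _resp(201, self.grants[-1])
            return _resp(200, {"value": self.grants})
        if not self.grants:
            return _resp(403, {"error": {"code": "accessDenied", "message": "Access denied"}})
        if url.endswith("/createUploadSession"):
            return _resp(200, {"uploadUrl": "https://upload.example.invalid/session/1"})
        if url.endswith("/content"):
            return _resp(201, {"id": "item-small", "size": len(data)})
        start, end, total = map(int, headers["Content-Range"].split()[1].replace("/", "-").split("-"))
        if end + 1 < total:
            return _resp(202, {"nextExpectedRanges": [f"{end + 1}-{total - 1}"]})
        return _resp(201, {"id": "item-large", "size": total})


def demo(large_size=2 * SIMPLE_UPLOAD_LIMIT):  # whole flow offline; ids below are placeholders
    fake, site, app = FakeGraph(), "contoso.sharepoint.com,SITE-GUID,WEB-GUID", "APPLICATION_ID"
    client = GraphFiles(fake, "app-only-token")
    try:
        client.upload("DRIVE_ID", "before-grant.txt", b"x")
        denied = False
    except PermissionError as err:
        denied = "accessDenied" in str(err)
    client.grant_site_access(site, app, "MY_APPLICATION")
    small = client.upload("DRIVE_ID", "small.bin", b"s" * 1024)
    large = client.upload("DRIVE_ID", "large.bin", b"L" * large_size)
    chunk_headers = [h for _, u, h in fake.calls if u.startswith("https://upload.example.invalid")]
    return {"denied_before_grant": denied, "roles": client.app_roles_on_site(site, app),
            "small": small["id"], "large": large["id"], "chunk_puts": len(chunk_headers),
            "token_sent_to_upload_url": any("Authorization" in h for h in chunk_headers)}
```

Running `demo()` shows the order of checks a practitioner wants when Sites.Selected returns accessDenied: confirm with GET /sites/{site-id}/permissions that the app id in the token actually holds "write" on that site before suspecting the upload route. The `auth=False` on the chunk PUTs is deliberate: the uploadUrl from createUploadSession already carries its own authorisation, and the access token is only needed for the calls against graph.microsoft.com.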


  3. John Couvillon 1 Reputation point
    2021-05-06T02:06:27.803+00:00

    I am experiencing the same behavior, and can replicate it as well. When I first started testing my application with the "Sites.Selected" permissions, it showed as (Preview) in Azure App Registration where permissions are defined and granted. The "(Preview)" part is not there anymore.

    Does anyone know if the "Sites.Selected" option is still considered to be in "Preview" or has it been fully released?

    Hopefully it is a bug that can be fixed pretty quickly.