Graph API delegation issue

Giridharan Sriram 1 Reputation point
2021-06-30T08:17:52.757+00:00

We are having an issue with Graph API delegation.

At the application level, we use Graph API access that has the ability to read all site collection documents at the tenant level.
But here a user who does not have access to the site collection is able to read or retrieve the confidential documents when they use the Graph API.

Delegated level: when we try with Files.Read.All, documents are getting downloaded from the site collection even for users who do have access to the library.

Is there any alternative way to overcome this?


1 answer

  1. MichaelHan-MSFT 18,016 Reputation points
    2021-07-01T07:52:46.907+00:00

    Hi @Giridharan Sriram ,

    For application permissions, the effective permissions of your app are the full level of privileges implied by the permission. As long as the app has the permission, the call succeeds no matter whether the user has that permission or not.

    For delegated permissions, the effective permissions of your app are the intersection of the delegated permissions the app has been granted (via consent) and the privileges of the currently signed-in user. So both the user and the app need permission to the file. If either of them doesn't have permission, the user will not have access.

    For graph api delegated and application permissions, the details are in this article: https://learn.microsoft.com/en-us/graph/auth/auth-concepts#microsoft-graph-permissions.


    If an Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

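The rule in the answer above, worked through in code. This is an added example written for this page, not Microsoft code or code from the original thread. It reads the claims of a Graph access token to tell a delegated token (carries `scp`) from an app-only token (carries `roles`), both of which are real Azure AD claim names, then decides whether a document read would succeed: an app-only token with `Sites.Read.All` or `Files.Read.All` reads every site collection, while a delegated token also requires the signed-in user's own SharePoint access. The tokens, the `finance` and `hr` site names, the user `alice`, and the `sites_with_read` lookup standing in for SharePoint's ACL check are all constructed for the example; the tokens are unsigned and never verified here, which a real resource server must never skip.

```python
"""Effective-permission model for Microsoft Graph: application vs delegated.

Illustrative code for this page. Tokens below are CONSTRUCTED and unsigned;
a real Graph token is RS256-signed by Azure AD and must be validated.
"""
import base64
import json
from dataclasses import dataclass, field
from typing import Optional

READ_ALL_SITES = {"Files.Read.All", "Sites.Read.All"}  # real Graph permission names


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed compact JWT with an empty signature (test data only)."""
    return f"{_b64url({'alg': 'none', 'typ': 'JWT'})}.{_b64url(claims)}."


def token_claims(jwt: str) -> dict:
    """Return the payload claims of a compact JWT. No signature check here."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def permission_model(claims: dict) -> str:
    """Delegated tokens carry 'scp' (space-separated scopes); app-only carry 'roles'."""
    if "scp" in claims:
        return "delegated"
    if "roles" in claims:
        return "application"
    raise ValueError("token carries neither scp nor roles")


@dataclass
class Document:
    site: str   # site collection the file lives in (constructed names)
    name: str


@dataclass
class User:
    oid: str
    sites_with_read: set = field(default_factory=set)  # stand-in for the SharePoint ACL


def can_read(claims: dict, doc: Document, user: Optional[User]) -> bool:
    """Apply the effective-permission rule from the answer."""
    model = permission_model(claims)
    if model == "application":
        # Full privilege of the granted role: every site collection, no user to intersect with.
        return bool(set(claims["roles"]) & READ_ALL_SITES)
    # Delegated: intersection of the consented scopes and the user's own access.
    scopes = set(claims["scp"].split())
    app_ok = bool(scopes & READ_ALL_SITES)
    user_ok = user is not None and doc.site in user.sites_with_read
    return app_ok and user_ok


# Constructed tokens and data for the demonstration.
APP_ONLY = make_unsigned_token(
    {"aud": "https://graph.microsoft.com", "roles": ["Sites.Read.All"], "idtyp": "app"}
)
DELEGATED = make_unsigned_token(
    {"aud": "https://graph.microsoft.com", "scp": "Files.Read.All Sites.Read.All User.Read",
     "oid": "user-1", "upn": "alice@contoso.example"}
)
CONFIDENTIAL = Document(site="finance", name="budget.xlsx")
alice = User(oid="user-1", sites_with_read={"hr"})  # alice has no access to 'finance'


def demo() -> dict:
    """Three reads: app-only always succeeds; delegated follows the user's access."""
    return {
        "app_only_reads_finance": can_read(token_claims(APP_ONLY), CONFIDENTIAL, None),
        "delegated_alice_reads_finance": can_read(token_claims(DELEGATED), CONFIDENTIAL, alice),
        "delegated_alice_reads_hr": can_read(
            token_claims(DELEGATED), Document(site="hr", name="policy.docx"), alice
        ),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

The practical check this gives you: if the token your app sends to Graph has a `roles` claim and no `scp`, you are in the application model and every user of your app can reach every site collection the role covers, which matches the first symptom in the question. To make Graph enforce the user's own site permissions, the app must acquire a delegated token (`scp` present) on behalf of the signed-in user.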