OneDrive API - Restring Folder/File Access

Sri 21 Reputation points
2022-01-18T02:31:27.047+00:00

I am working on POC to upload Application/User(not AD users) documents to OneDrive. For that I have created App(App registration) and given Files/User.ReadWrite.All Permission(API Permission) and given Admin Consent. I am able to Upload/Read/Delete document(s). Since i have given User.ReadWrite.All permission, API can read any AD User onedrive account. Could you let me know how to restrict access to a particular folder and do not allow API to manage other users onedrive data.

Regards,
Sri

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
10,456 questions
SharePoint Development
SharePoint Development
SharePoint: A group of Microsoft Products and technologies used for sharing and managing content, knowledge, and applications.Development: The process of researching, productizing, and refining new or existing technologies.
2,645 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,304 questions
0 comments No comments
{count} votes

Accepted answer
  1. JanardhanaVedham-MSFT 3,536 Reputation points
    2022-01-18T14:22:58.623+00:00

    Hi @Sri ,

    Currently application permissions can be restricted to selected user's OneDrive for Business site or SharePoint Site collection level but not at individual drive or folder or file level. Since User's OneDrive for Business account is also one of the SharePoint sites, so you can levarage Create Site Permision Microsoft Graph API to set the restricted access/permissions on the required user's OneDrive site. With this approach , you can be able to reduce your application permission to "Files.Read.All""Sites.Seleted" instead of the current permissions "Files.ReadWrite.All". This way your application will have better control and restricted access on the user's OneDrive sites.

    1. Fetch SharePoint Site ID of required user's OneDrive based on URL as shown below : GET https://graph.microsoft.com/v1.0/sites/{hostname}:/{server-relative-path}

    Exampe : GET https://graph.microsoft.com/v1.0/sites/o365XXXX-my.sharepoint.com:/personal/demouser_o365XXXX_onmicrosoft_com

    166009-image.png

    2.Create Site Permisson on this Site , so that application can only be able to make changes to this user's OneDrive site only. Please note that SharePoint Administratior can be able execute the below Graph API as it needs admin privileges to executed it.

     POST https://graph.microsoft.com/v1.0/sites/{sitesId}/permissions  
    

    Example : POST https://graph.microsoft.com/v1.0/sites/o365XXX-my.sharepoint.com,62ff78bb-123d-4b0b-920e-f3caa8fe0ff2,8a0fef8b-d7e5-472a-4565-12c6764f73db/permissions

    Sample JSON Request Body :

    {  
        "roles": [  
            "write"  
        ],  
        "grantedToIdentities": [  
            {  
                "application": {  
                    "id": "a5085d68-1234-56fc-8ee9-60abe5424849",  
                    "displayName": "Test App"  
                }  
            }  
        ]  
    }  
    

    165979-image.png

    Note : Please mentioned your app id and name in the above request body and here roles can be "write" or "read".

    Sources :

    https://learn.microsoft.com/en-us/graph/api/site-post-permissions?view=graph-rest-1.0&tabs=http
    https://learn.microsoft.com/en-us/graph/api/resources/permission?view=graph-rest-1.0
    https://learn.microsoft.com/en-us/graph/api/site-get?view=graph-rest-1.0&tabs=http
    https://devblogs.microsoft.com/microsoft365dev/controlling-app-access-on-specific-sharepoint-site-collections/

    If the answer is helpful, please click "Accept Answer" and kindly upvote it ,so that it will be helpful to the other community users. If you have any further questions about this answer, please click "Comment".

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. Vasil Michev 94,206 Reputation points MVP
    2022-01-18T06:58:38.933+00:00

    Generally speaking the Graph API uses an "all or nothing" approach. That said, Microsoft is working on some methods to restrict this, such as the one outlined here: https://devblogs.microsoft.com/microsoft365dev/controlling-app-access-on-specific-sharepoint-site-collections/
    Even though the article doesn't explicitly mention OneDrive, you can use it therein (assuming you mean OneDrive for Business).

    0 comments No comments