OneDrive API - Restring Folder/File Access

Question

OneDrive API - Restring Folder/File Access

Sri 21

I am working on POC to upload Application/User(not AD users) documents to OneDrive. For that I have created App(App registration) and given Files/User.ReadWrite.All Permission(API Permission) and given Admin Consent. I am able to Upload/Read/Delete document(s). Since i have given User.ReadWrite.All permission, API can read any AD User onedrive account. Could you let me know how to restrict access to a particular folder and do not allow API to manage other users onedrive data.

Regards,
Sri

Accepted answer

1 additional answer

Your answer

Answer 1

Hi @Sri ,

Currently application permissions can be restricted to selected user's OneDrive for Business site or SharePoint Site collection level but not at individual drive or folder or file level. Since User's OneDrive for Business account is also one of the SharePoint sites, so you can levarage Create Site Permision Microsoft Graph API to set the restricted access/permissions on the required user's OneDrive site. With this approach , you can be able to reduce your application permission to "Files.Read.All""Sites.Seleted" instead of the current permissions "Files.ReadWrite.All". This way your application will have better control and restricted access on the user's OneDrive sites.

Fetch SharePoint Site ID of required user's OneDrive based on URL as shown below : GET https://graph.microsoft.com/v1.0/sites/{hostname}:/{server-relative-path}

Exampe : GET https://graph.microsoft.com/v1.0/sites/o365XXXX-my.sharepoint.com:/personal/demouser_o365XXXX_onmicrosoft_com

2.Create Site Permisson on this Site , so that application can only be able to make changes to this user's OneDrive site only. Please note that SharePoint Administratior can be able execute the below Graph API as it needs admin privileges to executed it.

 POST https://graph.microsoft.com/v1.0/sites/{sitesId}/permissions

Example : POST https://graph.microsoft.com/v1.0/sites/o365XXX-my.sharepoint.com,62ff78bb-123d-4b0b-920e-f3caa8fe0ff2,8a0fef8b-d7e5-472a-4565-12c6764f73db/permissions

Sample JSON Request Body :

{  
    "roles": [  
        "write"  
    ],  
    "grantedToIdentities": [  
        {  
            "application": {  
                "id": "a5085d68-1234-56fc-8ee9-60abe5424849",  
                "displayName": "Test App"  
            }  
        }  
    ]  
}

Note : Please mentioned your app id and name in the above request body and here roles can be "write" or "read".

Sources :

https://learn.microsoft.com/en-us/graph/api/site-post-permissions?view=graph-rest-1.0&tabs=http
https://learn.microsoft.com/en-us/graph/api/resources/permission?view=graph-rest-1.0
https://learn.microsoft.com/en-us/graph/api/site-get?view=graph-rest-1.0&tabs=http
https://devblogs.microsoft.com/microsoft365dev/controlling-app-access-on-specific-sharepoint-site-collections/

If the answer is helpful, please click "Accept Answer" and kindly upvote it ,so that it will be helpful to the other community users. If you have any further questions about this answer, please click "Comment".

JanardhanaVedham-MSFT 3,566 Reputation points

2022-01-19T17:09:39.443+00:00

Hi @Sri ,

I hope you are reviewed the above response and please let us know the update.

If the above answer is helpful, please click "Accept Answer" and kindly upvote it ,so that it will be helpful to the other community users. If you have any further questions about this answer, please click "Comment".
Sri 21 Reputation points

2022-01-20T04:15:23.123+00:00

Thank you very much. we will go through the recommendations and let you know . Do you suggest of creating service account(like AD user) and upload files to its own one drive? my requirement is to upload Application files to one-drive(Read/Update/Delete/Share), i can not my one-drive as files belongs to the application. Any help would be appreciated.
JanardhanaVedham-MSFT 3,566 Reputation points

2022-01-20T09:57:26.94+00:00

Hi @Sri ,

Thank you for your reply. Yes, you can setup a service account with a valid O365 license and then manage all your application files in that OneDrive (Or) you can also consider the option of creating a SharePoint Online Site collection to manage (Read/Update/Delete/Share) your application files.

If the above provided answer is helpful to you, please click "Accept Answer" and kindly upvote it, so that it will be useful for other community users. If you have any further questions, please click "Comment".
JanardhanaVedham-MSFT 3,566 Reputation points

2022-01-21T08:31:46.087+00:00

Hi @Sri ,

Can you please provide an update on this?.

If the above provided answer is helpful to you, please click "Accept Answer" and kindly upvote it, so that it will be useful for other community users. If you have any further questions, please click "Comment".

Answer 2

Vasil Michev 119.5K MVP Volunteer Moderator

Generally speaking the Graph API uses an "all or nothing" approach. That said, Microsoft is working on some methods to restrict this, such as the one outlined here: https://devblogs.microsoft.com/microsoft365dev/controlling-app-access-on-specific-sharepoint-site-collections/
Even though the article doesn't explicitly mention OneDrive, you can use it therein (assuming you mean OneDrive for Business).

Share via

OneDrive API - Restring Folder/File Access

1 additional answer

Your answer