![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 68%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
10,644 questions
Hi @Sri ,
Currently application permissions can be restricted to selected user's OneDrive for Business site or SharePoint Site collection level but not at individual drive or folder or file level. Since User's OneDrive for Business account is also one of the SharePoint sites, so you can levarage Create Site Permision Microsoft Graph API to set the restricted access/permissions on the required user's OneDrive site. With this approach , you can be able to reduce your application permission to "Files.Read.All""Sites.Seleted" instead of the current permissions "Files.ReadWrite.All". This way your application will have better control and restricted access on the user's OneDrive sites.
- Fetch SharePoint Site ID of required user's OneDrive based on URL as shown below : GET https://graph.microsoft.com/v1.0/sites/{hostname}:/{server-relative-path}
Exampe : GET https://graph.microsoft.com/v1.0/sites/o365XXXX-my.sharepoint.com:/personal/demouser_o365XXXX_onmicrosoft_com
2.Create Site Permisson on this Site , so that application can only be able to make changes to this user's OneDrive site only. Please note that SharePoint Administratior can be able execute the below Graph API as it needs admin privileges to executed it.
POST https://graph.microsoft.com/v1.0/sites/{sitesId}/permissions
Sample JSON Request Body :
{
"roles": [
"write"
],
"grantedToIdentities": [
{
"application": {
"id": "a5085d68-1234-56fc-8ee9-60abe5424849",
"displayName": "Test App"
}
}
]
}
Note : Please mentioned your app id and name in the above request body and here roles can be "write" or "read".
Sources :
https://learn.microsoft.com/en-us/graph/api/site-post-permissions?view=graph-rest-1.0&tabs=http
https://learn.microsoft.com/en-us/graph/api/resources/permission?view=graph-rest-1.0
https://learn.microsoft.com/en-us/graph/api/site-get?view=graph-rest-1.0&tabs=http
https://devblogs.microsoft.com/microsoft365dev/controlling-app-access-on-specific-sharepoint-site-collections/
If the answer is helpful, please click "Accept Answer" and kindly upvote it ,so that it will be helpful to the other community users. If you have any further questions about this answer, please click "Comment".
