question

0 Votes
Steve-4848 asked CarlZhao-MSFT edited

Folder Permissions (Without File Permissions)

I have an application that needs to browse a user's folder structure and then write files into that selected folder destination. Currently, I can accomplish this by requiring the "Files.ReadWrite.All" permission. However, from a least privileges security standpoint, it would be ideal if I could request "Folders.ReadWrite.All" and "Files.Write.All". This would allow the application to browse and create folders as well as write the files to the appropriate destination without giving blanket read access to all files. Having this distinction between files and folders is very important from a security / access perspective. As far as I can tell there is no way to do this, unless perhaps it's missing from the documentation?

Tags: microsoft-graph-applications, microsoft-graph-permissions, microsoft-graph-security

0 Votes
MohammedMehtabSiddiqueMINDTREELIMI-9821 answered

Hi @Steve-4848 , Thanks for reaching out.

AFAIK, there is no permission like "Folders.ReadWrite.All". For checking who has access to the file, you can check using DriveItem. If you want to raise a feature request for it: Feature request

If the answer is helpful, please click "Accept Answer" and kindly upvote it. Hope this helps.




0 Votes
CarlZhao-MSFT answered CarlZhao-MSFT edited

Hi @Steve-4848

There are no folder-level permissions, only file-level permissions. I'm not sure if the Files.ReadWrite.All permission you are granting is a delegated permission or an application permission. If you are granting an application permission, then as far as I know there is currently no good way to restrict it to a specific file, but you can restrict which site collections (drives) can be accessed, as detailed here: https://devblogs.microsoft.com/microsoft365dev/controlling-app-access-on-specific-sharepoint-site-collections/.

If you are using delegated permissions, then granting Files.ReadWrite is fine from a least privilege security standpoint. The Files.ReadWrite permission also has full access to the user's files and allows the app to read, create, update, and delete the signed-in user's files.


If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

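To make the answer's two points concrete, here is an added example (mine, not code from the thread or from Microsoft) that prepares the Microsoft Graph requests a "browse folders, write files" app needs, and shows why browsing alone already exposes file names. It assumes the app holds a token obtained with the delegated Files.ReadWrite scope, that the site-permission grant body follows the Sites.Selected pattern described in the linked post (the site id, app id and app name below are placeholders), and that the sample DriveItem response is constructed, not captured. No network calls are made; each function returns the request it would send so the pieces can be inspected offline.

```python
"""Added example for the thread above; not the original poster's or Microsoft's code.
Assumptions: delegated Files.ReadWrite token already acquired; ids are placeholders;
SAMPLE_CHILDREN is a constructed DriveItem children response."""
import json
from typing import List, Optional
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"


def list_children_request(item_id: Optional[str] = None) -> dict:
    """Request that lists the children of one folder in the signed-in user's drive.
    None means the drive root. Note the response carries file entries too (names,
    types), which is exactly why a read-capable scope is needed just to browse."""
    path = "/me/drive/root/children" if item_id is None else f"/me/drive/items/{item_id}/children"
    # $select limits the metadata to what a folder picker actually needs.
    return {"method": "GET", "url": f"{GRAPH}{path}?$select=id,name,folder,file,parentReference"}


def folders_only(children_response: dict) -> List[dict]:
    """Keep only items that carry the 'folder' facet so the picker never displays
    or retains file names. Items with a 'file' facet are dropped client-side;
    the service has still returned them, so this is hygiene, not access control."""
    return [
        {"id": item["id"], "name": item["name"], "childCount": item["folder"].get("childCount", 0)}
        for item in children_response.get("value", [])
        if "folder" in item
    ]


def upload_request(folder_id: str, filename: str, content: bytes) -> dict:
    """Simple upload of a new file (small content) into the chosen folder.
    The filename must be a single path segment so a caller cannot steer the
    write to a different folder via '..' or embedded slashes."""
    if filename in ("", ".", "..") or "/" in filename or "\\" in filename:
        raise ValueError("filename must be a single path segment")
    return {
        "method": "PUT",
        "url": f"{GRAPH}/me/drive/items/{folder_id}:/{quote(filename)}:/content",
        "headers": {"Content-Type": "application/octet-stream"},
        "body": content,
    }


def site_grant_request(site_id: str, app_id: str, app_name: str, role: str = "write") -> dict:
    """For *application* permissions: the admin-side request that scopes a
    Sites.Selected app to one site collection with one role (assumed shape,
    following the post linked in the answer). Placeholders for ids."""
    if role not in ("read", "write"):
        raise ValueError("role must be 'read' or 'write'")
    body = {
        "roles": [role],
        "grantedToIdentities": [{"application": {"id": app_id, "displayName": app_name}}],
    }
    return {
        "method": "POST",
        "url": f"{GRAPH}/sites/{site_id}/permissions",
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps(body),
    }


# Constructed sample response (shape follows the DriveItem resource; values invented).
SAMPLE_CHILDREN = {
    "value": [
        {"id": "01A", "name": "Reports", "folder": {"childCount": 3}},
        {"id": "01B", "name": "budget.xlsx", "file": {"mimeType": "application/vnd.ms-excel"}},
        {"id": "01C", "name": "Archive", "folder": {"childCount": 0}},
    ]
}

if __name__ == "__main__":
    print(list_children_request()["url"])
    for folder in folders_only(SAMPLE_CHILDREN):
        print(folder)
    print(upload_request("01A", "q1.csv", b"a,b\n1,2\n")["url"])
    print(site_grant_request("SITE-ID-PLACEHOLDER", "APP-ID-PLACEHOLDER", "FolderWriter")["body"])
```

The point the code makes is the one raised in the question: the only way to browse is to list children, and that listing returns file entries alongside folders, so the app must hold a scope that can read file metadata even if it discards it immediately. For the application-permission case, the `site_grant_request` body is what an administrator sends to confine the app to one site collection; it narrows where the app can act, not what it can do within that site.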

I would argue that this is not correct from a least privilege security standpoint as it is not necessary to allow file reading (which is likely where any privileged information resides, not in folder names).

1 Vote 1 ·

Hi @Steve-4848

I agree with you! From a least privilege security point of view we should indeed manage access permissions more granularly (like the Folders.ReadWrite.All permission you mentioned). I suggest you submit user voice to add support for this feature, I will vote for you, hope this policy is put on the agenda as soon as possible.


--please don't forget to upvote and Accept as answer if the reply is helpful--

0 Votes 0 ·

Hi @Steve-4848 Would you please provide us with an update on the status of your issue?

0 Votes 0 ·

Well, it sounds like it's not possible to disambiguate read/write permissions between files and folders, but I would highly suggest this feature for security reasons and a least-privileges model.

1 Vote 1 ·