Limiting application permissions to specific users' OneDrives

Tom Magyar 1 Reputation point

I need

  • Sites.Read.All
  • Files.Read.All

privileges with admin consent for my application (running as a scheduled background service) to be able to access (read) files stored on SharePoint and OneDrive

The application works perfectly (with the latest MsGraph API), but in production running at a larger organization, we'd like to limit it's privileges scope to only access certain users' SharePoint and OneDrive storages, similarly to limiting access

  • to specific mailboxes as described here
  • or to specific SharePoint Sites as described here

How can it be configured?

Not Monitored
Not Monitored
Tag not monitored by Microsoft.
23,973 questions
No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Sheena-MSFT 1,706 Reputation points

    Hi @Tom Magyar ,

    Please refer to this related post.

    Hope this helps.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have further questions about this answer, please click "Comment".

  2. Zehui Yao_MSFT 3,431 Reputation points Microsoft Employee

    Hi @Tom Magyar Since Graph does not specify any functions that can be accessed by special users, I think the only thing that can be done is to set it on the sharepoint or onedrive side. The following are the relevant setting reference documents I found, I hope this can help you.

    Limit OneDrive access by security group:
    Block access to SharePoint for specific users:

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.