Security
Summary
SharePoint supports security for user access at the website, list, list or library folder, and item levels. Security management is role-based at all levels, providing coherent security management across the SharePoint platform with a consistent role-based user interface and object model for assigning permissions on objects. As a result, list-level, folder-level, or item-level security implements the same user model as website-level security, making it easier to manage user rights and group rights throughout a website. SharePoint also supports unique permissions on the folders and items contained within lists and document libraries.
Authorization refers to the process by which SharePoint provides security for websites, lists, folders, or items by determining which users can perform specific actions on a given object. The authorization process assumes that the user has already been authenticated, which refers to the process by which SharePoint identifies the current user. SharePoint does not implement its own system for authentication or identity management, but instead relies on external systems, whether Windows authentication or non-Windows authentication.
General information
Applies to: Office 365 | SharePoint Server
Related resources
Articles
- Authentication, authorization, and security in SharePoint
- Authorization and authentication of SharePoint Add-ins
- Three authorization systems for SharePoint Add-ins
- Add-in permissions in SharePoint
- Cross-domain images in SharePoint provider-hosted add-ins
- Set external sharing on site collections in Office 365
- Alternative model for web app policies in SharePoint Online
- Add a Security Trim snippet in SharePoint
- SharePoint Framework (SPFx) enterprise guidance
- Secure data access and client object models for SharePoint Add-ins
- Important aspects of the SharePoint Add-in architecture and development landscape
- Authorize provider-hosted add-in users at run time by using OAuth
- Build mobile apps for other platforms using SharePoint
- Moving Full Trust Code to the Cloud
- A Series of Visual Studio Solutions to Accompany the MSDN Tutorial Series about Provider-hosted Add-ins
Videos
- PnP Shorts - Implementing Web Application Policy alternatives in SharePoint Online
- PnP Webcast - Calling external APIs securely from SharePoint Framework
- PnP Webcast - Azure AD implicit flow with SPFx client-side web part with developer preview
Samples
- Dynamically request permissions for an add-in
- PnP-IdentityModel
- Azure Active Directory implicit flow authentication samples
- An ASP.NET Core implementation of the TokenHelper and SharePointContext classes for use in SharePoint Apps (AspNetCore.Authentication)
- Office 365 Python Flask App Authentication (Python.Office365.AppAuthentication)
- Access SharePoint data with the Cross Domain JavaScript Library
- Access SharePoint data with the Cross Domain JavaScript Library and the REST\OData endpoints
App-only access to SharePoint
Applies to: Office 365 | SharePoint Server
Articles
- Add-in authorization policy types in SharePoint
- Accessing SharePoint using an application context, also known as app-only
- How to provide add-in app only tenant administrative permissions in SharePoint Online
- App-only and elevated privileges in the SharePoint Add-in model
- Developing using Tenant permissions with App-Only in SharePoint Online
- Getting Started with azure WebJobs ("timer jobs") for your Office 365 Sites
Samples
Elevating privileges
Applies to: Office 365 | SharePoint Server
If your solution allows users to perform actions for which they don't have adequate individual permissions, it needs to elevate user's privileges to complete that operation. Different methods are used to elevate privileges in SharePoint Add-ins and farm solutions. Farm solutions elevate privileges by using RunWithElevatedPrivileges(SPSecurity.CodeToRunElevated), which belongs to the SharePoint server-side object model. SharePoint Add-ins use either the app-only policy or service accounts.
Articles
- Elevated privileges in SharePoint Add-ins
- Add-in authorization policy types in SharePoint
- App-only and elevated privileges in the SharePoint Add-in model
Azure AD Authentication/Authorization
Applies to: Office 365
When using SharePoint Online you can define applications in Azure AD and these applications can be granted permissions to SharePoint, but also to all the other services in Office 365. This model is the preferred model in case you’re using SharePoint Online, if you’re using SharePoint on-premises you have to use the SharePoint Only model via based Azure ACS.
Articles
Videos
Samples
- PowerShell to enable low trust authentication model at on-premises
- SharePoint Web Hooks Azure AD reference implementation
Authorization considerations for tenants hosted in Germany, China or US
Applies to: Office 365
When your Office 365 tenant is hosted in an specific environment like the Germany, China or US Government environments there are some additional considerations that you have to take into account.
Articles
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for