Permissions for OneDrive API
OneDrive and SharePoint expose a few granular permissions that control the access that apps have to resources. When a user signs in to your app they, or, in some cases, an administrator, are required to consent to these permissions. If consent is given, your app is given access to the resources and APIs that it has requested. For apps that don't take a signed-in user, permissions can be pre-consented to by an administrator when the app is installed or during sign-up.
For more details about the full set of Microsoft Graph permissions, please see Permissions reference for Microsoft Graph.
Files permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
Files.Read | Read user files | Allows the app to read the signed-in user's files. | No |
Files.Read.All | Read all files that user can access | Allows the app to read all files the signed-in user can access. | No |
Files.ReadWrite | Have full access to user files | Allows the app to read, create, update, and delete the signed-in user's files. | No |
Files.ReadWrite.All | Have full access to all files user can access | Allows the app to read, create, update, and delete all files the signed-in user can access. | No |
Files.ReadWrite.AppFolder | Have full access to the application's folder (preview) | (Preview) Allows the app to read, create, update, and delete files in the application's folder. | No |
Files.Read.Selected | Read files that the user selects | (Preview) Limited support in Microsoft Graph; see Remarks. Allows the app to read files that the user selects. The app has access for several hours after the user selects a file. | No |
Files.ReadWrite.Selected | Read and write files that the user selects | (Preview) Limited support in Microsoft Graph; see Remarks. Allows the app to read and write files that the user selects. The app has access for several hours after the user selects a file. | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
Files.Read.All | Read files in all site collections | Allows the app to read all files in all site collections without a signed-in user. | Yes |
Files.ReadWrite.All | Read and write files in all site collections | Allows the app to read, create, update, and delete all files in all site collections without a signed-in user. | Yes |
Remarks
The Files.Read, Files.ReadWrite, Files.Read.All, and Files.ReadWrite.All delegated permissions are valid on both personal Microsoft accounts and work or school accounts. Note that for personal accounts, Files.Read and Files.ReadWrite also grant access to files shared with the signed-in user.
The Files.Read.Selected and Files.ReadWrite.Selected delegated permissions are only valid on work or school accounts and are only exposed for working with Office 365 file handlers (v1.0). They should not be used for directly calling Microsoft Graph APIs.
The Files.ReadWrite.AppFolder delegated permission is only valid for personal accounts and is used for accessing the App Root special folder with the OneDrive Get special folder Microsoft Graph API.
Example usage
Delegated
- Files.Read: read files stored in the signed-in user's OneDrive (`GET /me/drive/root/children`)
- Files.Read.All: read files shared with the signed-in user (`GET /me/drive/root/sharedWithMe`)
- Files.ReadWrite: write a file in the signed-in user's OneDrive (`PUT /me/drive/root/children/filename.txt/content`)
- Files.ReadWrite.All: write a file shared with the user (`PUT /users/rgregg@contoso.com/drive/root/children/file.txt/content`)
- Files.ReadWrite.AppFolder: write files into the app's folder in OneDrive (`PUT /me/drive/special/approot/children/file.txt/content`)
Sites permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
Sites.Read.All | Read items in all site collections | Allows the app to read documents and list items in all site collections on behalf of the signed-in user. | No |
Sites.ReadWrite.All | Read and write items in all site collections | Allows the app to edit or delete documents and list items in all site collections on behalf of the signed-in user. | No |
Sites.Manage.All | Create, edit, and delete items and lists in all site collections | Allows the app to manage and create lists, documents, and list items in all site collections on behalf of the signed-in user. | No |
Sites.FullControl.All | Have full control of all site collections | Allows the app to have full control to SharePoint sites in all site collections on behalf of the signed-in user. | Yes |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
Sites.Read.All | Read items in all site collections | Allows the app to read documents and list items in all site collections without a signed-in user. | Yes |
Sites.ReadWrite.All | Read and write items in all site collections | Allows the app to create, read, update, and delete documents and list items in all site collections without a signed-in user. | Yes |
Sites.Manage.All | Create, edit, and delete items and lists in all site collections | Allows the app to manage and create lists, documents, and list items in all site collections without a signed-in user. | Yes |
Sites.FullControl.All | Have full control of all site collections | Allows the app to have full control of SharePoint sites in all site collections without a signed-in user. | Yes |
Remarks
Sites permissions are valid only on work or school accounts.
Example usage
Delegated
- Sites.Read.All: read the lists on the SharePoint root site (`GET /v1.0/sites/root/lists`)
- Sites.ReadWrite.All: create new list items in a SharePoint list (`POST /v1.0/sites/root/lists/123/items`)
- Sites.Manage.All: add a new list to a SharePoint site (`POST /v1.0/sites/root/lists`)
- Sites.FullControl.All: complete access to SharePoint sites and lists.
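The Files and Sites example-usage lists above map each call to the least permission that covers it. The following added example (not part of this page or of Microsoft Graph) turns both lists into a least-privilege check: it reads the granted permissions from an access token's payload (delegated scopes in the `scp` claim, application permissions in `roles`) and reports, for a planned request, whether the token is sufficient, insufficient, or broader than needed. The superset relationships in `IMPLIES` and the `unsigned_jwt` sample-token builder are assumptions for the demo, not something the page states.

```python
import base64
import json

# Minimal permission for each example request on this page, keyed by
# (method, path prefix); the longest matching prefix decides.
REQUIRED = {
    ("GET", "/me/drive/root/children"): "Files.Read",
    ("GET", "/me/drive/root/sharedWithMe"): "Files.Read.All",
    ("PUT", "/me/drive/root/children/"): "Files.ReadWrite",
    ("PUT", "/users/"): "Files.ReadWrite.All",
    ("PUT", "/me/drive/special/approot/"): "Files.ReadWrite.AppFolder",
    ("GET", "/v1.0/sites/root/lists"): "Sites.Read.All",
    ("POST", "/v1.0/sites/root/lists"): "Sites.Manage.All",
    ("POST", "/v1.0/sites/root/lists/"): "Sites.ReadWrite.All",
}
# Assumed supersets (not stated on the page): a scope also satisfies those listed.
IMPLIES = {
    "Files.ReadWrite.All": {"Files.ReadWrite", "Files.Read.All", "Files.Read"},
    "Files.ReadWrite": {"Files.Read"},
    "Files.Read.All": {"Files.Read"},
    "Sites.FullControl.All": {"Sites.Manage.All", "Sites.ReadWrite.All", "Sites.Read.All"},
    "Sites.Manage.All": {"Sites.ReadWrite.All", "Sites.Read.All"},
    "Sites.ReadWrite.All": {"Sites.Read.All"},
}

def unsigned_jwt(claims):
    """Constructed, unsigned sample token for offline demos only (no real signature)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return enc({"typ": "JWT"}) + "." + enc(claims) + "."

def token_scopes(jwt):
    """Granted permissions read from the payload; the signature is not checked here
    (Graph does that). Delegated scopes are space-separated in "scp", app roles in "roles"."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("scp", "").split()) | set(claims.get("roles", []))

def check_request(scopes, method, path):
    """Return (needed, verdict): "ok", "denied", or "over-privileged: <scopes>" when a
    broader scope is present. Per the Remarks, .Selected scopes do not count for direct calls."""
    hits = [k for k in REQUIRED if k[0] == method and path.startswith(k[1])]
    if not hits:
        return None, "unknown endpoint"
    needed = REQUIRED[max(hits, key=lambda k: len(k[1]))]
    usable = {s for s in scopes if not s.endswith(".Selected")}
    wider = sorted(s for s in usable if needed in IMPLIES.get(s, ()))
    if needed not in usable and not wider:
        return needed, "denied"
    return needed, ("over-privileged: " + ", ".join(wider)) if wider else "ok"
```

Run the check against the scopes your app actually requests before shipping; an "over-privileged" verdict on every call is the signal to request the narrower scope instead.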