Question

I have some confusion after reading the Microsoft Docs on app registration for the Microsoft Graph API. I will explain my tenant structure.

We have:

  • E5 Account
  • The tenant has conditional MFA enabled. That means when a user accesses SharePoint Online from inside the company's network it will not ask for MFA, only username and password, but if it is accessed from outside the company's network it will ask for a Mobile App code.

We are using SharePoint Online as our intranet portal. Now the company's requirement is to make a mobile application in the native languages of iOS and Android. There are some sections of the mobile application where certain people can add/delete records.

So can somebody please guide me in configuring the Microsoft Graph API so that a user can access/add/delete records as per their permissions on SharePoint Online.

I have succeeded in configuring the Microsoft Graph API so that my application generates an access token, but my confusion is this: I have given the Graph API the Site.Read.All permission, but how can I delegate the permissions the user has on SharePoint Online? For example, if a user has read but not add permission, then it should allow only read through the Graph API.

Hope I could explain my question.


Solution

OK, I found the answer: we should register the Graph API under delegated permissions.

For delegated permissions, the effective permissions of your app will be the least privileged intersection of the delegated permissions the app has been granted (via consent) and the privileges of the currently signed-in user. Your app can never have more privileges than the signed-in user. Within organizations, the privileges of the signed-in user may be determined by policy or by membership in one or more administrator roles. For more information about administrator roles, see Assigning administrator roles in Azure Active Directory.

For example, assume your app has been granted the User.ReadWrite.All delegated permission. This permission nominally grants your app permission to read and update the profile of every user in an organization. If the signed-in user is a global administrator, your app will be able to update the profile of every user in the organization. However, if the signed-in user is not in an administrator role, your app will be able to update only the profile of the signed-in user. It will not be able to update the profiles of other users in the organization because the user that it has permission to act on behalf of does not have those privileges.

Official reference: https://docs.microsoft.com/en-us/graph/permissions-reference

Other tips

There are two types of permissions in the OAuth "world" (and in Office 365\Graph as well).

The first one is permissions of your application. This is a set of permissions you select upon App Registration and can change in Azure portal.

The second one is user permissions.

How do they correlate to each other?

It depends on the type of authentication flow you use.

For the client credentials flow only app permissions are used. This type of auth flow usually involves only a ClientId and ClientSecret and doesn't require user interaction at all. It's useful and usually used for daemon services, scheduled processes etc. (where there is no user). In the Azure portal, this type of permission is called Application permissions.

For the authorization code flow, the endpoint (MS Graph in your case) will analyze the effective permissions of your application (you set up permissions in the Azure portal) and your user. For example, if your app has "Write" permissions to SharePoint but your user only has read, an HTTP request will fail with a Forbidden response, because the effective permissions will be Read (the lowest possible between your app and a user). In the Azure portal, this type of permission is called Delegated permissions.

Which type of authentication does your app use? I don't have experience with Android development, but based on this article and other samples it uses the authorization code flow. Which means that all your HTTP requests to MS Graph (or whatever other endpoints) will be subject to the effective permissions between the user who initiated this call and your app.
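Both answers turn on the same question: did the app obtain its token through a delegated flow (effective permissions = app scopes ∩ signed-in user's SharePoint permissions) or through client credentials (app permissions only)? The helper below is an added example, not code from either answer: it inspects the claims of a Graph access token to tell the two apart and to check whether the app-side scopes even cover a read or write. The claim names `scp` and `roles` and the `Sites.*` permission names are real; the token contents are constructed and unsigned, and the helper does not validate tokens.

```python
import base64
import json

# Claim names are real Azure AD access-token claims; the token contents below
# are constructed for offline demonstration and the signature part is empty.

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_unsigned_token(claims: dict) -> str:
    """Build a constructed JWT (alg 'none', empty signature) for demonstration."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."

def token_claims(token: str) -> dict:
    """Decode the payload only; this does NOT validate the token."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def classify_flow(claims: dict) -> str:
    """Delegated tokens carry 'scp' (scopes granted on behalf of a signed-in
    user); app-only tokens from client credentials carry 'roles' instead."""
    if "scp" in claims:
        return "delegated"
    if "roles" in claims:
        return "application"
    return "unknown"

# Graph permissions that cover each SharePoint operation (the app side).
WRITE_SCOPES = {"Sites.ReadWrite.All", "Sites.Manage.All", "Sites.FullControl.All"}
READ_SCOPES = {"Sites.Read.All"} | WRITE_SCOPES

def scope_allows(claims: dict, operation: str) -> bool:
    """True if the token's permissions permit attempting the operation. For a
    delegated token Graph still applies the signed-in user's own SharePoint
    permissions, so a read-only user gets 403 Forbidden on a write anyway."""
    granted = set(claims.get("scp", "").split()) | set(claims.get("roles", []))
    needed = WRITE_SCOPES if operation == "write" else READ_SCOPES
    return bool(granted & needed)

# Constructed sample tokens: a delegated token for a signed-in user holding
# Sites.Read.All, and an app-only token holding the same permission as a role.
DELEGATED_TOKEN = make_unsigned_token(
    {"aud": "https://graph.microsoft.com", "scp": "Sites.Read.All User.Read",
     "upn": "user@example.com"})
APP_TOKEN = make_unsigned_token(
    {"aud": "https://graph.microsoft.com", "roles": ["Sites.Read.All"]})
```

With only Sites.Read.All granted, `scope_allows(..., "write")` is False for both tokens, which mirrors the questioner's situation: a write will fail before the user's own SharePoint permission is even consulted.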

License: CC-BY-SA Attribution
Not affiliated with sharepoint.stackexchange