Question

In an Azure AD app registration under API Permissions I've added Sites.Read.All AppOnly to let my app access SharePoint resources through the Microsoft Graph API.

How do I restrict this permission to apply to just one site collection?

My app only needs to access this one site collection, and it would be irresponsible to require access to anything else (principle of least privilege); it is also unlikely that any client administrator would allow this.

So I need to restrict the permissions of the app service principal, but where/how do I do that?

EDIT: My app is not a SharePoint Add-In. It is a standalone service application that simply accesses SharePoint through MS Graph. As such there is no AppManifest, as nothing is installed in SharePoint (the question is relevant to other Graph resources than SharePoint as well).

Here is how the app is registered: https://docs.microsoft.com/en-us/azure/healthcare-apis/register-service-azure-ad-client-app

Solution 3

Use the Sites.Selected permission (due for release February 2021):

Applications can now use the new "Sites.selected" permission to request access to SharePoint sites. By default an application that requests “Sites.Selected” instead of a tenant wide permission may not access any SharePoint sites. The tenant administrator can grant or revoke an application’s access to individual sites through new endpoints in the Microsoft Graph API.

Source: https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=Sites.selected
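As an added example (not from this answer or from Microsoft's documentation), here is how a tenant administrator could call those Graph endpoints to grant an app-only principal read access to a single site and then verify the grant; the token, site ID and application ID are placeholders, and the helper deliberately accepts only the `read` and `write` roles so the least-privilege intent of the question is enforced in code.

```python
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def site_permission_body(app_id, app_display_name, roles=("read",)):
    """Request body for POST /sites/{site-id}/permissions.

    Restricting roles to read/write is this example's own choice:
    it keeps a Sites.Selected grant as narrow as the task needs.
    """
    roles = list(roles)
    allowed = {"read", "write"}
    if not roles or set(roles) - allowed:
        raise ValueError(f"roles must be a non-empty subset of {sorted(allowed)}")
    return {
        "roles": roles,
        "grantedToIdentities": [
            {"application": {"id": app_id, "displayName": app_display_name}}
        ],
    }


def graph_request(token, method, url, body=None):
    """Minimal Graph call with a bearer token; the caller (an admin
    principal holding Sites.FullControl.All) supplies the token."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def grant_site_access(token, site_id, app_id, app_display_name, roles=("read",)):
    body = site_permission_body(app_id, app_display_name, roles)
    return graph_request(token, "POST", f"{GRAPH}/sites/{site_id}/permissions", body)


def app_roles_on_site(permissions_response, app_id):
    """Roles an app holds on a site, parsed from GET /sites/{site-id}/permissions."""
    roles = set()
    for perm in permissions_response.get("value", []):
        for ident in perm.get("grantedToIdentities", []):
            if ident.get("application", {}).get("id") == app_id:
                roles.update(perm.get("roles", []))
    return sorted(roles)


# Constructed sample of a GET /sites/{site-id}/permissions response (not real data).
SAMPLE_PERMISSIONS = {"value": [{"id": "perm1", "roles": ["read"], "grantedToIdentities": [
    {"application": {"id": "00000000-0000-0000-0000-00000000abcd", "displayName": "ReportBot"}}]}]}
```

Run `grant_site_access(token, site_id, app_id, "ReportBot")` once per site the app should see, then fetch the site's permissions and pass the response to `app_roles_on_site` to confirm the grant is exactly `["read"]`.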

Other tips

This is indeed not possible yet (still not, 7 months after you posted this). Here is proof: https://github.com/SharePoint/sp-dev-docs/issues/5730

Microsoft did however announce they will solve this issue in the near future. This reply from MS to the UserVoice request from October 2020 mentions a new feature called "resource-specific consent" for Teams: https://microsoftgraph.uservoice.com/forums/920506-microsoft-graph-feature-requests/suggestions/37796059-restrict-permissions-to-app-only-azure-ad-applicat

This will then supposedly be similar for SharePoint. Imagine a Site.Read RSC scope for app-only access which can be consented to by a site admin. This site-level access is apparently something that is still missing in Graph and is currently in beta for Teams apps: https://docs.microsoft.com/en-us/microsoftteams/platform/graph-api/rsc/resource-specific-consent

Looking forward to it.

You may check this - go to

https://yoursposite.sharepoint.com/sites/SharePointRND/_layouts/15/appinv.aspx

Example:

https://globalsharepoint2019.sharepoint.com/sites/SharePointRND/_layouts/15/appinv.aspx

Add the below XML in the "Permission Request XML" box:

<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
</AppPermissionRequests>

Note:

  • In Scope="http://sharepoint/content/sitecollection/", the "sitecollection" segment indicates a site-collection-level scope.

For other permission levels, you may refer to the MSDN article below:

Add-in permissions in SharePoint

License: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange