Forum Discussion

lfk73
Brass Contributor
Nov 26, 2025

restrict external services using assigned\delegated api permissions to single files

I have an ongoing issue where my customers want to use external services to perform tasks, but those services require access to SharePoint. Of course, the completely non-security-minded service providers say they need Sites.ReadWrite.All permissions. I'm not going to give them access to read and write every single one of my internal SharePoint sites when they only need access to one file.

Ridiculous in this day and age with so many data breaches happening.

Now I have used Sites.Selected with some success to limit this, but it's still the whole site. How can I get this down to file or folder level within a site?

Has to be something we can do.

1 Reply

  • Try this:

    1. Register the app in Azure AD and request the Sites.Selected or *.SelectedOperations.Selected scope.
    2. Grant admin consent for the scope.
    3. Assign permissions to specific objects using Microsoft Graph:
       - Use the /sites/{site-id}/permissions endpoint to grant the app access.
       - You can now target lists, list items, folders, or files instead of just the site.
    4. Operations are limited to what you assign. If you only grant read on one file, the app cannot read anything else in the site.

Resources
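The grant-and-verify flow from the reply above, as an added example that is not part of the original thread. The site-level path /sites/{site-id}/permissions is the one the reply names; the per-file path /drives/{drive-id}/items/{item-id}/permissions, the role names, the app id and the sample GET response are assumptions, so check them against the current Graph documentation before use.

```python
"""Grant an Entra app narrowly scoped SharePoint access via Microsoft Graph,
then audit which roles the app actually holds. Standard library only."""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
ALLOWED_ROLES = {"read", "write"}  # the Selected-permission roles this helper will hand out


def site_scope(site_id: str) -> str:
    """Scope path for a whole site (Sites.Selected), as in the reply."""
    return f"/sites/{site_id}"


def file_scope(drive_id: str, item_id: str) -> str:
    """Assumed scope path for a single driveItem (Files.SelectedOperations.Selected)."""
    return f"/drives/{drive_id}/items/{item_id}"


def build_grant(scope: str, app_id: str, app_name: str, roles=("read",)):
    """Return (url, body) for a grant limited to `scope` and `roles`; rejects anything broader."""
    bad = set(roles) - ALLOWED_ROLES
    if bad:
        raise ValueError(f"unsupported roles: {sorted(bad)}")
    body = {
        "roles": list(roles),
        "grantedToIdentities": [{"application": {"id": app_id, "displayName": app_name}}],
    }
    return f"{GRAPH}{scope}/permissions", body


def grant(token: str, scope: str, app_id: str, app_name: str, roles=("read",)):
    """POST the grant with an admin bearer token (network call; not exercised offline)."""
    url, body = build_grant(scope, app_id, app_name, roles)
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def roles_for_app(permissions: dict, app_id: str) -> set:
    """Roles `app_id` holds in a GET .../permissions response: use it to confirm the app
    has read on the one file and nothing on the site itself."""
    roles = set()
    for perm in permissions.get("value", []):
        idents = perm.get("grantedToIdentitiesV2") or perm.get("grantedToIdentities", [])
        if any(i.get("application", {}).get("id") == app_id for i in idents):
            roles.update(perm.get("roles", []))
    return roles
```

After granting, call GET on the site's permissions and on the file's permissions and feed each response to roles_for_app: the site result for the vendor app should be empty.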