Forum Discussion
Authentication issues
- Sep 04, 2018
Peter,
One approach would be to request Delegated permissions for Graph SharePoint API calls and App Only permissions for Graph Security API calls. Your application would essentially be acting as a service when it retrieves security alerts, and using the user account you created when writing those alerts to the SharePoint list.
Without knowing how your application is invoked I don't know if this option is feasible for you. It doesn't sound like the app is an interactive app since you've created a user which sounds like it's acting like a service account and reading and writing alerts. App Only seems like a viable option. Just make sure if the application is interactive, that it doesn't let regular users view security alerts when they otherwise wouldn't be able to.
Quick question: my goal is to let an external (PHP based) website add/modify SharePoint Online List items. It works now, but I'm concerned about assigning the directory role.
Scenario:
I've created a new user in AAD that only has read/write permissions to the desired SharePoint List. Then, I've registered a new App in the App Registration Portal under this user, with DELEGATED permissions on Sites.ReadWrite.All. Since the user associated with this app only has R/W permissions on this one SharePoint List - we're safe.
But without assigning the mentioned AAD role, we keep getting the "Either scp or roles claim need to be present in the token" AccessDenied message. When we assign the Security Reader role, everything works fine.
But now I get the feeling that this particular app has way more permissions than it actually needs.
Any thoughts?
Thanks in advance!
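The "Either scp or roles claim need to be present in the token" message quoted in the question, and the reply's suggestion to split delegated (SharePoint) from app-only (Security API) access, both come down to which permission claim a Graph access token carries. The following script is an added example, not code from the thread or from Microsoft: it decodes the payload of a Graph access token (signature is deliberately not verified, since Graph validates it, not the client), reports whether the token is delegated (`scp`), app-only (`roles`), or carries neither, and lists any permissions beyond an allow-list so you can spot over-provisioned registrations. The tokens it builds are constructed, unsigned test data; the permission name `SecurityEvents.Read.All` is assumed as the app-only Security API permission, and `Sites.ReadWrite.All` is the delegated permission named in the question.

```python
import base64
import json

# Constructed, unsigned JWTs are used below purely to show claim shapes.
# Real Graph tokens are signed by Azure AD; only the resource (Graph) should
# trust them, and this script never treats a decoded token as authenticated.


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed compact JWT with an empty signature (test data only)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Return the payload claims for inspection; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def permission_model(claims: dict) -> str:
    """'delegated' when scp is present, 'app-only' when roles is present,
    'none' otherwise. Graph rejects a token with neither claim, which is the
    AccessDenied message quoted in the question."""
    if "scp" in claims:
        return "delegated"
    if "roles" in claims:
        return "app-only"
    return "none"


def granted_permissions(claims: dict) -> set:
    """scp is a space-separated string; roles is a list of app permission names."""
    if "scp" in claims:
        return set(claims["scp"].split())
    return set(claims.get("roles", []))


def excess_permissions(claims: dict, needed: set) -> set:
    """Permissions on the token beyond what the caller actually needs;
    a non-empty result means the registration is over-provisioned."""
    return granted_permissions(claims) - needed


if __name__ == "__main__":
    # Delegated token for the SharePoint list writer (the question's setup).
    delegated = make_unsigned_token({"scp": "Sites.ReadWrite.All User.Read"})
    # App-only token for reading security alerts (the reply's suggestion;
    # SecurityEvents.Read.All is an assumed permission name).
    app_only = make_unsigned_token({"roles": ["SecurityEvents.Read.All"]})
    # Token with neither claim: Graph returns the AccessDenied error.
    bare = make_unsigned_token({"aud": "https://graph.microsoft.com"})

    for name, tok in (("delegated", delegated), ("app-only", app_only), ("bare", bare)):
        claims = decode_claims(tok)
        print(name, "->", permission_model(claims), sorted(granted_permissions(claims)))

    extra = excess_permissions(decode_claims(delegated), {"Sites.ReadWrite.All"})
    print("permissions beyond what the SharePoint writer needs:", sorted(extra))
```

Run it against a real token by replacing the constructed strings with the `access_token` value your PHP site receives; if the SharePoint path shows `delegated` and the alert-reading path shows `app-only` with only the permissions you expect, the split the reply describes is in place and the directory role is no longer what is granting access.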