Forum Discussion
What access does "Read items in all site collections" really give?
Most app permissions specify that they only grant access to what the signed in user already has. I don't want any app to be able to read all items in all site collections, but I doubt that this is wh...
If you are using the delegate permissions model, the *effective* permissions are cross-section of the API permissions and the user ones, meaning the app will only be able to access what the user can. If using the application permission model, you get unrestricted access to each and every SC. A method to restrict this is now in preview: https://www.michev.info/Blog/Post/3256/limiting-access-to-sharepoint-online-resources-via-the-graph-api
How do I know which model I am using, delegate or application permissions?
- If you are providing a username and password, you're using the delegate permissions model. If you are providing a client secret or certificate, it's the applicaiton permissions model.