Forum Discussion
Azure AD App Registration - Permission request to Read and Write to "All" Site Collections too broad
If you use Delegated Permissions, the requests to SharePoint only have permission to access resources that the current user has access to, thus not actually giving them full control over all of the site collections.
E.g., you have two site collections. User A only has access to Site Collection 1. User B has access to both.
With delegated permissions, User A will only be able to interact with Site Collection 1. User B will be able to interact with Site Collection B (depending on the types of permissions on that Site Collection, of course).
Application permissions should only be used for applications that do not require signed-in users, like background processes.
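The distinction above (delegated access is bounded by what the signed-in user can already reach, while an app-only grant reaches every site collection the scope covers) can be made concrete with a small model. The code below is an added illustration for this thread, not code from any poster and not the Azure AD or SharePoint API; the tenant, site collections, users and scope string are all constructed. The `excess_reach` check is the audit a least-privilege reviewer would run: which site collections does a grant reach beyond the ones the process actually needs?

```python
"""Constructed model of how delegated vs. application grants reach SharePoint
site collections. Illustration only: not the Azure AD / Microsoft Graph API."""
from dataclasses import dataclass

# Constructed tenant: two site collections and two users with different access.
SITE_COLLECTIONS = frozenset({"SC1", "SC2"})
USER_ACCESS = {
    "UserA": frozenset({"SC1"}),          # User A sees only Site Collection 1
    "UserB": frozenset({"SC1", "SC2"}),   # User B sees both
}


@dataclass(frozen=True)
class Grant:
    """An admin-consented permission grant on an app registration (hypothetical)."""
    app_id: str
    kind: str      # "delegated" or "application"
    scope: str     # e.g. "Sites.ReadWrite.All" (constructed scope string)


def effective_sites(grant, user=None, sites=SITE_COLLECTIONS, user_access=USER_ACCESS):
    """Return the site collections a token issued under `grant` can touch.

    delegated   -> intersection of the scope's reach and the signed-in user's access
    application -> the scope's full reach; there is no user to bound it
    """
    if grant.kind == "delegated":
        if user is None:
            raise ValueError("delegated permissions require a signed-in user")
        return frozenset(sites) & user_access.get(user, frozenset())
    if grant.kind == "application":
        return frozenset(sites)
    raise ValueError(f"unknown grant kind: {grant.kind!r}")


def excess_reach(grant, needed_sites, user=None):
    """Site collections the grant reaches that the workload does not need.

    A non-empty result is the least-privilege gap the thread complains about:
    the app secret unlocks more than the background process requires.
    """
    return effective_sites(grant, user=user) - frozenset(needed_sites)


if __name__ == "__main__":
    delegated = Grant("app-1", "delegated", "Sites.ReadWrite.All")
    app_only = Grant("app-1", "application", "Sites.ReadWrite.All")
    print("delegated as UserA:", sorted(effective_sites(delegated, user="UserA")))
    print("delegated as UserB:", sorted(effective_sites(delegated, user="UserB")))
    print("application (no user):", sorted(effective_sites(app_only)))
    print("excess for a process that only needs SC1:",
          sorted(excess_reach(app_only, {"SC1"})))
```

Running the script shows the delegated grant collapsing to each user's own access, while the application grant reaches both site collections and reports `SC2` as excess for a process that only needs `SC1`.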
- Jcarpenter, Jun 19, 2019, Copper Contributor
Beau Cameron We do need application level permissions as these programs need to run in the background. The issue is that when we provide the developer with the app secret it gives them access to way more than they need.
We use a policy of least privileges for security reasons so this really doesn't work for us. I need to allow my developers to access an individual account, not the whole company (CEO included) through a background process.
- Beau Cameron, Jun 19, 2019, MVP
Jcarpenter Yeah, unfortunately that's a risk of Application Permissions. That's why they require Admin approval.
Question: if you've built the application that runs in the background for something, why are you sharing secrets with other devs? (Wondering what type of application this is.)
- Aaron Cutlip, Jun 19, 2019, Copper Contributor
Beau Cameron Hmm... My several year old thread woke up. :)
The original scenario I was trying to describe is from a Partner perspective, where we are the partner and our customers have their own Office 365/SharePoint tenancy. Our application has background processes that interact with a given (single) Site Collection and thus the need for Application Permissions. We have been using https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs, which lets us get tokens only for the single Site Collection where it has been granted, but it certainly does not feel "Modern"; we would love to ditch that. From my perspective, even if I were developing internal applications for an "Enterprise" sized company, it seems like too risky a proposition (aka crazy) not to have a way to limit the scope that the App Permission has access to. A colleague of mine mentioned maybe it would be possible to apply some kind of conditional access restrictions to the App Registration after it had been granted, but this would require Azure AD Premium.
From my perspective, the first class solution would be to allow the original App Permission grant to have a way to specify restrictions on which Site Collection(s) the grant applies.