Forum Discussion
Azure AD App Registration - Permission request to Read and Write to "All" Site Collections too broad
Beau Cameron We do need application level permissions as these programs need to run in the background. The issue is that when we provide the developer with the app secret it gives them access to way more than they need.
We use a policy of least privilege for security reasons, so this really doesn't work for us. I need to allow my developers to access an individual account, not the whole company (CEO included), through a background process.
Jcarpenter Yea unfortunately, that's a risk of Application Permissions. That's why they require Admin approval.
Question, If you've built the application that runs in the background for something. Why are you sharing secrets with other devs? (Wondering what type of application this is)
- Aaron Cutlip, Jun 19, 2019, Copper Contributor
Beau Cameron Hmm... My several year old thread woke up. :)
The original scenario I was trying to describe is from a Partner perspective, where we are the partner and our customers have their own Office 365/SharePoint tenancy. Our application has background processes that interact with a given (single) Site Collection and thus the need for Application Permissions. We have been using https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs which lets us get tokens only for the single Site Collection where it has been granted, but it certainly does not feel "Modern" and we would love to ditch that. From my perspective, even if I were developing internal applications for an "Enterprise" sized company it seems like too risky a proposition (aka crazy) not to have a way to limit the scope that the App Permission has access to. A colleague of mine mentioned maybe it would be possible to apply some kind of conditional access restrictions to the App Registration after it had been granted, but this would require Azure AD Premium.
From my perspective, the first class solution would be to allow the original App Permission grant to have a way to specify restrictions on which Site Collection(s) the grant applies.
- JeremyThake, Aug 06, 2019, Former Employee
Aaron Cutlip we are playing catch up in the Microsoft Graph team on some questions across communities here. Just FYI that StackOverflow is where we're focusing our attention and don't have resources monitoring these forums.
There is a UserVoice for this which I'd encourage you to add your scenarios to and vote up. I'm also happy to chat to you directly on Teams if you wish? https://microsoftgraph.uservoice.com/forums/920506-microsoft-graph-feature-requests/suggestions/34678792-manage-permissions-at-ressource-level-for-sharepoi
- Aaron Cutlip, Aug 07, 2019, Copper Contributor
JeremyThake I voted up that UserVoice link. Thanks for providing that; however, I am not sure it is clear enough to cover the scenario I am mentioning here. If you do have time for a quick conversation it might help me explain what we are doing and why we chose to do it that way, which in turn helps understand why more granular permissions matter. Shoot me an email. Thanks, -Aaron
- Deepak Naidu, Aug 05, 2019, Brass Contributor
Aaron Cutlip ... Thanks for replying to this thread and updating us. This is a security issue and not so much a matter of trusting the developer.
Have you come across a uservoice for this to lock down access to specific sites using the application permissions?
- Jcarpenter, Jun 19, 2019, Copper Contributor
Beau Cameron here is our scenario:
A dev comes to us and needs access to a resource through the Graph API, like checking a mailbox or uploading files to a SharePoint site automatically. I grant their request for application permissions, but now they have access to every mailbox or SharePoint site. It's not that we don't trust our devs; it's an issue of security. If that app secret gets compromised it can now do way more damage.
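The concern raised in Aaron Cutlip's and Jcarpenter's posts above is that an application permission such as Sites.ReadWrite.All reaches every site collection (or, for Mail.Read, every mailbox) in the tenant, so a leaked app secret is a tenant-wide problem. A defender's first step is to know which app registrations hold such grants. The script below is an added example, not code from this thread or from Microsoft: it resolves `appRoleAssignments` (the records Microsoft Graph returns for granted application permissions) against the Graph service principal's `appRoles` catalog and reports every app holding a tenant-wide permission. All GUIDs, app names and records in it are constructed samples; in a real tenant the two lists come from `GET /servicePrincipals/{id}?$select=appRoles` and `GET /servicePrincipals/{id}/appRoleAssignments`.

```python
"""Audit which app registrations hold tenant-wide application permissions.

Added example for this thread, not code from it. The records below are
constructed samples in the shape Microsoft Graph returns from
  GET /servicePrincipals/{graph-sp-id}?$select=appRoles      (role catalog)
  GET /servicePrincipals/{app-sp-id}/appRoleAssignments       (granted roles)
Every GUID and app name here is made up for the example.
"""

# Constructed subset of the Microsoft Graph service principal's appRoles catalog.
GRAPH_APP_ROLES = [
    {"id": "00000000-0000-4000-8000-000000000001", "value": "Sites.Read.All"},
    {"id": "00000000-0000-4000-8000-000000000002", "value": "Sites.ReadWrite.All"},
    {"id": "00000000-0000-4000-8000-000000000003", "value": "Sites.FullControl.All"},
    {"id": "00000000-0000-4000-8000-000000000004", "value": "Mail.Read"},
    {"id": "00000000-0000-4000-8000-000000000005", "value": "User.Read.All"},
]

# Constructed appRoleAssignments (application permissions only; delegated
# scopes live in oauth2PermissionGrants and are not covered here).
ASSIGNMENTS = [
    {"principalDisplayName": "nightly-sp-uploader", "resourceDisplayName": "Microsoft Graph",
     "appRoleId": "00000000-0000-4000-8000-000000000002"},
    {"principalDisplayName": "nightly-sp-uploader", "resourceDisplayName": "Microsoft Graph",
     "appRoleId": "00000000-0000-4000-8000-000000000003"},
    {"principalDisplayName": "mailbox-poller", "resourceDisplayName": "Microsoft Graph",
     "appRoleId": "00000000-0000-4000-8000-000000000004"},
    {"principalDisplayName": "hr-sync", "resourceDisplayName": "Microsoft Graph",
     "appRoleId": "00000000-0000-4000-8000-000000000005"},
    {"principalDisplayName": "legacy-connector", "resourceDisplayName": "Microsoft Graph",
     "appRoleId": "00000000-0000-4000-8000-0000000000ff"},  # not in the catalog snapshot
]

# Application permissions on mailbox data reach every mailbox in the tenant even
# though their names carry no ".All" suffix, so a suffix check alone is not enough.
MAILBOX_WIDE_PREFIXES = ("Mail.", "MailboxSettings.", "Calendars.", "Contacts.")


def resolve_grants(assignments, app_roles):
    """Map each assignment's appRoleId to its permission value via the catalog.
    Ids missing from the catalog are returned as None rather than guessed."""
    by_id = {role["id"]: role["value"] for role in app_roles}
    return [(a["principalDisplayName"], by_id.get(a["appRoleId"])) for a in assignments]


def is_tenant_wide(permission):
    """True for application permissions that are not scoped to a single resource."""
    if permission is None:
        return True  # cannot prove it is narrow: surface it for review
    return permission.endswith(".All") or permission.startswith(MAILBOX_WIDE_PREFIXES)


def find_broad_grants(assignments, app_roles):
    """Return {app display name: sorted list of tenant-wide permissions}."""
    broad = {}
    for principal, permission in resolve_grants(assignments, app_roles):
        if is_tenant_wide(permission):
            broad.setdefault(principal, []).append(permission or "<unresolved appRoleId>")
    return {p: sorted(v) for p, v in sorted(broad.items())}


if __name__ == "__main__":
    for app, perms in find_broad_grants(ASSIGNMENTS, GRAPH_APP_ROLES).items():
        print(f"{app}: {', '.join(perms)}")
```

Two design points: an `appRoleId` that the catalog snapshot cannot resolve is reported rather than silently skipped, since an unexplained grant is exactly what an audit should surface; and mailbox permissions are matched by prefix because, as an application permission, Mail.Read reaches every mailbox despite having no ".All" in its name. The output is the list of apps whose secrets, if leaked, have the tenant-wide blast radius the thread describes, which is the set to prioritise for scoping or secret rotation.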