Forum Discussion
Azure AD App Registration - Permission request to Read and Write to "All" Site Collections too broad
When setting up an Azure App Registration for the Microsoft Graph or the SharePoint Online APIs, the only option is to grant read and write to "ALL" site collections, either as delegated or application permissions.
As an ISV creating a multi-tenant application, it raises a red flag for our customers' tenant administrators to grant this kind of access when we really only need access to a specific site collection. Obviously, with the SharePoint Add-in (Azure ACS) model the app manifest allowed granting permission at the site level, but in our case we want to take advantage of the Graph API, Power BI, and other services backed by Azure App Registration.
I can certainly log granular site collection permissions as a request on UserVoice, but I thought I would check here in case there is some manifest or querystring magic that can be done to achieve this?
14 Replies
- shyju (Copper Contributor)
Any update on this? Anyone found a workaround?
If you use Delegated Permissions, the requests to SharePoint only have permission to access resources that the current user has access to... thus not actually giving them full control over all of the site collections.
E.g., you have two site collections. User A only has access to Site Collection 1. User B has access to both.
With delegated permissions, User A will only be able to interact with Site Collection 1. User B will be able to interact with Site Collection B (depending on the types of permissions on that Site Collection, of course).
Application permissions should only be used for applications that do not require signed-in users, like background processes.
- Jcarpenter (Copper Contributor)
Beau Cameron, we do need application-level permissions, as these programs need to run in the background. The issue is that when we provide the developer with the app secret, it gives them access to way more than they need.
We use a policy of least privilege for security reasons, so this really doesn't work for us. I need to allow my developers to access an individual account, not the whole company (CEO included), through a background process.
Jcarpenter, yeah, unfortunately that's a risk of Application Permissions. That's why they require admin approval.
Question: if you've built the application that runs in the background for something, why are you sharing secrets with other devs? (Wondering what type of application this is.)
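One check an admin on the receiving end of such a consent prompt would want, added here as an example and not part of the thread: an offline audit of the grants Microsoft Graph records for a tenant's service principals, which separates application permissions (tenant-wide, no user boundary) from delegated ones (bounded by the signed-in user's own access, as described above). The record shapes follow Graph's servicePrincipal.appRoles, appRoleAssignments and oauth2PermissionGrants resources, but every record, id and app name below is constructed for the example; the well-known Microsoft Graph appId is the only real identifier. Sites.Selected, which Graph added after this discussion, is classed as scoped rather than broad.

```python
"""Audit Microsoft Graph grants for broad SharePoint site access.

Added example; the data is constructed, not a real tenant dump. In a real
audit the same dictionaries would come from:
  GET /servicePrincipals?$filter=appId eq '<GRAPH_APP_ID>'   (appRoles)
  GET /servicePrincipals/{id}/appRoleAssignments              (application permissions)
  GET /oauth2PermissionGrants                                 (delegated permissions)
"""
import re
from dataclasses import dataclass

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # well-known appId of Microsoft Graph

# Permission values that reach every site collection in the tenant.
BROAD_SITE_SCOPE = re.compile(r"^Sites\.(Read|ReadWrite|Manage|FullControl)\.All$")

# --- Constructed sample data (role ids and app names are made up) -----------
GRAPH_SP = {
    "id": "sp-graph",
    "appId": GRAPH_APP_ID,
    "displayName": "Microsoft Graph",
    "appRoles": [
        {"id": "role-sites-rw-all", "value": "Sites.ReadWrite.All"},
        {"id": "role-sites-read-all", "value": "Sites.Read.All"},
        {"id": "role-sites-selected", "value": "Sites.Selected"},
        {"id": "role-user-read-all", "value": "User.Read.All"},
    ],
}

CLIENT_SPS = {
    "sp-nightly": {"displayName": "Nightly Sync Job"},
    "sp-portal": {"displayName": "Customer Portal"},
    "sp-scoped": {"displayName": "Scoped Connector"},
}

# Application permissions: admin-consented appRoleAssignments on Graph.
APP_ROLE_ASSIGNMENTS = [
    {"principalId": "sp-nightly", "resourceId": "sp-graph", "appRoleId": "role-sites-rw-all"},
    {"principalId": "sp-nightly", "resourceId": "sp-graph", "appRoleId": "role-user-read-all"},
    {"principalId": "sp-scoped", "resourceId": "sp-graph", "appRoleId": "role-sites-selected"},
]

# Delegated permissions: oauth2PermissionGrants; scope is a space-separated list.
OAUTH2_GRANTS = [
    {"clientId": "sp-portal", "resourceId": "sp-graph", "consentType": "AllPrincipals",
     "scope": "User.Read Sites.ReadWrite.All"},
]


@dataclass(frozen=True)
class Finding:
    app: str
    kind: str        # "application" or "delegated"
    permission: str
    severity: str    # "high", "medium" or "info"
    note: str


def audit_site_permissions(resource_sp, client_sps, app_role_assignments, oauth2_grants):
    """Return findings for every Sites.* grant on the given resource service principal."""
    role_values = {r["id"]: r["value"] for r in resource_sp["appRoles"]}
    name = lambda sp_id: client_sps.get(sp_id, {}).get("displayName", sp_id)
    findings = []

    # Application permissions: the app's own token, valid without any user.
    for a in app_role_assignments:
        if a["resourceId"] != resource_sp["id"]:
            continue
        value = role_values.get(a["appRoleId"], a["appRoleId"])
        if BROAD_SITE_SCOPE.match(value):
            findings.append(Finding(name(a["principalId"]), "application", value, "high",
                "app-only token reaches every site collection; no signed-in user bounds it"))
        elif value == "Sites.Selected":
            findings.append(Finding(name(a["principalId"]), "application", value, "info",
                "app-only access limited to sites explicitly granted to the app"))

    # Delegated permissions: effective access is the intersection with the user's own.
    for g in oauth2_grants:
        if g["resourceId"] != resource_sp["id"]:
            continue
        who = "all users" if g["consentType"] == "AllPrincipals" else "one consenting user"
        for scope in g["scope"].split():
            if BROAD_SITE_SCOPE.match(scope):
                findings.append(Finding(name(g["clientId"]), "delegated", scope, "medium",
                    f"bounded by each signed-in user's own site access; consented for {who}"))
    return findings


def high_risk_apps(findings):
    """Apps holding tenant-wide app-only site permissions, sorted by name."""
    return sorted({f.app for f in findings if f.severity == "high"})


if __name__ == "__main__":
    for f in audit_site_permissions(GRAPH_SP, CLIENT_SPS, APP_ROLE_ASSIGNMENTS, OAUTH2_GRANTS):
        print(f"[{f.severity:6}] {f.app}: {f.kind} {f.permission} -> {f.note}")
```

The point of the split is the one made in the exchange above: a delegated Sites.ReadWrite.All grant still cannot touch a site the signed-in user cannot reach, whereas the same value granted as an application permission, plus a shared client secret, reaches every site collection in the tenant.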
- Jcarpenter (Copper Contributor)
Any new information on this? I'm now struggling with the same thing in my enterprise. Does Microsoft plan on increasing granularity at all?
- Daniel Moerland (Copper Contributor)
Yeah, Aaron Cutlip, have you been able to find a workaround? We are struggling with the same issue.
- Aaron Cutlip (Copper Contributor)
Just checking my post here... still no answer?
- kiran bellala (Brass Contributor)
Aaron Cutlip, just curious how you handled this.
Did you use the Graph API / SharePoint Online API? Or did you end up using the Add-in model?
Graph API is the new way to go, but like you said, it raises a lot of red flags when you have to grant Read Write to all site collections, even for internal apps built by in-house developers.
It has been more than a year since you posted and I don't see any responses, which kinda makes me think that granular permissions are not coming anytime soon.