Scenario and Result
My app has been given read/write permissions to a customer's Site. My app can read and write items in the selected site's default document library, which is as expected.
But it excludes the ability to read and create lists for the selected site; reading and creating lists should be included.
Technology
- Graph Explorer
- msgraph-sdk-dotnet (Microsoft.Graph.Core version: 1.24.0.0)
Reproducible steps
1. Register an app in Azure AD with the "Sites.Selected" Graph API application (not delegated) permission. Ensure the UX app, which is integrated with msgraph-sdk-dotnet, successfully gets an access token for this AD app.
2. Use the UX app to get the customer's tenant ID to accept this AD app and its permissions (which are the required User.Read and the added Sites.Selected).
3. Sign in on Graph Explorer under the customer's tenant to grant read/write permissions to this AD app, e.g. POST https://graph.microsoft.com/v1.0/sites/<site-id>/permissions
    {
      "roles": [
        "write"
      ],
      "grantedToIdentities": [
        {
          "application": {
            "id": "<AD app id>",
            "displayName": "Jenny limited permissions"
          }
        }
      ]
    }
4. Use the UX app to confirm it has access to the selected site, e.g. a Site object is returned successfully from
    await graphServiceClient.Sites[siteId].Request().GetAsync();
5. Use the UX app to confirm it can write items to the selected site's default document library by ensuring the operation runs with no exceptions, example code
    // A folder is a DriveItem whose Folder facet is set; the SDK's Folder class itself has no Name property.
    var newFolder = new DriveItem
    {
        Name = "Test folder",
        Folder = new Folder()
    };
    await graphServiceClient.Sites[siteId].Drive.Items.Request().AddAsync(newFolder);
6. Use the UX app to try to create lists, example code
    // Microsoft.Graph.List is fully qualified to avoid clashing with System.Collections.Generic.List<T>;
    // the template facet is of type ListInfo.
    var newList = new Microsoft.Graph.List
    {
        DisplayName = "new document library",
        ListInfo = new ListInfo
        {
            Template = "documentLibrary"
        }
    };
    await graphServiceClient.Sites[siteId].Lists.Request().AddAsync(newList);
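An added example, not part of the original report or the SDK project, of how the UX app can tell a missing site grant apart from the gap described in step 6: it reads the roles granted to the app from the site's permissions collection, then attempts the list creation and classifies a 403 instead of surfacing an unhandled exception. It assumes an already authenticated GraphServiceClient, the app's client id, and that the installed SDK exposes the Sites[siteId].Permissions request builder; the names SitesSelectedProbe, GetRolesGrantedToAppAsync and TryCreateLibraryAsync are hypothetical.

```csharp
using System.Linq;
using System.Net;
using System.Threading.Tasks;
using Microsoft.Graph;

// Hypothetical helper, not part of the SDK.
public static class SitesSelectedProbe
{
    // Collects the roles the site has granted to this application (GET /sites/{id}/permissions).
    // Returns an empty array if the app is not listed in any site permission.
    public static async Task<string[]> GetRolesGrantedToAppAsync(
        GraphServiceClient client, string siteId, string appId)
    {
        var permissions = await client.Sites[siteId].Permissions.Request().GetAsync();
        return permissions
            .Where(p => p.GrantedToIdentities != null &&
                        p.GrantedToIdentities.Any(i => i.Application?.Id == appId))
            .SelectMany(p => p.Roles ?? Enumerable.Empty<string>())
            .Distinct()
            .ToArray();
    }

    // Attempts step 6 and classifies the outcome. Returns the created list, or null
    // together with a diagnosis the caller can log or show to the customer admin.
    public static async Task<(Microsoft.Graph.List Created, string Diagnosis)> TryCreateLibraryAsync(
        GraphServiceClient client, string siteId, string appId, string displayName)
    {
        var roles = await GetRolesGrantedToAppAsync(client, siteId, appId);
        if (roles.Length == 0)
            return (null, "App has no Sites.Selected grant on this site; request one first (step 3).");

        var newList = new Microsoft.Graph.List
        {
            DisplayName = displayName,
            ListInfo = new ListInfo { Template = "documentLibrary" }
        };
        try
        {
            var created = await client.Sites[siteId].Lists.Request().AddAsync(newList);
            return (created, "created");
        }
        catch (ServiceException ex) when (ex.StatusCode == HttpStatusCode.Forbidden)
        {
            // Site grant is present but list creation is still refused: the gap this report is about.
            return (null, $"Site grants [{string.Join(",", roles)}] to the app, but POST /sites/{{id}}/lists " +
                          $"returned 403 ({ex.Error?.Code}); the Sites.Selected grant does not cover list creation.");
        }
    }
}
```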
Expected behaviour
A document library called "new document library" for the selected site gets created.
Actual behaviour
An Access Denied exception is thrown when executing that operation.
This scenario has been reported in the msgraph-sdk-dotnet GitHub repository, and they have confirmed this has to be done within the Graph API so the wrapper can then support it.
https://github.com/microsoftgraph/msgraph-sdk-dotnet/issues/1047#issuecomment-873867323
More information about the Sites.Selected permission: