Copilot for Microsoft 365 Tech Accelerator
Feb 28 2024 07:00 AM - Feb 29 2024 10:30 AM (PST)
Microsoft Tech Community

Restrict users to access list using REST API

Copper Contributor

Hello,

 

I have made a list in SharePoint, and I want to restrict the Users to access the list via REST API.

So how can I turn off the ability for the users to access the list via REST API, so that they cannot make any changes to the list using this feature.

 

Can someone help me, regarding the same?

Thank you.

12 Replies
Unfortunately, it it not possible within SharePoint Online (not sure for on-prem though).

If a user has the right to access / read / modify a list with SharePoint permissions. It will be possible too with REST / CSOM / Graph (if he has the right to use these APIs).
Might I ask the scenario / use case you have here? To be able to use the API REST you need to be quite skilled and also to have required permissions not only to interact with the SharePoint Content but also to deploy artifacts that make use of SPO APIs and even PowerShell. Of course, there are "some tools" that potentially could enable anyone to use SPO APIs such as the Graph Explorer, Postman, etc
Hello Thijoubert,

Thanks for the quick reply.

Users have access to SharePoint list but I want to restrict them to call APIs. Is there any way to achieve this?
If the user has access to the SharePoint list, he is theorically able to access it through the APIs (if he is skilled enough + has the rights to use / consent APIs)...
To my knowledge, you cannot block it.

Hello @Juan Carlos González Martín ,

Thank you for your reply. I am trying to make an app which performs CRUD operations in Power apps, where in the data source passed is SharePoint List. And I want the users to access those SharePoint Columns only via the Power Apps, and not directly by the SharePoint Site. So that, even if they get the source to the SharePoint site, they might be restricted to the View Mode. 

 

Please reply, if you can help me in any way.

Thank you.

Hey @thijoubertold,

 

I know about the Graph API and stuffs, but can you please tell me which rights you are talking about? Thank you for your help.

That's a different scenario...unfortunately, if the users discover the site and they have collaboration rights there, they are going to be able to modify data directly in the site. There are tow possible workarounds for you here:
(1) Hide the Lists and Document Librararies used in the PowerApp: https://www.c-sharpcorner.com/article/how-to-hide-sharepoint-list-using-pnp-powershell/
(2) Force a redirect to the SPO home page to any user trying to access the site: Develop a SPFx extension that prevent any user except especific ones to access the site.
Thank you Juan, I will try these options out. And I will let you know if it works or not.

Thank you, for the reply. @Juan Carlos González Martín 

 

I referred the link which you sent me. And after referring this link, I had some questions on which I need some help from you.

 

I had some questions @Juan Carlos González Martín ,

1. Does "after hiding" the SharePoint List, will the user be still able to access the List from the Power Apps, and make necessary changes via Power Apps only, if he has the required permissions to do so.

2. Plus, after hiding SharePoint List, would any user be able to make API calls to the List, if by any way he gets the URL of the List?

3. And does he require the URL to make API calls to the SharePoint list, at all?

 

I hope for a reply from you.

Thank you so much, @Juan Carlos González Martín

Thank you, for your help @thijoubertold.

 

As @Juan Carlos González Martín sent me the link, can you please help me out on the same? That whether or not the user would be able to access the SharePoint list via the API, if I am able to hide the SharePoint List using the PNP PowerShell.

And would the user still be able to access the SharePoint List using the Power Apps, if he has the permission and rights, keeping in mind, the list is still hidden in SharePoint.

And whilst, the list is hidden, can any technically smart person, be able to access to that List by making API calls to that list?

And do we need the URL to the SharePoint List, at all, in order to make the API CALL to the SP LIST?

 

Thank you so much for replying, @thijoubertold .  

We hope a reply from you, @thijoubertold.

Hi,
My two cents here:
1. Yes, you are just hiding the list so users "apparently" only have the option to work with the data through the Power App
2. Yes, hiding does not prevent this,
3. Yes.

Thank you so much, @Juan Carlos González Martín , for your quick reply. 

We need helpful people like you in this community. :)