Error resetting last modified date


Hi!

I am using CSOM to change SharePoint Online files and reset the last modified date of their items.

It works when I log in to SharePoint with user name and password.

When I create an app registration and use MSAL to get a token through interactive login, the reset of the last modified date will not work.

The code is the same. It is just the token that makes the difference.

The app registration's API permissions are set to AllSites.Manage, so it should have enough rights to change metadata.

Any suggestions what I could change?

Cheers

Alex 

 

6 Replies

@Alexander72 Can you try using AllSites.FullControl permissions & see if it works for this scenario?


AllSites.FullControl solves the problem, but in my opinion it is a bug and may cause security problems! I do not want my application to access everything in SharePoint.
So giving full control permissions is just a workaround, which is not suitable from a security perspective.

@Alexander72 

 

Based on your question, you are getting a token through interactive login, which means you are using delegated permissions, so even if you have given AllSites.FullControl, your code will always work with the permissions of the user you are using for the interactive login.

It is still possible to provide access to specific sites using an Azure AD app registration. If security is the concern, then you can provide AllSites.FullControl rights for particular site collections only.


Reference Blog: https://devblogs.microsoft.com/microsoft365dev/controlling-app-access-on-specific-sharepoint-site-co... 

 



This is also a workaround, which is not suitable in my case.
My customer has a OneDrive folder for each of his users (about 65K) and also many team sites.
Every SharePoint Online site has to be searched for Office files. Every Office file is to be analyzed for VBA macros, and if there are macros without potentially malicious code, they are to be signed.
The last modified date and the editor are to be preserved.
And you need one app to have read/write access to those sites and files.
Modifying file content is possible with AllSites.Modify.
So AllSites.Modify is the way to go. Everything else would be overkill.
MS has to fix this!

@Alexander72 

 

What I am trying to say is that if you are using delegated permissions (as shown in the screenshot below), then even if you provide a higher permission in the app registration, only operations for which the current user (the user you used for the interactive login) has permissions are allowed.

[Screenshot: kalpeshvaghela_0-1661519395832.png]

E.g. in your app registration you have given AllSites.FullControl rights, and let's say we have two users, User A and User B, where User A has only read rights in one site collection and User B has contribute rights in the same site collection.

Now if you log in as User A in your CSOM console with interactive login and you try to update anything in the site, the code will give unauthorized access (even though you have given your app the AllSites.FullControl permission), because the current user doesn't have enough rights in the site collection.


I hope that now it will be more clear.

 


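The following Python sketch is an added example, not part of the thread or of any poster's code. It illustrates the delegated-permission point made in the reply above: it reads the `scp` (delegated) or `roles` (app-only) claim of an Azure AD access token and applies the "app scope and user rights must both allow it" rule to the User A / User B scenario. The tokens are constructed and unsigned, the function names are hypothetical, and the numeric ordering of rights is a simplifying assumption rather than SharePoint's actual permission model.

```python
import base64
import json

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed JWT for this demo (not a real token)."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()), ""])

def read_claims(token: str) -> dict:
    """Decode the payload for inspection only; the signature is NOT validated."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def permission_model(claims: dict) -> tuple:
    """'scp' marks a delegated (user) token, 'roles' an app-only token."""
    if claims.get("scp"):
        return "delegated", sorted(claims["scp"].split())
    if claims.get("roles"):
        return "application", sorted(claims["roles"])
    return "unknown", []

# Assumed, simplified ordering of rights; real SharePoint permission levels are richer.
SCOPE_LEVEL = {"AllSites.Read": 1, "AllSites.Write": 2,
               "AllSites.Manage": 3, "AllSites.FullControl": 4}
USER_LEVEL = {"read": 1, "contribute": 2, "full control": 4}
NEEDED = {"read": 1, "update": 2}

def delegated_call_allowed(claims: dict, user_rights: str, operation: str) -> bool:
    """Delegated call: both the app's scope and the signed-in user must allow it."""
    kind, scopes = permission_model(claims)
    if kind != "delegated":
        raise ValueError("this check models delegated tokens only")
    app_level = max((SCOPE_LEVEL.get(s, 0) for s in scopes), default=0)
    return min(app_level, USER_LEVEL[user_rights]) >= NEEDED[operation]

# Constructed tokens: interactive login (delegated) vs. client credentials (app-only).
DELEGATED = make_sample_token({"upn": "user.a@contoso.example", "scp": "AllSites.FullControl"})
APP_ONLY = make_sample_token({"roles": ["Sites.FullControl.All"]})

if __name__ == "__main__":
    claims = read_claims(DELEGATED)
    print(permission_model(claims), delegated_call_allowed(claims, "read", "update"))
```

Decoding the access token this way is a quick check of which permission model a CSOM client is actually running under before adjusting the app registration.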

This may be true, but my customers won't accept AllSites.FullControl for this app.
I just wanted to say that AllSites.Manage is buggy, because if I can change the content of a file, I should be able to change the metadata of an item.