We have a 3rd-party cloud application (3PA) that is accessing SharePoint content through the use of Delegated Access to SharePoint. This means that technically 3PA can access all SharePoint sites of our corporation globally. Given that a corporate account used with this application has access permissions on other sites as well as the one SharePoint site 3PA requires access to, the delegated access permissions would also give the 3PA service these permissions. In case of a compromise of this cloud service (e.g. by a supply-chain attack), this would lead to a potential compromise of corporate data, including information that is beyond the trust relationship with 3PA.
We are now seeking a resolution for this significant problem and would like to know ways to work around this, or even better to resolve it.
For example, is there a way that when the 3PA accesses content on SharePoint as the delegated user, this can be limited to a specific SharePoint site only? If this is not readily available yet, can it be developed?