Limit access to a specific Share Point

Copper Contributor

We have a 3rd party Cloud application (3PA) that is accessing Share Point content through the use of  Delegated Access to Share Point.  This means that technically 3PA can access all SharePoint sites of our corporate globally. Given that an corporate account account used with this application has access permissions on other sites as well than the one and only SharePoint site 3PA requires access to, the delegated access permissions would also give the 3PA Service these permissions. In case of a compromise of this Cloud Service (e.g. by a Supply-Chain-Attack) this would lead to a potential compromise of corporate data – also information that are beyond the trust relationship with 3PA.

We are now seeking for a resolution for this significant problem and would like to know ways to workaround this and even better resolve it.

For example is there a way that when a 3PA access content of the delegated user on Share Point that this can be limited to a specific Share Point site only? If not readily available yet, can this be developed?

1 Reply
Applications using the delegate permissions model only have access to sites that the user in whose context you are running the app does. So the way to control access would be to limit the permissions granted on the user.
Applications using the application permissions model get unrestricted access by default. For that scenario, you can use the Sites.Selected permission as detailed here: