Need Clarification regarding Permission Scope XML 'AllowAppOnlyPolicy="true"'


Hello Everyone,

I am working on copying SharePoint files to blob via ADF through this Microsoft Doc.

Now this doc says (for giving service principal / app access to SharePoint site)

For Site Owner permission use

<AppPermissionRequests>
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Read"/>
</AppPermissionRequests>

For Site Admin permission use

<AppPermissionRequests AllowAppOnlyPolicy="true">
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Read"/>
</AppPermissionRequests>

Is this correct? As the only difference between these two is 'AllowAppOnlyPolicy="true"'.

According to another Microsoft Doc.

The reason we use 'AllowAppOnlyPolicy="true"' is so that the app works even when the user doesn't have access to SharePoint.

 

Our team was using the Site Owner XML to follow the least privilege principle but is unable to get data. [HttpFileFailedToRead , remote server returned an error : 403 forbidden error]

But if 'AllowAppOnlyPolicy="true"' will not give site admin role then we will use it [as our team does not have access to SharePoint].

We are cautious as the SPO site has some restricted content.

In short, I want to know what 'AllowAppOnlyPolicy="true"' does. Will it give site admin role or something else?

 

Thank You

0 Replies
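
An added example, not part of the original post or of Microsoft's documentation: a small Python check that parses the two permission request XML documents quoted in the post and reports which fields differ, so a reviewer can read the requested Scope and Right separately from the AllowAppOnlyPolicy attribute before approving a grant. The function names, the third (constructed) request and the list of Right values are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# SharePoint add-in permission levels, lowest to highest (assumed list).
RIGHT_ORDER = ["Read", "Write", "Manage", "FullControl"]

# The two requests quoted in the post, plus one constructed broader request.
WITHOUT_APP_ONLY = """<AppPermissionRequests>
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Read"/>
</AppPermissionRequests>"""
WITH_APP_ONLY = """<AppPermissionRequests AllowAppOnlyPolicy="true">
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Read"/>
</AppPermissionRequests>"""
CONSTRUCTED_BROAD = """<AppPermissionRequests AllowAppOnlyPolicy="true">
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl"/>
</AppPermissionRequests>"""


def summarize_permission_request(xml_text):
    """Return what a permission request XML asks for, attribute by attribute."""
    root = ET.fromstring(xml_text)  # inputs here are local constants, not untrusted XML
    if root.tag != "AppPermissionRequests":
        raise ValueError("root element must be AppPermissionRequests")
    # The attribute is absent in the first request on the page; absent is read as false.
    app_only = root.get("AllowAppOnlyPolicy", "false").strip().lower() == "true"
    requests = []
    for req in root.findall("AppPermissionRequest"):
        scope, right = req.get("Scope"), req.get("Right")
        if not scope or right not in RIGHT_ORDER:
            raise ValueError(f"unexpected request: Scope={scope!r} Right={right!r}")
        requests.append((scope, right))
    highest = max((r for _, r in requests), key=RIGHT_ORDER.index, default=None)
    return {"app_only": app_only, "requests": requests, "highest_right": highest}


def diff_requests(before_xml, after_xml):
    """Map each field that differs to its (before, after) values."""
    before = summarize_permission_request(before_xml)
    after = summarize_permission_request(after_xml)
    return {k: (before[k], after[k]) for k in before if before[k] != after[k]}


if __name__ == "__main__":
    print(diff_requests(WITHOUT_APP_ONLY, WITH_APP_ONLY))
    print(diff_requests(WITH_APP_ONLY, CONSTRUCTED_BROAD))
```

For the two requests in the post the diff contains only `app_only`; the requested Scope and Right are identical in both.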