What access does "Read items in all site collections" really give?


Most app permissions specify that they only grant access to what the signed in user already has. I don't want any app to be able to read all items in all site collections, but I doubt that this is what is really meant. The official description from https://docs.microsoft.com/en-us/graph/permissions-reference#sites-permissions says "Allows the app to read documents and list items in all site collections on behalf of the signed-in user." Does "on behalf of the signed-in user" mean that it only grants access to what the user has access to? Or more?

4 Replies
If you are using the delegate permissions model, the *effective* permissions are the cross-section of the API permissions and the user ones, meaning the app will only be able to access what the user can. If using the application permission model, you get unrestricted access to each and every SC. A method to restrict this is now in preview: https://www.michev.info/Blog/Post/3256/limiting-access-to-sharepoint-online-resources-via-the-graph-...
How do I know which model I am using, delegate or application permissions?
If you are providing a username and password, you're using the delegate permissions model. If you are providing a client secret or certificate, it's the application permissions model.
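The reply above identifies the model by the credential used. A more direct check, and one that works for any flow, is to look at the access token itself: tokens issued by the Microsoft identity platform carry delegated permissions in the `scp` claim (space-separated scopes, with a user identity such as `upn`), whereas app-only tokens carry application permissions in the `roles` claim and have no user. The script below is an added example, not code from the thread or from Microsoft; the tokens it inspects are constructed, unsigned samples built inline, and the site paths, user name and app ID are hypothetical. It also models the effective-access rule from the earlier reply: delegated access is the intersection of the granted scope and what the user can already reach, while application access covers every site collection.

```python
"""Classify a Microsoft Graph access token as delegated or app-only from its claims.

Delegated tokens: "scp" claim (granted scopes) plus a user identity ("upn").
App-only tokens:  "roles" claim (application permissions), no user identity.
Signature verification is deliberately omitted: this is offline inspection of a
token you already hold, never an authorization decision.
"""
import base64
import json


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(claims: dict) -> str:
    """Build a CONSTRUCTED sample token (alg=none, empty signature) for this demo.
    Real Graph tokens are RS256-signed by the Microsoft identity platform."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        "",
    ])


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(token: str) -> dict:
    """Decide which permission model a Graph token represents."""
    claims = decode_jwt_claims(token)
    if claims.get("aud") != "https://graph.microsoft.com":
        raise ValueError(f"not a Microsoft Graph token, aud={claims.get('aud')!r}")
    if "scp" in claims:
        model, permissions = "delegated", claims["scp"].split()
    elif "roles" in claims:
        model, permissions = "application", list(claims["roles"])
    else:
        model, permissions = "unknown", []
    return {
        "model": model,
        "permissions": permissions,
        "user": claims.get("upn") or claims.get("preferred_username"),
        "app_id": claims.get("appid") or claims.get("azp"),
    }


def effective_sites(classification: dict, user_sites: list, tenant_sites: list) -> list:
    """Sites the app can actually read with Sites.Read.All under each model:
    delegated = intersection with the user's own access; application = all."""
    if classification["model"] == "delegated":
        return sorted(set(user_sites) & set(tenant_sites))
    if classification["model"] == "application":
        return sorted(tenant_sites)
    return []


# Constructed sample tokens (hypothetical user, app ID and sites; not real tokens).
DELEGATED_TOKEN = make_unsigned_jwt({
    "aud": "https://graph.microsoft.com",
    "scp": "Sites.Read.All User.Read",
    "upn": "alice@contoso.example",
    "appid": "00000000-0000-0000-0000-000000000001",
})
APP_TOKEN = make_unsigned_jwt({
    "aud": "https://graph.microsoft.com",
    "roles": ["Sites.Read.All"],
    "idtyp": "app",
    "appid": "00000000-0000-0000-0000-000000000001",
})
TENANT_SITES = ["/sites/TeamA", "/sites/TeamB", "/sites/HR"]
ALICE_SITES = ["/sites/TeamA"]

if __name__ == "__main__":
    for name, tok in (("delegated", DELEGATED_TOKEN), ("app-only", APP_TOKEN)):
        c = classify_token(tok)
        print(name, c["model"], c["permissions"], "user:", c["user"])
        print("  effective sites:", effective_sites(c, ALICE_SITES, TENANT_SITES))
```

To use it on a real token, paste the bearer string into `classify_token`; a token that shows `roles` rather than `scp` is the one that reads every site collection regardless of who set up the app.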

@Jay Carper 

I received this reply from Microsoft support:

"Regarding the apps for teams, it would be tied into the specific Teams group, which would then lead to its own site collection. The apps themselves are only plugins that attach to the Team once used. For instance, a form created on Team A will be attached to Team A's site directly vs a form on Team B. Due to this group functionality, there would be no way to group together all the apps into one site, as they plugin to the direct Team site being used. From my understanding, you would have to create custom Setup Policies within the Teams admin center, and specifically add members to policies that will allow them to see a set list of apps pinned to their chat bar. This would be very time consuming, as a larger organization would be recreating groups with specific app policies to allow certain users access or deny access. You could control the apps allowed on the organization via Permission Policies as well. With blocking the apps that may cause concern, it could help limit any strange access to read/write items and lists, but most of the time it is needed to add files to the document library of a Teams site. Overall, the policies that can be set would affect either a per user basis, or an entire organizational block/restriction. Natively, teams will allow the users to download any apps they want and would involve a heavy hand within permissions and setup to either restrict access or guide a certain pinned user experience that you'd want them to see."

I asked....

If I am reading your reply correctly, approving this app's permissions will not automatically allow it to read items and lists in all of my SharePoint sites unless the app is installed in the Teams associated with those sites. Is that correct?

Microsoft replied...

"That's right! The app will only need those permissions once it is used. The permissions really fall back on to storage of files and information, and the creation of the app instance or document the app creates. Without access it will not be able to save to the site allowing others to view it. In our day and age, using our phones with apps and those accessing permissions are a bit more pervasive than the permissions used for apps within teams, so I understand the wearied approach."

The app has permission to read items and lists in all site collections, but it doesn't have access to all site collections until a Team owner installs the app in a Team. Then it has access to that Team's SharePoint site only.

The response seemed a little convoluted, so I could still have misunderstood.