Reputation: 871
I can't seem to find Office365 REST API scopes relating to Office365 SharePoint. For outlook.office.com you can utilize scopes like `https://outlook.office.com/mail.read`.
Does anyone know of, or could point me to, rest api scopes for Office365 SharePoint?
Upvotes: 3
Views: 11606
Reputation: 1133
To add to Ben Menesi's answer, I found the following permissions for SharePoint in http://portal.azure.com (App registration / API permissions, i.e. for the SharePoint Online REST API):
| Permission | Description | Admin consent |
|---|---|---|
| **Sites** | | |
| Sites.FullControl.All | Have full control of all site collections | Yes |
| Sites.Manage.All | Read and write items and lists in all site collections | Yes |
| Sites.Read.All | Read items in all site collections | Yes |
| Sites.ReadWrite.All | Read and write items in all site collections | Yes |
| **TermStore** | | |
| TermStore.Read.All | Read managed metadata | Yes |
| TermStore.ReadWrite.All | Read and write managed metadata | Yes |
| **User** | | |
| User.Read.All | Read user profiles | Yes |
| User.ReadWrite.All | Read and write user profiles | Yes |
| Permission | Description | Admin consent |
|---|---|---|
| **AllSites** | | |
| AllSites.FullControl | Have full control of all site collections | Yes |
| AllSites.Manage | Read and write items and lists in all site collections | - |
| AllSites.Read | Read items in all site collections | - |
| AllSites.Write | Read and write items in all site collections | - |
| **MyFiles** | | |
| MyFiles.Read | Read user files | - |
| MyFiles.Write | Read and write user files | - |
| **Sites** | | |
| Sites.Search.All | Run search queries as a user | Yes |
| **TermStore** | | |
| TermStore.Read.All | Read managed metadata | Yes |
| TermStore.ReadWrite.All | Read and write managed metadata | Yes |
| **User** | | |
| User.Read.All | Read user profiles | Yes |
| User.ReadWrite.All | Read and write user profiles | Yes |
There is a note about admin consent stating:
The note redirects here
Upvotes: 2
Reputation: 163
This all depends on which REST API you'd like to use. The two choices here are the Office365 SharePoint Online REST API and Microsoft's Graph API. While generally speaking those product specific APIs are a bit more powerful for now, the MS Graph is being improved extremely fast and so according to Microsoft, that would be the way to go.
Another difference, too, is the Azure AD endpoint where you register your application. While the MS Graph API supports both v1.0 (Azure AD Admin center > enterprise apps) and v2.0 (apps.dev.microsoft.com) endpoint registrations, using the SharePoint Online REST API is only supported by v1.0 AFAIK. In the long run, v1.0 will be deprecated, so that is another reason to go with the Microsoft Graph API.
Anywho, there are a different set of permission scopes depending on which API you use. Also it's important to differentiate between application permissions (as in: no user present) and delegated permissions (on behalf of a signed-in user). For the SharePoint Online REST API, you can use the following permissions. Application permissions: read user profiles, read and write user profiles, read and write managed metadata, read managed metadata, read and write items and lists in all site collections, have full control of all site collections, read items in all site collections, read and write items in all site collections. Delegated permissions: read user profiles, read and write user profiles, read and write user files, read user files.
For the MS Graph API you can use the following permission scopes. Application permissions: Sites.Read.All, Sites.ReadWrite.All, Sites.Manage.All, Sites.FullControl.All. Delegated permissions: Sites.Read.All, Sites.ReadWrite.All.
As you can see there are a few overlapping permission scopes between the MS Graph and SharePoint online APIs, but it's sort of difficult because of the difference in the way they are named. Another important concept is that while application permissions are generally more powerful, they are all subject to admin consent, while you can get away with a simple user consent for delegated permissions. On the other hand, even if you end up granting Sites.ReadWrite.All, this won't allow the user to do stuff they wouldn't be authorized to do otherwise according to their SharePoint permissions.
More info on Graph API Permission scopes: https://msdn.microsoft.com/library/azure/ad/graph/howto/azure-ad-graph-api-permission-scopes
Hope this helps
Ben
Upvotes: 2
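The distinction Ben draws between delegated permissions (on behalf of a signed-in user) and application permissions (no user present), and the permission names listed in the table above, show up concretely in the access token Azure AD issues: a delegated token carries a space-separated `scp` claim, an app-only token carries a `roles` array. The following Python is an added example (not code from either answer or from Microsoft) that inspects a token's claims before a call is made, reports which kind of permission it carries, checks that the required permission is present, and flags anything broader than needed so an over-scoped registration is noticed. The sample tokens are constructed inline with an empty signature purely as input; the ordering `Read < ReadWrite < Manage < FullControl` is an assumption inferred from the descriptions in the table, not a documented rule, and signature verification is deliberately out of scope here (the resource API must do that, this code only inspects).

```python
import base64
import json

# Assumed ranking of the Graph "Sites" permission family, inferred from the
# descriptions in the answers above (broader permission = higher number).
SITES_RANK = {
    "Sites.Read.All": 1,
    "Sites.ReadWrite.All": 2,
    "Sites.Manage.All": 3,
    "Sites.FullControl.All": 4,
}


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(token):
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.

    Suitable for local diagnostics only; an API receiving the token must
    validate the signature, issuer and expiry before trusting these claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(claims):
    """Classify the token: delegated tokens carry 'scp', app-only tokens carry 'roles'."""
    if "scp" in claims:
        return "delegated", set(claims["scp"].split())
    if "roles" in claims:
        return "application", set(claims["roles"])
    return "none", set()


def check_token(token, required, expected_aud):
    """Report whether the token is usable for `required` against `expected_aud`.

    Returns a dict with the permission kind, whether the requirement is
    satisfied (exactly or by an assumed-broader Sites permission), the audience
    check, and a least-privilege list of Sites permissions broader than required.
    """
    claims = token_claims(token)
    kind, perms = granted_permissions(claims)
    req_rank = SITES_RANK.get(required, 0)

    satisfied = required in perms
    if not satisfied and req_rank:
        satisfied = any(SITES_RANK.get(p, 0) >= req_rank for p in perms)

    broader = sorted(p for p in perms if SITES_RANK.get(p, 0) > req_rank)
    return {
        "kind": kind,
        "aud_ok": claims.get("aud") == expected_aud,
        "satisfied": satisfied,
        "over_privileged": broader,
    }


def make_unsigned_token(claims):
    """Build a JWT-shaped string with an empty signature (constructed sample input only)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed samples: one delegated token, one app-only token, both for Graph.
GRAPH_AUD = "https://graph.microsoft.com"
DELEGATED_SAMPLE = make_unsigned_token(
    {"aud": GRAPH_AUD, "scp": "Sites.Read.All User.Read", "upn": "user@example.com"}
)
APP_SAMPLE = make_unsigned_token({"aud": GRAPH_AUD, "roles": ["Sites.FullControl.All"]})

if __name__ == "__main__":
    for name, tok in (("delegated", DELEGATED_SAMPLE), ("app-only", APP_SAMPLE)):
        print(name, check_token(tok, "Sites.Read.All", GRAPH_AUD))
```

For the SharePoint Online REST API the audience would be the tenant's SharePoint host rather than the Graph URL, and the `AllSites.*` / `MyFiles.*` names from the second table would replace the `Sites.*` family; the claim shapes (`scp` versus `roles`) are the same. The `over_privileged` list is the part worth wiring into a deployment check: an app registered with `Sites.FullControl.All` when it only reads items is exactly the over-consent Ben's last paragraph warns about.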
Reputation: 371
See here: https://msdn.microsoft.com/office/office365/HowTo/application-manifest
You should also see the scopes in your Azure Management Portal if you configure your app.
Upvotes: 1