CODEWITHSUNDEEP
sharepointmicrosoft-graph-apisharepoint-online
Ramesh Chinnappan
Ramesh Chinnappan

Reputation: 11

Grant Identities permission only to a Particular sharepoint drive/document library and not at the site level

I am handling SharePoint granular permission using the sites.Selected the scope option and granted the application access/role via graph API permission. It is working fine, If the app needs to work with all the available Lists/Drives with the site.

For ex. https://graph.microsoft.com/v1.0/sites/{site-Id}/Permissions and passing the below payload.

{
    "roles": [
        "write"
    ],
    "grantedToIdentitiesV2": [
        {
            "application": {
                "id": << App Id >>
                "displayName": "TestDaemonGraphAPI"
            }
        }
    ]
}

However, I have a couple of drive/document libraries where the access needs to be restricted for the App. Since I am setting permission at the site level, it allows access to all the drives.

How can we allow access at only Drive/library level using graph api?

Update: I've tried granting permission at the Drive level, it was failing. Error Detail

Upvotes: 1

Views: 1011

Answers (2)

geoced
geoced

Reputation: 732

A bit late, but this is now possible since June/July 2024 on the beta API. See here:

https://www.michev.info/blog/post/6074/granular-permissions-for-working-with-files-list-items-and-lists-added-to-the-graph-api

https://learn.microsoft.com/en-us/graph/permissions-selected-overview?tabs=http

Upvotes: 2

kavya Saraboju
kavya Saraboju

Reputation: 10859

As you can restrict which Site collections or drives can be accessed, first give Sites.Seletced permissions which restricts for only sites as you have already set.

enter image description here

Get all the ID of drive and select the Drive Id of the drives or document library that you want to restrict access to:

GET https://graph.microsoft.com/v1.0/sites/{site-id}/drives

enter image description here

Then create a role specific to drive , and select only app that can have access to

POST https://graph.microsoft.com/v1.0/drives/{drive-id}/permissions

{
    "roles": ["write"],
    "grantedToIdentitiesV2": [
        {
            "application": {
                "id": "{appid}"
            }
        }
    ]
}

And then delete the site permissions

DELETE https://graph.microsoft.com/v1.0/sites/{site-id}/permissions/{permission-id}

Check if this will restrict access to only that particular drive. I couldn't check this as I can't access as office365 license is needed.

Reference:

Controlling app access on a specific SharePoint site collections is now available in Microsoft Graph - Microsoft 365 Developer Blog

or

You can check this way of breaking permissions with unique permissions by inviting only few users Customize permissions for a SharePoint list or library - Microsoft Support

Upvotes: 1

Related Questions