Reputation: 1
Why is application permission granted so much privilege on Azure?
I am trying to access files on my SharePoint site from AWS Lambda. From various articles from learn.microsoft, I would require to register an application and add API permission 'Files.Read.All' to my application.
However, the mentioned permission grants my application to read all files in all sites, but I only want my application to be able to read the files in my site (principal of least privilege).
So why is Azure giving application permission so much privilege? Or is there other permissions that I should be giving to my application?
EDIT: As asked on why this is related to Azure, I believe my AWS Lambda would need an access token before I can call any SharePoint API, and in order for the access token to have related permissions, I would need to register app > grant permission.
Upvotes: 0
Views: 108
Answers (1)
Reputation: 16109
Note that: You can restrict the Azure AD application to access specific SharePoint site collections but cannot restrict access to specific files or folders.
To restrict the Azure AD application to particular SharePoint site, grant the below API permission:
And make use of below PowerShell script:
$siteUrl = “https://xxx.sharepoint.com/sites/testruk”
$clientId = “ClientID”
$certThumbprint = “Thumbprint”
$tenant = “xxx.onmicrosoft.com”
Connect-PnPOnline -Url $siteUrl -Interactive
$writeperm = Grant-PnPAzureADAppSitePermission -Permissions “Write” -Site $siteUrl -AppId $clientId -DisplayName “PowerShell-SharepointOnline”
$PermissionId = Get-PnPAzureADAppSitePermission -AppIdentity $clientId
Set-PnPAzureADAppSitePermission -Site $siteurl -PermissionId $(($PermissionId).Id) -Permissions “FullControl”
I am able to access the SharePoint site using the application:
Connect-PnPOnline -Url $siteUrl -ClientId $clientId -Thumbprint $certThumbprint -Tenant $tenant
When I tried to access another SharePoint site, I got 403 error:
- Microsoft Graph permissions are tenant wide and cannot be restricted.
- If the
Files.Read.Allapplication permission granted has been granted to the application, then application will be able to access files from any OneDrive in the organization and it cannot be restricted. - Full level access permissions are given to the Azure AD App if it is granted application type permissions.
References:
How to allow my app without user to access ONLY specific drive or folder - Microsoft Q&A by Vasil Michev
Graph API - Restrict OneDrive/Sharepoint Access when using "Files.ReadWrite.All" and "Sites.ReadWrite.all" Permissions - Microsoft Q&A by CarlZhao-MSFT
Upvotes: 0
Related Questions
- Access Sharepoint Online Files from .NET Worker Service via Microsoft Graph/OAuth - Unauthorized or Access Denied error (401)
- Azure Blob Storage "Authorization Permission Mismatch" error for get request with AD token
- Why is "Application permissions" disabled in Azure AD's "Request API permissions"?
- Azure Add App Registrations you don't have Permission
- Create Azure AD group with Group.Create Permission
- Azure AD Graph - AppRole Creation using Application Credential Flow
- Missing application permission scopes in Azure AD JWT token
- Give Azure application permissions over API such as "Office SharePoint Online" via PowerShell
- Azure Active Directory Application Permission Change Delay