Controlling an application's API access to a SharePoint site - microsoft-graph-api

I have an external program that I have scheduled to run once a day (i.e. no user interaction). This program should upload a file to a SharePoint Online site, using Microsoft Graph API. I'm able to enable this in Azure Active Directory by registering an app, and giving this app the application permission File.ReadWrite.All, then sending a PUT request to
https://graph.microsoft.com/v1.0/drives/{drive-id}/items/{parent-id}:/{filename}:/content
However, by granting File.ReadWrite.All, the program will have access to all files in all site collections for my organization. I want to limit access to a specific site, or perhaps just a specific folder within that site. How can this be achieved? (without the need for a user to interactively sign in when the program is run)

Edit (2021-03-04): This is possible now: https://developer.microsoft.com/office/blogs/controlling-app-access-on-specific-sharepoint-site-collections/
It is not currently possible to restrict app-only access to a specific SharePoint site, through Microsoft Graph.

Related

How do you automatically look up Microsoft teams app tenant id

We have created a Microsoft Teams tab app with bot integration that we want to distribute to various organizations either manually or via an App Store. In summary,
We created Tabs App with Microsoft Bot using node.js botbuilder package.
We provided zip archive to another organization (another tenant Id).
Organization uploaded our app using Microsoft Teams Admin panel and approved permission in Permission tabs.
Question is how can we receive the tenant id from the organization we are deploying to without asking their admins to go to Azure Active Directory and look it up. Once provided, the graph api and the multi tenant bot does work fine. We are trying to avoid asking their admin to provide us the tenant id and want to retrieve it automatically upon the app being uploaded or on startup.
Thank you.
The best place to get the tenant id is from the access token you are provided by logging in to your app. Look for the 'tid' value.
I'm assuming you are talking about streamlining the company-wide admin consent for your application.
What you can do is have a web site that a customer's admin can log into (using the standard Microsoft OAuth interactive flow). You can then pull the Tenant ID from the access token and then run through the Microsoft consent process. Once the consent process has redirected back to your web site, you can do your own customer onboarding if required.
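The consent step this answer describes, as an added example (not code from the answer): it builds the Microsoft identity platform admin-consent URL and validates the redirect, which also carries the consenting tenant's id in the `tenant` query parameter. The client id, redirect URI and sample redirect are constructed placeholders, and the function names are hypothetical.

```python
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

GUID = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)
# "organizations" lets an admin of any work or school tenant sign in.
CONSENT = "https://login.microsoftonline.com/organizations/v2.0/adminconsent"


def build_admin_consent_url(client_id, redirect_uri):
    """Return (url, state); keep state in the admin's server-side session."""
    state = secrets.token_urlsafe(32)
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "scope": "https://graph.microsoft.com/.default",
    })
    return f"{CONSENT}?{query}", state


def tenant_from_consent_redirect(redirect_url, expected_state):
    """Return the consenting tenant's id from the redirect, or raise ValueError."""
    params = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
    # Reject redirects that do not carry the state we issued (CSRF / mix-up).
    got = params.get("state", "").encode()
    if not secrets.compare_digest(got, expected_state.encode()):
        raise ValueError("state mismatch")
    if "error" in params:
        raise ValueError("consent failed: " + params["error"])
    if params.get("admin_consent", "").lower() != "true":
        raise ValueError("admin consent was not granted")
    tenant = params.get("tenant", "")
    if not GUID.fullmatch(tenant):
        raise ValueError("tenant parameter is not a GUID")
    return tenant.lower()
```

Before creating the onboarding record, compare the returned value with the `tid` claim of the admin's validated sign-in token; the query parameter alone is not signed.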

How do I scope and obtain admin authorization for my Microsoft Graph API daemon from my admin team?

I have a specific SharePoint site that I have been asked to integrate my web-based application with in a read-only fashion using my backend server.
I currently have an app with Default Directory only (Single tenant) access, for which I am modifying the Application API permissions to also require Sites.Selected; however, this one is requiring that I obtain Admin consent.
I have had an absolutely atrocious time trying to figure out how to obtain access to my specific site and not grant access to every single site in my tenant.
I'm working on a dummy Azure account prior to asking my ops team for the real permissions from the real ecosystem, but I don't have a SharePoint site to test on because I don't know how to set it up. The IT department team who manages it is very slow to answer, so it's difficult to move the ball forward without knowing exactly what I need before asking.
Under "Enterprise Applications" > {My Application Name} > Permissions (left sidebar), I see a big blue button that I read about in some docs, but I'm scared to grant the permissions because it says I give my app access to the default directory, which I don't want to do, and it provides nowhere for me to specify my "selected" site.
Does anyone have more information on how I can grant a specific site to my app?
Every article I run into talks about admin confirmation but neglects to tell me specifically how it's done.
Default Directory is just a default name for your tenant, and not related to any default collection of sites. See my tenant name v6pz1 in the image
For this Sites.Selected permission, it's a 2-step process for giving your app access to the sites:
1. The app needs to be given permission to the site at the SharePoint level.
2. The app needs to be granted admin consent to access the sites through the Graph API.
You see this described in the MS Graph permissions reference table as well.
Allow the application to access a subset of site collections without a signed in user. The specific site collections and the permissions granted will be configured in SharePoint Online.
To actually grant your app the SharePoint permission to a site, you can use the MS Graph endpoint to create permissions
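The grant step described in this answer, which is also the scoping asked for in the first question on this page, as an added example (not code from either post): it builds the `POST /sites/{site-id}/permissions` request and checks a daemon token's `roles` claim for tenant-wide permissions. The site id, app id and claims are constructed placeholders, the function names are hypothetical, and the identity sending the request is assumed to hold Sites.FullControl.All.

```python
import json

GRAPH = "https://graph.microsoft.com/v1.0"
SITE_ROLES = {"read", "write"}  # roles this example allows on a single site
TENANT_WIDE = {
    "Sites.Read.All", "Sites.ReadWrite.All", "Sites.Manage.All",
    "Sites.FullControl.All", "Files.Read.All", "Files.ReadWrite.All",
}


def build_site_grant(site_id, app_id, app_name, roles):
    """Build the request an admin sends to give one app access to one site."""
    roles = sorted(set(roles))
    if not roles or not set(roles) <= SITE_ROLES:
        raise ValueError("roles must be a non-empty subset of %s" % sorted(SITE_ROLES))
    body = {
        "roles": roles,
        "grantedToIdentities": [
            {"application": {"id": app_id, "displayName": app_name}}
        ],
    }
    return {
        "method": "POST",
        "url": f"{GRAPH}/sites/{site_id}/permissions",
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps(body),
    }


def audit_app_roles(token_claims):
    """Check the `roles` claim of the daemon's app-only token for over-privilege."""
    roles = set(token_claims.get("roles", []))
    broad = sorted(roles & TENANT_WIDE)
    return {"scoped": "Sites.Selected" in roles and not broad, "tenant_wide": broad}
```

A read-only integration passes `["read"]`; an upload daemon needs `["write"]`. If `audit_app_roles` reports any tenant-wide entry, the app registration still holds a permission that bypasses the per-site grant.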

How to integrate Microsoft Graph API for Microsoft Teams App published in Market Place?

I want to develop a Microsoft Teams app which will use Graph API and publish it to Market Place. All articles I have read suggest this integration requires Application Registration on Azure Portal of a specific tenant. However, how can I register the application if the application is published, i.e. not for any specific tenant?
Yes, this is definitely possible. If you look at the screenshot in this article (just below where this link will take you), the screenshot shows "Accounts in this organizational directory only". You want to choose the OTHER option: "Accounts in any organizational directory".
Depending on what your app does, you will need some kind of authorization though, either from the user(s) or from the administrator, in the end-user's tenant.

Access DocumentLibrary via OneDrive API or alternative

I have a private group with a site where we have a document library. (I have access to this group/site)
I am currently trying to access the files within this directory.
Document Library:
https://support.office.com/en-us/article/what-is-a-document-library-3b5976dd-65cf-4c9e-bf5a-713c10ca2872
I registered an application in the Azure portal and I think I set all necessary permissions.
Microsoft Graph:
Read all groups
Read directory data
Access directory as the signed in user
Read all files that user can access
Read items in all site collections
Office 365 SharePoint Online:
Read user profiles
Read user files
Read items in all site collections
Read managed metadata
Windows Azure Active Directory:
All permissions given
I am able to get a token via OAuth authentication, but:
Accessing
https://graph.microsoft.com/v1.0/
Tells me
InvalidAuthenticationToken
Accessing
https://tenantname.sharepoint.com/_api/v1.0/
Is working, but I did not find a way to access the document library from there
In the end, I want to access (List&Read) the files in an iOS application. It would be great to use the onedrive-sdk for this, as the office365-sdk seems broken for Swift4 at the moment.
I may have left out some information; in that case, just ask for it.

Restrict Microsoft Graph Service Account / Client Credentials

I'm developing an application on Microsoft Graph that runs as a daemon, and needs access to many accounts. As a result, I'm using a service account, also known as client credentials (using this method).
I can request the proper scope (calendars.readwrite); however, as far as I can see, I cannot restrict which calendars I have access to. In my case, I only need access to the meeting room calendars, and I'm afraid that organisations will not allow my application if I can also read and write from/to the CEO's calendar.
Is there any way (either while creating the app, or during/after giving admin consent) to restrict my app to only a subset of calendars? Or should I approach this problem differently and (e.g.) not use a service account in the first place?
