Open remar27 opened 1 year ago
Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.
After further research, I discovered that you can assign permissions to the app for a particular site using the MS Graph API, but your app must have Sites.FullControl.All permissions (https://learn.microsoft.com/en-us/graph/api/site-post-permissions?view=graph-rest-1.0&tabs=http). This requirement seems like too much overhead. Additionally, while you can develop a second web app for permission management that utilizes MS Graph and Sites.FullControl.All permissions, this approach seems absurd.
Great description @remar27.
I've recently got to a similar issue where I need to grant "Sites.FullControl.All" to my Generative AI platform Application ID in order to pull site group permissions when executing indexing of SharePoint sites. Our Cyber Security and Sharepoint teams did not like it for obvious reasons, and we had to escalate it internally to Microsoft.
Long story short, the only solution we found was to centralize the control of the Application ID to a specific team in our organization and construct an API wrapper around it to constraint our platform's actions to the SharePoint site through Graph API.
@nick-pape have we got any progress on this topic you could share with us or a suggestion for workaround? Thank you!
What type of issue is this?
Question
What SharePoint development model, framework, SDK or API is this about?
SharePoint CSOM
Target SharePoint environment
SharePoint Online
What browser(s) / client(s) have you tested
Additional environment details
Issue description
Hello,
As recently announced, SharePoint Add-Ins will soon be retired, and starting from November 2024, new tenants will no longer be able to use SharePoint Add-Ins, regardless of their origin (public marketplace or private tenant catalog).
Our company has developed numerous provider-hosted SharePoint Add-Ins deployed across various organizations. We are currently exploring options to migrate these solutions to the Web App type registered in Azure Entra. The provider-hosted SharePoint Add-Ins currently utilize CSOM, making the migration path easiest through SharePoint API permissions. The required permissions are limited to accessing SharePoint data (such as AllSites.FullControl, AllSites.Manage, AllSites.Read...) and application permissions (Sites.FullControl.All, Sites.ManageAll, Sites.ReadAll, Sites.Selected).
However, permissions like AllSites.Read or Sites.ReadAll grant access to sensitive data that cannot be provided to our apps. Therefore, permissions like Sites.Selected would ideally suit our needs. Unfortunately, while attempting to use these permissions, we have found it challenging to control which sites are permitted access and to manage these permissions via the UI or admin center. The web app permission consent screen suggests configuration possibilities within SharePoint Online, but I believe this information is incorrect.
Could anyone confirm if there are current possibilities or future plans to implement UI-based management of SharePoint permissions for the Web App by admins? I'm aware of alternatives like the MS Graph API or PowerShell for granting and managing permissions. However, these methods might be cumbersome and won't allow for easy adoption of the web app without detailed instructions for admins on configuring SP permissions.
Thank you, Martin