SharePoint / sp-dev-docs

SharePoint & Viva Connections Developer Documentation
https://docs.microsoft.com/en-us/sharepoint/dev/
Creative Commons Attribution 4.0 International

Granting permissions to subset of site collections using Sites.Selected permissions #9356

Open remar27 opened 10 months ago

remar27 commented 10 months ago

What type of issue is this?

Question

What SharePoint development model, framework, SDK or API is this about?

SharePoint CSOM

Target SharePoint environment

SharePoint Online

What browser(s) / client(s) have you tested

Additional environment details

Issue description

Hello,

As recently announced, SharePoint Add-Ins will soon be retired, and starting from November 2024, new tenants will no longer be able to use SharePoint Add-Ins, regardless of their origin (public marketplace or private tenant catalog).

Our company has developed numerous provider-hosted SharePoint Add-Ins deployed across various organizations. We are currently exploring options to migrate these solutions to the Web App type registered in Azure Entra. The provider-hosted SharePoint Add-Ins currently utilize CSOM, making the migration path easiest through SharePoint API permissions. The required permissions are limited to accessing SharePoint data (such as AllSites.FullControl, AllSites.Manage, AllSites.Read...) and application permissions (Sites.FullControl.All, Sites.ManageAll, Sites.ReadAll, Sites.Selected).

However, permissions like AllSites.Read or Sites.ReadAll grant access to sensitive data that cannot be provided to our apps. Therefore, permissions like Sites.Selected would ideally suit our needs. Unfortunately, while attempting to use these permissions, we have found it challenging to control which sites are permitted access and to manage these permissions via the UI or admin center. The web app permission consent screen suggests configuration possibilities within SharePoint Online, but I believe this information is incorrect.


Could anyone confirm if there are current possibilities or future plans to implement UI-based management of SharePoint permissions for the Web App by admins? I'm aware of alternatives like the MS Graph API or PowerShell for granting and managing permissions. However, these methods might be cumbersome and won't allow for easy adoption of the web app without detailed instructions for admins on configuring SP permissions.

Thank you, Martin

ghost commented 10 months ago

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.

remar27 commented 10 months ago

After further research, I discovered that you can assign permissions to the app for a particular site using the MS Graph API, but your app must have Sites.FullControl.All permissions (https://learn.microsoft.com/en-us/graph/api/site-post-permissions?view=graph-rest-1.0&tabs=http). This requirement seems like too much overhead. Additionally, while you can develop a second web app for permission management that utilizes MS Graph and Sites.FullControl.All permissions, this approach seems absurd.
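
The per-site grant described in this comment, written out as an added example (not code from the issue or from sp-dev-docs): it builds the Graph v1.0 `POST /sites/{site-id}/permissions` request that gives a Sites.Selected app `read` or `write` on exactly one site, enforces a constructed least-privilege policy that refuses anything broader, and reviews an existing permission listing so an admin can verify what an app actually holds. The calling identity still has to carry Sites.FullControl.All, as the comment notes; the site id, app id and display name used below are placeholders, and `RecordingSession` is a constructed stand-in for a `requests.Session` so the example runs offline.

```python
GRAPH = "https://graph.microsoft.com/v1.0"
# Least-privilege policy (constructed for this example): the only Graph
# site-permission roles this tenant is willing to hand to a Sites.Selected app.
ALLOWED_ROLES = {"read", "write"}


def build_grant(site_id, app_id, app_name, roles):
    """Return (url, body) for POST /sites/{site-id}/permissions.

    site_id is the composite Graph site id (hostname,siteCollectionId,webId);
    app_id is the Entra application (client) id of the Sites.Selected app.
    """
    wanted = set(roles)
    if not wanted or wanted - ALLOWED_ROLES:
        raise ValueError(f"roles {sorted(wanted)} not permitted by policy {sorted(ALLOWED_ROLES)}")
    body = {
        "roles": sorted(wanted),
        "grantedToIdentities": [{"application": {"id": app_id, "displayName": app_name}}],
    }
    return f"{GRAPH}/sites/{site_id}/permissions", body


def grant_site_permission(session, site_id, app_id, app_name, roles):
    """POST the grant through a requests-style session whose bearer token belongs
    to the admin identity holding Sites.FullControl.All; returns the permission."""
    url, body = build_grant(site_id, app_id, app_name, roles)
    resp = session.post(url, json=body)
    resp.raise_for_status()
    return resp.json()


def audit_grants(permissions, app_id):
    """Roles an app holds on a site, taken from the value array returned by
    GET /sites/{site-id}/permissions. Both identity keys are checked because
    responses may carry grantedToIdentities, grantedToIdentitiesV2, or both."""
    roles = set()
    for perm in permissions:
        for key in ("grantedToIdentities", "grantedToIdentitiesV2"):
            for ident in perm.get(key, []):
                if ident.get("application", {}).get("id") == app_id:
                    roles.update(perm.get("roles", []))
    return sorted(roles)


class RecordingSession:
    """Constructed stand-in for requests.Session: records each POST and answers
    with a minimal Graph-shaped permission object instead of calling the network."""
    def __init__(self):
        self.calls = []

    def post(self, url, json=None):
        self.calls.append((url, json))
        body = json

        class Response:
            def raise_for_status(self):
                pass

            def json(self):
                return {"id": "perm-1", **body}
        return Response()
```

Swap `RecordingSession` for a real `requests.Session` carrying `Authorization: Bearer <token>` to perform the grant; `audit_grants` runs unchanged over the live listing.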

LuwkasLima commented 5 days ago

Great description @remar27.

I've recently run into a similar issue where I need to grant "Sites.FullControl.All" to my Generative AI platform Application ID in order to pull site group permissions when executing indexing of SharePoint sites. Our Cyber Security and SharePoint teams did not like it for obvious reasons, and we had to escalate it internally to Microsoft.

Long story short, the only solution we found was to centralize the control of the Application ID to a specific team in our organization and construct an API wrapper around it to constrain our platform's actions to the SharePoint site through Graph API.

@nick-pape have we got any progress on this topic you could share with us or a suggestion for workaround? Thank you!