elastic / connectors

Source code for all Elastic connectors, developed by the Search team at Elastic, and home of our Python connector development framework
https://www.elastic.co/guide/en/enterprise-search/master/index.html

Use application "Sites.Selected" to avoid requiring broader ".Read.All" permissions #2639

Open danajuratoni opened 2 weeks ago

danajuratoni commented 2 weeks ago

Problem Description

There are multiple cases where company policy doesn't allow customers to grant the current ".Read.All" permissions required for SharePoint connectors to work. Allowing the connector access to all sites and resources causes compliance issues and is seen as a potential security risk. However, the current solution is the only option available for the connector to function properly, as there is no instrumentation from Microsoft to limit access at the moment.

From our SPO documentation

Graph API permissions

Microsoft recommends using Graph API for all operations with SharePoint Online. Graph API is well-documented and more efficient at fetching data, which helps avoid throttling. Refer to Microsoft’s throttling policies for more information.

Here’s a summary of why we use these Graph API permissions:

  • Sites.Read.All is used to fetch the sites and their metadata
  • Files.Read.All is used to fetch Site Drives and files in these drives
  • Groups.Read.All is used to fetch groups for document-level permissions
  • User.Read.All is used to fetch user information for document-level permissions

Due to the way the Graph API is designed, these permissions are "all or nothing" - it’s currently impossible to limit access to these resources.

Proposed Solution

Ideally customers should be able to specify more restrictive access, expanding to include more sites and resources as needed.

Investigate whether using the application permission "Sites.Selected" bypasses the requirement for broader ".Read.All" permissions and allows us to limit access to specific resources.

Resources: https://devblogs.microsoft.com/microsoft365dev/sharepoint-now-supports-delegated-sites-selected-authentication/
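As an added example (not code from the connectors repository or from the issue author), the following Python script audits what an app registration has actually been granted: it decodes the `roles` claim of an app-only Graph access token, reports which of the four permissions listed in the issue are present, flags the ones that are tenant-wide, and notes when the narrower Sites.Selected role is present instead. The token is constructed inline and its signature is deliberately not verified, since this is a local posture check rather than authentication; the role names come from the issue text, and the reading of Sites.Selected as limited to site collections explicitly granted to the app is an assumption stated in the code.

```python
"""Least-privilege audit of the Graph application permissions granted to a
SharePoint connector app registration, read from the `roles` claim of an
app-only access token. Added example; not the connectors project's own code."""
import base64
import json

# The four application permissions the SPO connector documentation lists,
# with what the connector uses each one for.
REQUIRED_GRAPH_ROLES = {
    "Sites.Read.All": "fetch the sites and their metadata",
    "Files.Read.All": "fetch site drives and the files in them",
    "Groups.Read.All": "fetch groups for document-level permissions",
    "User.Read.All": "fetch user information for document-level permissions",
}

# Roles that grant tenant-wide ("all or nothing") site/file access, and the
# narrower role the issue proposes. Assumption: under Sites.Selected only the
# site collections explicitly granted to the app are readable.
TENANT_WIDE_SITE_ROLES = {"Sites.Read.All", "Files.Read.All"}
SELECTED_SITE_ROLE = "Sites.Selected"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT *without* verifying its signature.
    That is deliberate: this is a local audit of what was granted, not an
    authentication step, so nothing here may rely on the token being genuine."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(claims: dict) -> set:
    """Application permissions live in `roles`; delegated scopes in `scp`."""
    perms = set(claims.get("roles", []))
    perms.update(claims.get("scp", "").split())
    return perms


def audit(perms) -> dict:
    """Compare granted permissions with what the connector needs and flag
    tenant-wide access."""
    perms = set(perms)
    required = set(REQUIRED_GRAPH_ROLES)
    tenant_wide = sorted(perms & TENANT_WIDE_SITE_ROLES)
    uses_selected = SELECTED_SITE_ROLE in perms
    findings = []
    for role in tenant_wide:
        findings.append(
            f"{role} grants read access to every site in the tenant "
            f"(used to {REQUIRED_GRAPH_ROLES[role]})"
        )
    if uses_selected and not tenant_wide:
        findings.append(
            f"{SELECTED_SITE_ROLE} present: site/file access limited to the "
            "site collections explicitly granted to the app (assumption)"
        )
    return {
        "granted_required": sorted(perms & required),
        "missing": sorted(required - perms),
        "tenant_wide_site_access": bool(tenant_wide),
        "uses_sites_selected": uses_selected,
        "findings": findings,
    }


def make_sample_token(roles) -> str:
    """Build a CONSTRUCTED, unsigned sample token shaped like an Entra ID
    app-only Graph token, for offline demonstration only."""
    header = {"typ": "JWT", "alg": "RS256"}
    claims = {"aud": "https://graph.microsoft.com", "roles": list(roles)}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        "signature-omitted",
    ])


if __name__ == "__main__":
    # Current grant (all four .Read.All roles) next to the proposed narrower one.
    for roles in (list(REQUIRED_GRAPH_ROLES),
                  ["Sites.Selected", "Groups.Read.All", "User.Read.All"]):
        claims = decode_jwt_payload(make_sample_token(roles))
        print(json.dumps(audit(granted_permissions(claims)), indent=2))
```

Run it against a real token obtained by the connector's app registration and the second report shows what a Sites.Selected configuration would look like: Groups.Read.All and User.Read.All still appear (the issue does not propose narrowing those), while the two site-wide roles are replaced by one entry whose scope is whatever site collections the tenant admin granted. The `missing` list is there so that a deployment switching to Sites.Selected sees explicitly which broad roles it no longer relies on.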