SharePoint solutions may read all user's SharePoint data and user's auth token (2 lines of code for this one) and send it to external APIs without administrator's or user's consent.
It's impossible to disable it or control it in any way.
We are typically focusing on Microsoft Graph, but I feel like nobody realizes (or talks about) the risks associated with these solutions being practically full trust code. And as much as I love the PnP Samples, I would like more users, administrators, governance teams implement more robust security audits.
It's time we talk about it openly =)
Category
Contents of the Pull Request
SharePoint solutions may read all user's SharePoint data and user's auth token (2 lines of code for this one) and send it to external APIs without administrator's or user's consent. It's impossible to disable it or control it in any way.
We are typically focusing on Microsoft Graph, but I feel like nobody realizes (or talks about) the risks associated with these solutions being practically full trust code. And as much as I love the PnP Samples, I would like more users, administrators, governance teams implement more robust security audits. It's time we talk about it openly =)