We have a requirement to upload to and read files from a single folder in OneDrive for Business through a Django app. We are using Microsoft Graph API with application permission. While the Azure provides Files.ReadWrite.All permission, the application can also potentially access all files and folders, as provided in graph permissions reference:
Allows the app to read all files in all site collections without a signed in user.
Is there a way to use Graph API's Application Files.ReadWrite.All Permission while restricting the application's access to a single folder in OneDrive?
Thanks for the help.
Unfortunately, - You will not be able to achieve your requirement of restricting the Application Permission to a file level using app only permissions.
Other suggestion
You could create a service account with a minimal permission - restricting the access to only specific folder.
You can do a use delegate app permission and access files for which
this account has access.
If you are looking for a non-interactive way to get a token You could ROPC method of authentication The credential for the service accounts is passed along - there is no interaction required to acquire token.
Reference :
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc