I try the following combination (application permissions) to have access to all document libraries in a specific SharePoint site with the MS Graph client.
But I can get the document libraries from all sites.

```csharp
var siteDocumentLibraries = await client.Sites[siteID].Drives.Request().GetAsync();
```

Any idea? I want the least privileged permissions.
With `Files.Read.All` you should be able to access any files across all drives. I would recommend removing this permission. Keep only the `Sites.Selected` application permission.
What you need is to add a site permission and grant the role for your app.
I'm using Graph PowerShell SDK to add site permission.
```powershell
# Sign in with scopes that allow reading service principals and managing site permissions
Connect-MgGraph -Scopes "Application.Read.All", "Sites.FullControl.All"
Import-Module Microsoft.Graph.Sites

$servicePrincipalName = "your_service_principal_name"
$spoTenant = "tenant.sharepoint.com"
$spoSite = "site_name"
# Path-based site ID: <hostname>:/sites/<site name>:
$spoSiteId = "${spoTenant}:/sites/${spoSite}:"

# Look up the app's service principal to get its AppId and display name
$servicePrincipal = (Get-MgServicePrincipal -Filter "DisplayName eq '$servicePrincipalName'")
$application = @{
    id = $servicePrincipal.AppId
    displayName = $servicePrincipal.DisplayName
}

# set read or write
$appRole = "read"
# Grant the role on this one site to the application
New-MgSitePermission -SiteId $spoSiteId -Roles $appRole -GrantedToIdentities @{ Application = $application }
```
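
To check the result of the steps above, the following added example (not part of the original answer) lists the Microsoft Graph application permissions the app actually holds, flags any tenant-wide `Files.*.All` or `Sites.*.All` role that would still expose every site, and then prints the per-site grants. The service principal name and site path are the same placeholders used in the answer; `00000003-0000-0000-c000-000000000000` is the well-known appId of Microsoft Graph.

```powershell
# Added example: audit the app's Graph roles and the site-level grant (placeholders are assumptions)
Connect-MgGraph -Scopes "Application.Read.All", "Sites.FullControl.All"
Import-Module Microsoft.Graph.Applications, Microsoft.Graph.Sites

$servicePrincipalName = "your_service_principal_name"      # placeholder from the answer
$spoSiteId = "tenant.sharepoint.com:/sites/site_name:"      # placeholder from the answer

$sp = Get-MgServicePrincipal -Filter "DisplayName eq '$servicePrincipalName'"
# Microsoft Graph's own service principal defines the role names (Files.Read.All, Sites.Selected, ...)
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# 1. Application permissions granted to the app on Microsoft Graph, resolved to role names
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object {
        $roleId = $_.AppRoleId
        ($graphSp.AppRoles | Where-Object { $_.Id -eq $roleId }).Value
    }

# Files.*.All and Sites.*.All apply to every site, which defeats Sites.Selected
$tenantWide = $granted | Where-Object { $_ -match '^(Files|Sites)\..*\.All$' }
if ($tenantWide) {
    Write-Warning "Tenant-wide roles still granted: $($tenantWide -join ', ')"
} else {
    Write-Output "No tenant-wide Files/Sites roles. Granted: $($granted -join ', ')"
}

# 2. Per-site grants: re-read each permission by id in case the list response omits Roles
Get-MgSitePermission -SiteId $spoSiteId -All | ForEach-Object {
    $p = Get-MgSitePermission -SiteId $spoSiteId -PermissionId $_.Id
    foreach ($identity in $p.GrantedToIdentities) {
        [pscustomobject]@{
            App       = $identity.Application.DisplayName
            AppId     = $identity.Application.Id
            Roles     = $p.Roles -join ','
            IsThisApp = $identity.Application.Id -eq $sp.AppId
        }
    }
}
```

A warning from step 1 means the role has to be removed from the app registration and its admin consent revoked; the site grant in step 2 does not narrow a tenant-wide role.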