Tuesday, April 18, 2023

Azure @ Enterprise - Azure app registration service principal to access selected SharePoint sites

Disclaimer - SharePoint Online as a "CMS to organize semi-structured content and documents via the user interface" is a promising technology. If you are integrating it with an enterprise application, using its API and SDKs, or customizing it, I wish you all the best.

Accessing the SharePoint Online Site Collection

Not so long ago, the below were the limitations with SharePoint:

  • We cannot give permission for specific SharePoint site collections to an Azure app registration service principal.
  • If we use the service principal to access the site collections, it will get permission for all site collections in the tenant. In enterprise, other site collections may belong to totally separate divisions or applications.
  • If an enterprise wants to limit an application to specific sites, it has to use one of the below methods:
    • Service accounts - This means the application needs to keep the service account name and password and use the ROPC flow³, which is not recommended by Microsoft itself.
    • Separate tenant per application - Provision a separate tenant per application, sync users, etc.
  • A service account is viewed as a user by SharePoint Online and is throttled more heavily than a service principal, which is treated as an application. Have fun fighting production issues or retrying operations.

2021-02-11 - App access on a specific SharePoint Site Collection (Graph Only)

Microsoft announced a feature¹ that allows applications, via their service principal, to be granted permission to specific sites. It works as follows:
  • In the Azure portal, we can give the Sites.Selected permission to a service principal.
  • Use the below API endpoint to give the application (i.e. the service principal) permission on a site:
    • https://graph.microsoft.com/v1.0/sites/{siteId}/permissions
    • This allows granting only Read and Write. Sites cannot be managed with Full Control.
  • In order to grant this permission, the granting application or user identity needs higher privilege.

Somehow Microsoft forgot the fact that the Graph API is not complete. There are many scenarios the Graph API does not support, and we have to fall back to CSOM/legacy SharePoint APIs. Maybe some application teams leveraged this feature even though it was not in GA status, but a real SharePoint integration project probably could not. Anyway, this is a good start.

2022-08-11 - App access on a specific SharePoint Site Collection (GA and CSOM support)

Below are the updates² to the feature, announced after one and a half years.
  • The Sites.Selected permission is applicable to the CSOM API as well.
  • The feature became generally available.
  • The site permissions API still allows granting only Read and Write. Sites cannot be managed with Full Control.
  • The official documentation is yet to be updated.
It looks like the below in the Azure portal after Sites.Selected is granted for both the Graph and SharePoint (CSOM) APIs.

Now, below are the benefits to an enterprise from this change.
  • Sites can be permissioned to individual applications using their service principals.
  • Applications, specifically daemon applications, need not use a service account, which has no throttling documentation and is heavily throttled.
  • Applications don't need to use the ROPC flow, which involves a password and is discouraged by Microsoft itself.

Sites.Selected with Full Control

One blogger figured out a hack to grant full access to service principals with Sites.Selected, as follows:
  • Create a Write permission first. Full Control at the time of creation does not work.
  • Change that permission to Full Control.
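The two pieces an enterprise actually needs around the permissions endpoint described above are (a) building a correct grant request that stays within what Sites.Selected is meant to allow, and (b) periodically auditing a site's permissions so that a grant later edited to Full Control, as in the hack above, shows up. The block below is an added example written for this post, not Microsoft's or the original author's code. It uses only the documented request body shape for POST /sites/{siteId}/permissions and the roles/grantedToIdentities fields of the permission resource; the site id, app id, token and the embedded sample API response are constructed placeholders. The calling identity is assumed to hold a privilege that can manage site permissions (for example the Sites.FullControl.All application permission), as the post notes.

```python
import json
import urllib.request
from typing import Any, Dict, List, Optional

GRAPH = "https://graph.microsoft.com/v1.0"

# Roles the post says can be granted at creation time via Sites.Selected.
GRANTABLE_ROLES = {"read", "write"}


def build_grant_body(app_id: str, display_name: str, roles: List[str]) -> Dict[str, Any]:
    """Body for POST /sites/{siteId}/permissions granting an application access.

    Rejects anything beyond read/write up front so a request that the API would
    refuse (or that exceeds what the site owner intended) never leaves the client.
    """
    normalized = [r.lower() for r in roles]
    excessive = [r for r in normalized if r not in GRANTABLE_ROLES]
    if excessive:
        raise ValueError(f"roles not grantable at creation via Sites.Selected: {excessive}")
    return {
        "roles": normalized,
        "grantedToIdentities": [
            {"application": {"id": app_id, "displayName": display_name}}
        ],
    }


def graph_request(token: str, method: str, url: str,
                  body: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """Minimal Graph call with a bearer token (assumed to carry enough privilege)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def grant_site_access(token: str, site_id: str, app_id: str,
                      display_name: str, roles: List[str]) -> Dict[str, Any]:
    """Grant a service principal read/write on one site collection."""
    url = f"{GRAPH}/sites/{site_id}/permissions"
    return graph_request(token, "POST", url, build_grant_body(app_id, display_name, roles))


def list_site_permissions(token: str, site_id: str) -> List[Dict[str, Any]]:
    """Fetch all application grants on a site (GET /sites/{siteId}/permissions)."""
    return graph_request(token, "GET", f"{GRAPH}/sites/{site_id}/permissions").get("value", [])


def audit_permissions(permissions: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Flatten a permissions response and flag grants that exceed read/write.

    A grant created as 'write' and later changed to 'fullcontrol' is reported
    with excessive=True so it can be reviewed or revoked.
    """
    findings = []
    for perm in permissions:
        roles = [r.lower() for r in perm.get("roles", [])]
        identities = perm.get("grantedToIdentitiesV2") or perm.get("grantedToIdentities") or []
        for ident in identities:
            app = ident.get("application", {})
            findings.append({
                "permission_id": perm.get("id"),
                "app_id": app.get("id"),
                "display_name": app.get("displayName"),
                "roles": roles,
                "excessive": not set(roles) <= GRANTABLE_ROLES,
            })
    return findings


# Constructed sample response (not captured from a real tenant): one grant that
# stayed at write, and one that was edited to fullcontrol after creation.
SAMPLE_PERMISSIONS = [
    {"id": "perm-1", "roles": ["write"],
     "grantedToIdentities": [{"application": {"id": "app-id-placeholder-1",
                                              "displayName": "Invoice Daemon"}}]},
    {"id": "perm-2", "roles": ["fullcontrol"],
     "grantedToIdentities": [{"application": {"id": "app-id-placeholder-2",
                                              "displayName": "Legacy Sync"}}]},
]

if __name__ == "__main__":
    for finding in audit_permissions(SAMPLE_PERMISSIONS):
        print(finding)
```

Running the audit against a real site only requires replacing SAMPLE_PERMISSIONS with list_site_permissions(token, site_id); the grant helper is deliberately limited to read/write so that Full Control can never be requested through it.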

Updates

2022-06-09 - Conditional access in GA

Some enterprises want to increase their security posture by limiting usage to a set of allowed IPs. Service accounts had that capability earlier; app registrations got it later. It first came in preview and, as of 2023-06-09, it became production-ready.

References
