You may have a valid business need to access a single SharePoint Online site via code. That sort of access can only be accomplished via OAuth. Microsoft provides several solutions for this via Microsoft Graph. However, depending on the approach, those solutions may require what are generally broad & risky permissions, i.e. getting admin consent for OAuth permission scopes which, depending on the permission, may mean your identity has access to *all* SharePoint Online or OneDrive for Business resources. This generally is not acceptable: it is too risky to allow any account access to all UW SharePoint Online or OneDrive for Business data. In other words, any solution that requires Sites.FullControl.All or Files.ReadWrite.All is a non-starter. Microsoft has recognized this problem and provided several solutions to limit the effective scope.
Solution 1: SharePoint App-only permissions
Follow the steps described at https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs. This includes creating an Entra ID application & granting the permissions to that application. This solution can be implemented by a site collection admin without any involvement from UW-IT required.
Solution 2: You think your OAuth application needs Sites.* permissions; instead you get Sites.Selected plus tightly scoped permissions
This description aligns with the "Selected" solutions described at https://learn.microsoft.com/en-us/graph/permissions-selected-overview?tabs=http.
- Get an Entra ID application identity created. Entra ID application creation & configuration is mostly a self-service activity. We've created documentation about the many related activities at: https://it.uw.edu/wares/msinf/aad/apps/integration/.
- Configure the code using that Entra ID app identity using the OAuth client credential grant flow: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
- That Entra ID app will need to be configured to use the MS Graph API with Sites.Selected permission scope. The permission scope will need to be configured to be OAuth application permissions (not delegated permissions): https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#permission-types
- Open a risky Entra ID application admin consent request
- In that request ask for admin consent for the Sites.Selected OAuth permission scopes. You can reference https://devblogs.microsoft.com/microsoft365dev/controlling-app-access-on-specific-sharepoint-site-collections/ as justification because "Sites.Selected. Choosing this permission for your application instead of one of the other permissions will, by default, result in your application not having access to any SharePoint site collections."
- The Site Collection Administrator(s) will need to grant the application permissions. This can be accomplished in two different ways via a Productivity Platform Recharge Request: https://it.uw.edu/tools-services-support/software-computers/productivity-platforms/pplat-recharge-services/
  - In that request ask them to run:
    Grant-PnPAzureADAppSitePermission -AppId 'AzureAppIdwithSitesdotselectedpermission' -DisplayName 'App Name here' -Site 'https://tenantname.sharepoint.com/sites/sitename' -Permissions Write
  - Documentation for this cmdlet is here: https://github.com/pnp/powershell/blob/dev/documentation/Grant-PnPEntraIDAppSitePermission.md and, as noted there, it requires permissions that the Site Collection Administrator does not have, but that the PPLAT team can grant upon request from the Site Collection Admin. The example above grants Write permissions (-Permissions Write); Read permissions (-Permissions Read) are possible instead.
  - Alternatively, the PPlat team might make a MS Graph call of "POST https://graph.microsoft.com/v1.0/sites/{siteId}/permissions" where {siteId} is your site's identifier, as described at https://devblogs.microsoft.com/microsoft365dev/controlling-app-access-on-specific-sharepoint-site-collections/.
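The Solution 2 steps above, as an added example that is not UW-IT's or Microsoft's code: it builds the client credentials token request, builds the Graph POST /sites/{siteId}/permissions request the PPlat team uses to admit one app to one site collection, and then inspects the roles claim of the token the app receives to confirm it carries Sites.Selected and nothing broader. All tenant, app and site identifiers are constructed placeholders, the demo token is an unsigned JWT constructed for the offline check, and fetch_site is the only function that talks to the network. The same roles check applies to Solution 3 by passing Files.SelectedOperations.Selected as the expected role.

```python
"""Added example for Solution 2 (not UW-IT's or Microsoft's code).

Builds the OAuth client-credentials token request, the Graph request used
to grant one app access to one site collection, and a local check that the
token the app receives carries only Sites.Selected.
All ids below are constructed placeholders."""
import base64
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Application permissions that give tenant-wide SharePoint/OneDrive access:
# the "non-starters" a Sites.Selected app must never be consented for.
BROAD_ROLES = {
    "Sites.FullControl.All", "Sites.Manage.All", "Sites.ReadWrite.All",
    "Sites.Read.All", "Files.ReadWrite.All", "Files.Read.All",
}


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form fields) for the v2.0 client credentials grant.
    The '.default' scope asks for every application permission an admin
    has consented to, so an over-consented app silently gets more."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }
    return url, form


def build_site_permission_grant(site_id, app_id, display_name, role="write"):
    """Return (url, JSON body) for POST /sites/{siteId}/permissions, the call
    that lets one Sites.Selected app into one site collection."""
    if role not in ("read", "write"):
        raise ValueError("this page grants read or write only")
    body = {
        "roles": [role],
        "grantedToIdentities": [
            {"application": {"id": app_id, "displayName": display_name}}
        ],
    }
    return f"{GRAPH}/sites/{site_id}/permissions", body


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_roles(access_token):
    """Application permissions ('roles' claim) in an access token. The
    signature is not verified: this inspects what the app was handed; it
    is not a trust decision (Graph verifies the token itself)."""
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    return set(payload.get("roles", []))


def excess_roles(access_token, expected=("Sites.Selected",)):
    """Roles beyond the ones the consent request asked for."""
    return token_roles(access_token) - set(expected)


def broad_roles(access_token):
    """Roles that would give the app access to all sites or all files."""
    return token_roles(access_token) & BROAD_ROLES


def fetch_site(access_token, site_id, opener=urllib.request.urlopen):
    """GET the one site the app was granted. With Sites.Selected, a site
    whose admins have not granted this app returns HTTP 403."""
    req = urllib.request.Request(
        f"{GRAPH}/sites/{site_id}",
        headers={"Authorization": f"Bearer {access_token}"},
    )
    with opener(req) as resp:
        return json.loads(resp.read())


def make_demo_token(roles):
    """Constructed, unsigned JWT so the role checks can run offline."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return seg({"alg": "none", "typ": "JWT"}) + "." + seg(
        {"aud": "https://graph.microsoft.com", "roles": list(roles)}) + "."


if __name__ == "__main__":
    # Placeholder ids (constructed); replace with the real tenant/app/site.
    url, form = build_token_request("TENANT-ID", "APP-ID", "APP-SECRET")
    print(url, form["scope"])
    url, body = build_site_permission_grant(
        "tenantname.sharepoint.com,SITE-GUID,WEB-GUID", "APP-ID", "App Name here")
    print(url, json.dumps(body))
    good = make_demo_token(["Sites.Selected"])
    bad = make_demo_token(["Sites.Selected", "Sites.FullControl.All"])
    print("excess:", excess_roles(good), "broad:", broad_roles(bad))
```

Run the roles check once against a real token after consent is granted: a non-empty result from excess_roles or broad_roles means the consent request was approved for more than Sites.Selected and the app should not be deployed until that is corrected.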
Solution 3: You think your OAuth application needs Files.* permissions; instead you get Files.SelectedOperations.Selected plus tightly scoped permissions
- Get an Entra ID application identity created. Entra ID application creation & configuration is mostly a self-service activity.
- Configure the code using that Entra ID app identity using the OAuth client credential grant flow.
- That Entra ID app will need to be configured to use the MS Graph API with the Files.SelectedOperations.Selected permission scope. The permission scope will need to be configured to be OAuth application permissions (not delegated permissions).
- Open a risky Entra ID application admin consent request
- In that request ask for admin consent for the Files.SelectedOperations.Selected OAuth permission scopes. You can reference https://learn.microsoft.com/en-us/graph/permissions-selected-overview?tabs=http as justification because "When an administrator consents to Selected scopes for an application, they're delegating management of resource permissions to the owners of that resource within the workload. For other scopes, such as Files.Read.All, as soon as the scope is consented, the application can access the resources it represents. Selected scopes require an explicit assignment action; an application consented for Lists.SelectedOperations.Selected would initially have no access."
- The UW-IT Site Collection Administrator(s) will need to grant the application permissions to the specific sites and/or OneDrives needed. This can be accomplished via a Productivity Platform Recharge Request: https://it.uw.edu/tools-services-support/software-computers/productivity-platforms/pplat-recharge-services/
Additional resources
Watch a YouTube video on using PnP to connect to SharePoint Online
Overview of Selected Permissions in OneDrive and SharePoint - Microsoft Graph | Microsoft Learn