
Running SharePoint/OneDrive file storage with restricted permissions

The recommended setup for Live docs is to grant the Lime CRM Entra Enterprise Application the Files.ReadWrite.All and Sites.ReadWrite.All permissions. If the Enterprise Application must be limited to a single SharePoint site, this is possible, but it requires a more complex configuration and additional administrator knowledge.

Configuration Steps

Follow the normal setup instructions but configure the API Permissions for the app registration as shown below instead:

[image: API Permissions for the app registration]

Configuring which "selected" SharePoint site the permissions apply to is not possible through any user interface. Instead, you must use the Microsoft Graph API with a user account that has Sites.FullControl permissions.

For example, using Microsoft Graph Explorer, first list the permission grants that already exist on the site:

GET https://graph.microsoft.com/v1.0/sites/<YOUR_SITE_ID>/permissions/

Then grant the application write access to that site:

POST https://graph.microsoft.com/v1.0/sites/<YOUR_SITE_ID>/permissions/
{
    "roles": [
        "write"
    ],
    "grantedToIdentities": [
        {
            "application": {
                "id": "<YOUR_CLIENT_ID>",
                "displayName": "Dev Sharepoint Staging OnedriveFS"
            }
        }
    ]
}
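As an added example (not part of the Lime CRM docs), the same two requests scripted so that the app's existing grants on the site are inspected before anything is granted and re-read afterwards. It assumes a bearer token for a user with the permissions named above, the site id, the app's client id and a display name as command-line arguments; the sample response at the bottom is constructed for the dry run.

```python
import json
import sys
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def build_grant(client_id, display_name, roles=("write",)):
    """Body for POST /sites/{site-id}/permissions. Keep roles minimal:
    "read" if the app only fetches documents, "write" if it stores them."""
    return {
        "roles": list(roles),
        "grantedToIdentities": [
            {"application": {"id": client_id, "displayName": display_name}}
        ],
    }


def existing_roles(permissions_response, client_id):
    """Roles already granted to client_id in a GET /sites/{site-id}/permissions
    response, so a grant is not duplicated and over-broad grants are visible."""
    roles = set()
    for perm in permissions_response.get("value", []):
        idents = perm.get("grantedToIdentitiesV2") or perm.get("grantedToIdentities") or []
        for ident in idents:
            if (ident.get("application") or {}).get("id") == client_id:
                roles.update(perm.get("roles", []))
    return sorted(roles)


def graph_call(token, method, path, body=None):
    """Minimal Graph HTTP call using only the standard library."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(GRAPH + path, data=data, method=method)
    req.add_header("Authorization", "Bearer " + token)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def ensure_site_grant(token, site_id, client_id, display_name, role="write"):
    """Grant `role` on one site only if the app does not already hold it;
    returns the roles the app holds on that site afterwards."""
    path = f"/sites/{site_id}/permissions"
    current = existing_roles(graph_call(token, "GET", path), client_id)
    if role in current:
        return current
    graph_call(token, "POST", path, build_grant(client_id, display_name, (role,)))
    return existing_roles(graph_call(token, "GET", path), client_id)


# Constructed sample of a GET /sites/{site-id}/permissions response (not real data).
SAMPLE_RESPONSE = {"value": [
    {"id": "p1", "roles": ["write"], "grantedToIdentities": [
        {"application": {"id": "11111111-0000-0000-0000-000000000001", "displayName": "Lime CRM"}}]},
    {"id": "p2", "roles": ["read"], "grantedToIdentities": [
        {"application": {"id": "22222222-0000-0000-0000-000000000002", "displayName": "Other app"}}]},
]}

if __name__ == "__main__":
    # usage: python grant_site.py <token> <site-id> <client-id> <display-name>
    print(ensure_site_grant(*sys.argv[1:5]))
```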
