
Running SharePoint/OneDrive file storage with fewer permissions

The recommended setup for Live docs is to give the CRM app registration in Azure the Files.ReadWrite.All and Sites.ReadWrite.All application permissions. Note that these are tenant-wide: they let the app read and write every site and drive in the tenant. If the CRM app must be limited to one specific SharePoint site, that is also possible with the Sites.Selected permission, but it is more involved and requires more knowledge from the administrator configuring it.

Follow the normal setup instructions, but configure the API Permissions for the app registration like this instead, with Sites.Selected in place of Files.ReadWrite.All and Sites.ReadWrite.All. Leave the two broad permissions out: if they are still granted, the app keeps access to every site and the site selection has no effect.

[image: API Permissions of the app registration]

Which "selected" SharePoint site the permission applies to cannot be configured through any user interface. Instead the grant has to be created through the Microsoft Graph API, signed in as a user who has the Sites.FullControl.All permission (delegated, consented in the calling tool) and is an administrator of the target site.

Using Microsoft Graph Explorer, for example, first list the existing permissions on the site and then add one for the app. The site ID is the composite "hostname,siteCollectionId,webId" value that Graph returns as the id property from GET https://graph.microsoft.com/v1.0/sites/<hostname>:/sites/<site-name>.

GET https://graph.microsoft.com/v1.0/sites/<YOUR_SITE_ID>/permissions/

POST  https://graph.microsoft.com/v1.0/sites/<YOUR_SITE_ID>/permissions/
{
    "roles": [
        "write"
    ],
    "grantedToIdentities": [
        {
            "application": {
                "id": "<YOUR_CLIENT_ID>",
                "displayName": "Dev Sharepoint Staging OnedriveFS"
            }
        }
    ]
}

<YOUR_CLIENT_ID> is the Application (client) ID of the CRM app registration. A successful POST returns the created permission with its own id, and running the GET again should now list the app with the write role. The roles accepted here are read and write (and, more recently, manage and fullcontrol); write is all that file storage needs, so do not grant more.

[image: Graph Explorer showing the permissions request against the site]
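The same procedure as a script, as an added example that is not part of the original page or of the CRM app: it resolves the Graph site path, checks which roles the app already holds on the site from the GET response, and only then issues the POST from the text. The client ID, site names and the sample permissions response are constructed placeholders; the network calls are only made when a Graph bearer token is supplied in the GRAPH_TOKEN environment variable, otherwise the script runs offline against the sample.

```python
"""Added example, not code from the original page or the CRM app: grant a
Sites.Selected app 'write' on one SharePoint site through Microsoft Graph and
check what it already holds. Placeholder IDs and the sample response are
constructed for illustration."""
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Roles accepted for Sites.Selected grants (read/write originally, manage and
# fullcontrol added later, as in the linked blog posts). Stay at 'write' unless
# the app really needs to administer the site.
VALID_ROLES = {"read", "write", "manage", "fullcontrol"}

# Constructed sample of GET /sites/{id}/permissions (not a real tenant response).
# The CRM app already holds 'read' here; an unrelated app holds 'fullcontrol'.
SAMPLE_PERMISSIONS = {
    "value": [
        {
            "id": "perm-1",
            "roles": ["read"],
            "grantedToIdentitiesV2": [
                {"application": {"id": "00000000-0000-0000-0000-00000000c4c4",
                                 "displayName": "Dev Sharepoint Staging OnedriveFS"}}
            ],
        },
        {
            "id": "perm-2",
            "roles": ["fullcontrol"],
            "grantedToIdentities": [
                {"application": {"id": "00000000-0000-0000-0000-00000000abcd",
                                 "displayName": "Some other integration"}}
            ],
        },
    ]
}


def site_lookup_path(hostname, site_path):
    """Graph path that resolves a site URL to its 'host,siteId,webId' id,
    e.g. /sites/contoso.sharepoint.com:/sites/Staging (hypothetical names)."""
    return f"/sites/{hostname}:/{site_path.strip('/')}"


def build_grant_body(client_id, display_name, roles=("write",)):
    """Body for POST /sites/{id}/permissions; refuses roles Graph does not accept."""
    bad = set(roles) - VALID_ROLES
    if bad:
        raise ValueError(f"unsupported role(s): {sorted(bad)}")
    return {
        "roles": list(roles),
        "grantedToIdentities": [
            {"application": {"id": client_id, "displayName": display_name}}
        ],
    }


def app_roles(permissions_response, client_id):
    """Roles client_id already holds on the site, taken from the GET response.
    Newer responses carry grantedToIdentitiesV2, older ones only grantedToIdentities."""
    roles = set()
    for perm in permissions_response.get("value", []):
        idents = perm.get("grantedToIdentitiesV2") or perm.get("grantedToIdentities") or []
        for ident in idents:
            app = ident.get("application") or {}
            if app.get("id", "").lower() == client_id.lower():
                roles.update(perm.get("roles", []))
    return sorted(roles)


def graph_call(token, method, path, body=None):
    """Minimal Graph request. The token needs Sites.FullControl.All (delegated,
    signed in as an administrator of the site) for the permissions endpoints."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(GRAPH + path, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")


def grant_if_missing(token, site_id, client_id, display_name, roles=("write",)):
    """Idempotent grant: look before adding a second permission entry for the app."""
    have = app_roles(graph_call(token, "GET", f"/sites/{site_id}/permissions"), client_id)
    if set(roles) <= set(have):
        return "already-granted", have
    created = graph_call(token, "POST", f"/sites/{site_id}/permissions",
                         build_grant_body(client_id, display_name, roles))
    return "granted", created.get("roles", [])


if __name__ == "__main__":
    app_id = "00000000-0000-0000-0000-00000000c4c4"  # placeholder client id
    print("already held:", app_roles(SAMPLE_PERMISSIONS, app_id))
    print(json.dumps(build_grant_body(app_id, "Dev Sharepoint Staging OnedriveFS"), indent=2))
    token = os.environ.get("GRAPH_TOKEN")  # only talk to Graph when a token is supplied
    if token:
        print(grant_if_missing(token, os.environ["SITE_ID"], app_id,
                               "Dev Sharepoint Staging OnedriveFS"))
```

The check in grant_if_missing matters because every POST creates a separate permission entry; granting twice leaves two entries to clean up later, and reading the list first is also the quickest way to confirm that no other app holds more than it should on the site.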

https://developer.microsoft.com/en-us/graph/graph-explorer

https://devblogs.microsoft.com/microsoft365dev/controlling-app-access-on-specific-sharepoint-site-collections/

https://www.leonarmston.com/2022/02/use-sites-selected-permission-with-fullcontrol-rather-than-write-or-read/

https://devblogs.microsoft.com/microsoft365dev/updates-on-controlling-app-specific-access-on-specific-sharepoint-sites-sites-selected/