Running SharePoint/OneDrive file storage with restricted permissions

The recommended setup for Live docs is to grant the Lime CRM Entra Enterprise Application Files.ReadWrite.All and Sites.ReadWrite.All permissions. If there is a need to limit the Enterprise Application to access only a specific SharePoint site, this is possible but requires more complex configuration and additional administrator knowledge.

Configuration Steps

Follow the normal setup instructions but configure the API Permissions for the app registration as shown below instead:

Configuring which "selected" SharePoint site the permissions apply to is not possible through any user interface. Instead, you must use the Microsoft Graph API with a user account that has Sites.FullControl permissions.

For example, using Microsoft Graph Explorer:

GET https://graph.microsoft.com/v1.0/sites/<YOU_SITE_ID>/permissions/

POST  https://graph.microsoft.com/v1.0/sites/<YOU_SITE_ID>/permissions/
{
    "roles": [
        "write"
    ],
    "grantedToIdentities": [
        {
            "application": {
                "id": "<YOUR_CLIENT_ID>",
                "displayName": "Dev Sharepoint Staging OnedriveFS"
            }
        }
    ]
}

References

• Graph Explorer - Interactive tool for testing Microsoft Graph API calls
• Controlling app access on a specific SharePoint site collections is now available in Microsoft Graph - Original announcement of Sites.Selected permissions
• Use Sites.Selected Permission with FullControl rather than Write or Read - Community guide for upgrading Sites.Selected permissions to FullControl
• Updates on controlling app specific access on specific SharePoint sites (Sites.Selected) - Microsoft's update on Sites.Selected availability and SharePoint CSOM support