Running SharePoint/OneDrive file storage with restricted permissions¶
The recommended setup for Live docs is to grant the Lime CRM Entra Enterprise Application the Files.ReadWrite.All and Sites.ReadWrite.All application permissions. If the Enterprise Application must be limited to a single SharePoint site instead, that is possible, but it requires a more involved configuration and a tenant administrator who is comfortable with Microsoft Graph.
Configuration Steps¶
Follow the normal setup instructions, but in the app registration's API Permissions grant the Sites.Selected application permission instead of Sites.ReadWrite.All (the screenshot of the API Permissions page is not reproduced here). Keep in mind that Files.ReadWrite.All by itself grants access to the document libraries of every site in the tenant, so the restriction only holds if that permission is not granted as well.
With Sites.Selected the application has no access to any site until a grant is created for it. There is no user interface for choosing which site the permission applies to; the grant must be created through the Microsoft Graph API, signed in as a user who is a site collection administrator of the site and whose session has been consented the Sites.FullControl.All delegated permission. The site id can be resolved from the site URL with GET /sites/{hostname}:/{site-path}.
For example, using Microsoft Graph Explorer, first list the grants that already exist on the site, then create the grant for the Lime CRM application (the application id is the client id of the app registration; "write" gives the application read and write access to the site's libraries):

```http
GET https://graph.microsoft.com/v1.0/sites/<YOUR_SITE_ID>/permissions/

POST https://graph.microsoft.com/v1.0/sites/<YOUR_SITE_ID>/permissions/
Content-Type: application/json

{
  "roles": [
    "write"
  ],
  "grantedToIdentities": [
    {
      "application": {
        "id": "<YOUR_CLIENT_ID>",
        "displayName": "Dev Sharepoint Staging OnedriveFS"
      }
    }
  ]
}
```

Run the GET again afterwards and confirm that the application appears with exactly the roles you intended and that no other, unexpected applications hold grants on the site.
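The same procedure as a script, so the grant and the follow-up audit can be repeated per environment instead of clicked through in Graph Explorer. This is an added example, not Lime's own code: it assumes you already hold a delegated access token for a site collection administrator with Sites.FullControl.All, and the hostname, site path, client id and the sample permissions response are placeholders constructed for illustration.

```python
"""Grant a Sites.Selected application 'write' on one SharePoint site and audit the result.

Added example, not part of the Lime CRM product. Assumes a delegated bearer token
(site collection admin, Sites.FullControl.All); hostname, site path and client id
are placeholders.
"""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Roles this example allows when creating a grant; 'manage' and 'fullcontrol' are
# applied afterwards with a PATCH, the upgrade path the referenced community guide describes.
CREATE_ROLES = {"read", "write"}


def site_lookup_url(hostname, site_path):
    """URL that resolves a site's id from its address, e.g. contoso.sharepoint.com + /sites/Sales."""
    return f"{GRAPH}/sites/{hostname}:/{site_path.strip('/')}"


def grant_body(client_id, display_name, roles=("write",)):
    """Request body for POST /sites/{site-id}/permissions."""
    bad = set(roles) - CREATE_ROLES
    if bad:
        raise ValueError(f"roles not allowed on create: {sorted(bad)}")
    return {
        "roles": list(roles),
        "grantedToIdentities": [
            {"application": {"id": client_id, "displayName": display_name}}
        ],
    }


def graph_call(token, method, url, body=None):
    """Minimal Graph client using only the standard library; raises on HTTP errors."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")


def app_grants(permissions_response):
    """Map application id -> set of roles from a GET /sites/{site-id}/permissions response."""
    grants = {}
    for perm in permissions_response.get("value", []):
        for ident in perm.get("grantedToIdentities", []):
            app = ident.get("application")
            if app:
                grants.setdefault(app["id"], set()).update(perm.get("roles", []))
    return grants


def audit(permissions_response, expected_client_id, expected_roles=("write",)):
    """Return (ok, findings). ok only if our app has exactly expected_roles and no other app is granted."""
    grants = app_grants(permissions_response)
    findings = []
    ours = grants.get(expected_client_id)
    if ours is None:
        findings.append(f"{expected_client_id} has no grant on this site")
    elif ours != set(expected_roles):
        findings.append(f"{expected_client_id} has roles {sorted(ours)}, expected {sorted(expected_roles)}")
    for app_id, roles in grants.items():
        if app_id != expected_client_id:
            findings.append(f"unexpected application grant: {app_id} roles {sorted(roles)}")
    return not findings, findings


# Constructed sample of a GET /sites/{site-id}/permissions response: our grant plus a
# leftover grant for another application that the audit should flag.
SAMPLE_PERMISSIONS = {
    "value": [
        {"id": "perm-1", "roles": ["write"],
         "grantedToIdentities": [{"application": {"id": "11111111-1111-1111-1111-111111111111",
                                                  "displayName": "Lime CRM"}}]},
        {"id": "perm-2", "roles": ["fullcontrol"],
         "grantedToIdentities": [{"application": {"id": "22222222-2222-2222-2222-222222222222",
                                                  "displayName": "Old migration tool"}}]},
    ]
}


if __name__ == "__main__":
    # Real run (placeholders): resolve the site, create the grant, then audit.
    token = "<DELEGATED_TOKEN_WITH_Sites.FullControl.All>"
    client_id = "<YOUR_CLIENT_ID>"
    site = graph_call(token, "GET", site_lookup_url("contoso.sharepoint.com", "/sites/Sales"))
    perms_url = f"{GRAPH}/sites/{site['id']}/permissions"
    graph_call(token, "POST", perms_url, grant_body(client_id, "Lime CRM"))
    ok, findings = audit(graph_call(token, "GET", perms_url), client_id)
    print("OK" if ok else "\n".join(findings))
```

The audit deliberately fails on any application other than the one you just granted: a Sites.Selected site that also carries stale grants for other apps is exactly the case the restricted setup is meant to rule out, so those should be removed (DELETE /sites/{site-id}/permissions/{permission-id}) or consciously accepted.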
References¶
- Graph Explorer - Interactive tool for testing Microsoft Graph API calls
- Controlling app access on a specific SharePoint site collections is now available in Microsoft Graph - Original announcement of Sites.Selected permissions
- Use Sites.Selected Permission with FullControl rather than Write or Read - Community guide for upgrading Sites.Selected permissions to FullControl
- Updates on controlling app specific access on specific SharePoint sites (Sites.Selected) - Microsoft's update on Sites.Selected availability and SharePoint CSOM support