How does Files.SelectedOperations.Selected Application permission scope work for Graph API

Ameya Nayak 20 Reputation points
2025-01-24T14:02:14.9566667+00:00

We created an app on Azure portal with admin consent for the following 3 permission scopes (Application)

  1. Files.SelectedOperations.Selected
  2. User.Read.All
  3. Group.Read.All

Using the Update Permissions API for driveItem, I am able to add the app with write access to a OneDrive file and access the file as well as list the permissions. If I don't do this step, I am unable to access the file via the API, which is how it should work. But when I try to use the credentials of the app and access a file in a SharePoint site, whether public or private, I am able to get permissions for the file and download the file as well, even though I have not updated the file permissions. Is this how the permission scope Files.SelectedOperations.Selected is supposed to work, or is this a bug? I have verified that the JWT token has only the 3 scopes mentioned above.


1 answer

  1. Vasil Michev 112.1K Reputation points MVP
    2025-01-24T16:45:06.9466667+00:00

    No, that's not the expected behavior. Files to which your application has not explicitly been granted access should result in an error when you're only using the Files.SelectedOperations.Selected scope. In your scenario I would suggest checking the permissions on any "parent" entry, including folders, lists and sites. Make sure that none of them has an explicit permission entry for the app.

    As a quick test, you can register a new application and try to access any of the same files via it.
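
The parent-permission check suggested in the answer, as an added example that is not part of the original thread: it scans permission listings already fetched for the file and each parent (folder, list, site) and reports every level where the app has an entry. The identity field names follow the Microsoft Graph permission resource; the app ID, level names and sample data are constructed placeholders.

```python
# Added example: the sample data below is constructed, not real tenant output.
APP_ID = "00000000-0000-0000-0000-00000000abcd"  # placeholder app (client) ID

# A Graph permission object can name its grantee in any of these fields.
IDENTITY_FIELDS = ("grantedTo", "grantedToV2")
IDENTITY_LIST_FIELDS = ("grantedToIdentities", "grantedToIdentitiesV2")


def app_ids(permission):
    """Collect the application IDs named in one permission object."""
    identity_sets = [permission.get(f) for f in IDENTITY_FIELDS]
    for field in IDENTITY_LIST_FIELDS:
        identity_sets.extend(permission.get(field) or [])
    found = set()
    for identity_set in identity_sets:
        app = (identity_set or {}).get("application") or {}
        if app.get("id"):
            found.add(app["id"].lower())  # GUIDs compare case-insensitively
    return found


def find_app_grants(levels, app_id):
    """levels: ordered (name, permissions) pairs, from the file up to the site.

    Returns (level, roles, inherited) for every entry that names app_id.
    An empty result means no listed level grants the app anything.
    """
    hits = []
    for name, permissions in levels:
        for perm in permissions:
            if app_id.lower() in app_ids(perm):
                inherited = bool(perm.get("inheritedFrom"))
                hits.append((name, tuple(perm.get("roles", [])), inherited))
    return hits


# Constructed sample: the file has no entry for the app, but the site does.
SAMPLE_LEVELS = [
    ("file", [{"id": "1", "roles": ["owner"],
               "grantedToV2": {"user": {"id": "u1", "displayName": "Owner"}}}]),
    ("folder", []),
    ("site", [{"id": "2", "roles": ["read"], "grantedToIdentities": [
        {"application": {"id": APP_ID.upper(), "displayName": "Sample app"}}]}]),
]

if __name__ == "__main__":
    for level, roles, inherited in find_app_grants(SAMPLE_LEVELS, APP_ID):
        print(f"{level}: roles={list(roles)} inherited={inherited}")
```
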

