How does Files.SelectedOperations.Selected Application permission scope work for graph API

Ameya Nayak 20 Reputation points
2025-01-24T14:02:14.9566667+00:00

We created an app on Azure portal with admin consent for the following 3 permission scopes (Application)

  1. Files.SelectedOperations.Selected
  2. User.Read.All
  3. Group.Read.All

Using the Update Permissions API for driveItem, I am able to add the app with write access to a OneDrive file and access the file as well as list the permissions. If I don't do this step, I am unable to access the file via the API, which is how it should work. But when I try to use the credentials of the app and access a file in a SharePoint site which is public or private, I am able to get permissions for the file and download the file as well, even though I have not updated the file permissions. Is this how the permission scope Files.SelectedOperations.Selected is supposed to work, or is this a bug? I have verified that the JWT token has only the 3 scopes mentioned above.


2 answers

  1. Vasil Michev 112.5K Reputation points MVP
    2025-01-24T16:45:06.9466667+00:00

    No, that's not the expected behavior. Files to which your application has not explicitly been granted access should result in an error, when you're only using the Files.SelectedOperations.Selected scope. In your scenario I would suggest checking the permissions on any "parent" entry, including folders, lists and sites. Make sure that none of them has explicit permission entry for the app.

    As a quick test, you can register a new application and try to access any of the same files via it.


  2. Emily Du-MSFT 49,231 Reputation points Microsoft Vendor
    2025-01-28T09:39:09.7233333+00:00

    Based on your post, it seems that the behavior you're experiencing is not expected. The Files.SelectedOperations.Selected scope should require explicit permission assignments to access files. If you are able to access files in a SharePoint site without updating the file permissions, it could indicate a potential issue.

    Please check whether the app is running under an admin context or under a user’s delegated context.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
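
Both answers come down to confirming what the token actually carries and in which context it was issued. The following is an added example, not part of the thread or of any Microsoft tooling: it decodes an access token's payload for inspection, using the fact that Microsoft Entra puts application permissions in the `roles` claim and delegated permissions in `scp`. `EXPECTED_ROLES` is taken from the question; `BROAD_PREFIXES`, the function names and the sample token are assumptions constructed for illustration.

```python
import base64
import json

# Application roles the question says were consented for the app.
EXPECTED_ROLES = {"Files.SelectedOperations.Selected", "User.Read.All", "Group.Read.All"}
# Assumed, non-exhaustive prefixes of Graph permissions that can reach files
# without a per-item grant (or, for Sites.Selected, via a site-level grant).
BROAD_PREFIXES = ("Sites.", "Files.Read", "Files.ReadWrite")


def decode_claims(token):
    """Return the JWT payload as a dict. Inspection only: no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_token(token):
    """Classify the token context and list permissions beyond the expected set."""
    claims = decode_claims(token)
    roles = set(claims.get("roles") or [])
    scopes = set((claims.get("scp") or "").split())
    if scopes:
        context = "delegated"      # scp carries delegated (user) permissions
    elif roles:
        context = "application"    # app-only (client credentials) token
    else:
        context = "unknown"
    granted = roles | scopes
    return {
        "context": context,
        "unexpected": sorted(granted - EXPECTED_ROLES),
        "broad": sorted(p for p in granted if p.startswith(BROAD_PREFIXES)),
    }


def make_sample_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "constructed-sig"])


if __name__ == "__main__":
    sample = make_sample_token({"roles": sorted(EXPECTED_ROLES) + ["Sites.Read.All"]})
    print(audit_token(sample))
```

An empty `unexpected` list with `context` equal to `application` matches what the question describes, which leaves inherited grants on a parent folder, list or site as the remaining place to look.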
