Restrict app access of graph apis to specific site or folder of share point

Geetika Garg 10

In order to access share point files via apis on my backend server, I use graph apis. To use graph apis, I registered an app on app registrations admin centre.
If I provide access if Sites.Selected, I am unable to access site via api. If I provide access Sites.Read.All, then this app token is able to access all sites. My use case is to restrict access to particular site. Also I want to restrict access to particular folder in a site. How do I do that ?

1 answer

Hitesh Pachipulusu - MSFT 3,235 Reputation points Microsoft Vendor

2024-08-06T11:00:13.2533333+00:00
Hello @GEETIKA GARG ,

Thanks for contacting Microsoft Support!

To restrict access to a specific SharePoint site and even a particular folder within that site using Microsoft Graph APIs, you can follow these steps:

Use Sites.Selected Permission:

Ensure your app is granted the Sites.Selected permission. This permission allows you to specify which sites the app can access.

Grant Access to Specific Site:

After registering your app and granting Sites.Selected permission, you need to explicitly grant access to the specific site. This can be done using the Microsoft Graph API.

Here’s an example of how to grant read access to a specific site:
POST https://graph.microsoft.com/v1.0/sites/{site-id}/permissions Content-Type: application/json { "roles": ["read"], "grantedToIdentities": [ { "application": { "id": "your-app-id", "displayName": "Your App Name" } } ] }

By following these steps, you can ensure that your app has access only to the specific site and folder you want.

Hope this helps.

If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.
Please sign in to rate this answer.
Geetika Garg 10 Reputation points

2024-08-07T04:40:26.2366667+00:00

While hitting permissions api using token obtained from app having only Sites.Selected access, I get Unauthorised to perform action.
How to obtain access token to hit permissions api

Hitesh Pachipulusu - MSFT 3,235 Reputation points Microsoft Vendor

2024-08-09T07:22:46.3733333+00:00

Hello @Geetika Garg ,

which platform you are utilizing for generating access token?

Geetika Garg 10 Reputation points

2024-08-09T08:12:46.5033333+00:00

Hi, I am generating token via oauth2/v2.0/token api. I am using client id, secret of an app which has Sites full access including Manage all.

When I use token generated from this client to provide permission to another app with restricted access, I get Access denied

Hitesh Pachipulusu - MSFT 3,235 Reputation points Microsoft Vendor

2024-08-09T14:26:37.09+00:00

Hello @Geetika Garg ,

It sounds like you’re encountering an issue with the scope of the token or the permissions granted to the app. Here are a few steps to troubleshoot and resolve this issue:

Verify Token Scopes: Ensure that the token you are generating includes the necessary scopes. You can decode the token using a tool like jwt.io to check the scopes included.

Granting Permissions: When granting permissions to another app, make sure that the app has the necessary permissions configured in Azure AD. You might need to grant admin consent for these permissions.

Hitesh Pachipulusu - MSFT 3,235 Reputation points Microsoft Vendor

2024-08-20T06:03:06.01+00:00

Hello Geetika Garg,

Is there anything else I can help you with regarding this issue? If you still need further help, please feel free to let me know. If your question has been solved, then you can click "Accept Answer", which may help members with similar questions. Thank you very much!

Geetika Garg 0 Reputation points

2024-08-22T11:27:53.57+00:00

Hi, I am successfully able to grant access to specific site. However, I am unable to grant 'owner' access. Thus any link to item that I am creating via this app is having scope existingAccess and not anonymous access. How do I fix this ?

Luciano Carvajal 0 Reputation points

2024-11-04T19:50:45.42+00:00

Hello @Hitesh Pachipulusu - MSFT

I'm having the same requirement that I'm asking for assistance in this post : https://learn.microsoft.com/en-us/answers/questions/2115242/how-to-grant-graph-api-access-only-to-a-specific-s

Geetika Garg 0 Reputation points

2024-11-19T11:41:20.89+00:00

Hi, I was able to set permissions on site level but folder level is still not working.
Getting error invalid request.
I am trying same POST call
https://graph.microsoft.com/v1.0/sites/{site-id}/drives/{drive-id}/items/{item-id}/permissions
Get is working for same route. POST call for site level is working too. But POST for item level/folder level is givign invalid request

Geetika Garg 0 Reputation points

2024-11-19T11:43:50.2533333+00:00

I want to give folder level permission to an app and so can't use invite flow
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Restrict app access of graph apis to specific site or folder of share point

1 answer

Your answer