Restrict app access of Graph APIs to a specific folder of SharePoint

Geetika Garg 0 Reputation points
2025-01-08T06:24:40.83+00:00

I want to restrict an app's access to a specific folder in a site. I have created an app with Site.Specific permission.
I have created another admin app with Full Access. Now when I try to provide folder-level access to the site-specific app, I get an Invalid Request error.
API endpoint (POST call): https://graph.microsoft.com/v1.0/sites/{site-id}/drives/{drive-id}/items/{folder-id}/permissions

How do I fix this?
Note: It works for site-level access but not for folder-level access.


2 answers

  1. Vasil Michev 111.4K Reputation points MVP
    2025-01-08T07:12:29.1633333+00:00

    Can you clarify what is the exact request you are making? To grant permissions to specific item(s) only, you need to use the following request:

    POST https://graph.microsoft.com/v1.0/sites/{siteId}/drives/{driveId}/items/{itemId}/permissions
    {
        "roles": [
            "write"
        ],
        "grantedTo": {
            "application": {
                "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
            }
        }
    }
    

    Note the use of the grantedTo facet instead of grantedToIdentities, which you'd use for site-level permissions.


  2. CarlZhao-MSFT 44,436 Reputation points
    2025-01-08T09:38:58.83+00:00

    Hi @Geetika Garg

    As far as I know, you can only restrict access for an application to specific sites, not specific folders. There are currently no fine-grained permissions for the folder level.

    References: https://learn.microsoft.com/en-us/graph/api/site-post-permissions?view=graph-rest-1.0&tabs=http.
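
The two request shapes contrasted in the first answer, as an added Python example (not code from the thread or from Microsoft). The helper names `build_grant` and `send_grant`, the GUID check and the optional `display_name` are assumptions; the site-level body follows the `grantedToIdentities` form documented at the reference linked above.

```python
import json
import re
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def build_grant(app_id, roles, site_id, drive_id=None, item_id=None,
                display_name=None):
    """Return (url, body) for granting app_id the given roles.

    With only site_id the grant is site-wide; with drive_id and item_id it
    targets one folder or file, using the shape from the first answer.
    """
    if not GUID.match(app_id):
        # Catches the unsubstituted "xxxxxxxx-..." placeholder as well.
        raise ValueError("app_id must be a GUID")
    if not roles or not all(isinstance(r, str) and r for r in roles):
        raise ValueError("roles must be a non-empty list of role names")
    if (drive_id is None) != (item_id is None):
        raise ValueError("drive_id and item_id must be given together")

    application = {"id": app_id}
    if display_name:
        application["displayName"] = display_name
    identity = {"application": application}

    if item_id is None:
        # Site level: a list of identities under grantedToIdentities.
        url = f"{GRAPH}/sites/{site_id}/permissions"
        body = {"roles": list(roles), "grantedToIdentities": [identity]}
    else:
        # Item level: a single identity under grantedTo.
        url = (f"{GRAPH}/sites/{site_id}/drives/{drive_id}"
               f"/items/{item_id}/permissions")
        body = {"roles": list(roles), "grantedTo": identity}
    return url, body


def send_grant(url, body, admin_token):
    """POST the grant using the admin app's token; return the parsed reply."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {admin_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Printing the result of `build_grant` before calling `send_grant` makes it easy to see whether a folder-level request was sent with the site-level body.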

