Scenario
You are a software developer. Your company uses Microsoft Office 365 (SharePoint, Teams etc.). The need is to work with a specific site collection programmatically (from code – Python, C#, Java, PowerShell, JavaScript etc.) – e.g. upload/download documents, update list items, search etc. The code must run without user interaction (unattended, aka daemon app).
The solution is based on a new Graph API feature – Sites.Selected and a classic SP-Only app.
Solution
- Register an Azure App
- MS Graph API permissions: add -> Microsoft Graph -> Applications Permissions -> “sites.selected”
- Ask SharePoint/Tenant admin run PowerShell code (e.g. this one) to assign proper permissions to your azure app for a specific site collection (consider site owner consent)
- SharePoint API permissions:
Site Collection Owner/Admin – use
https://YourTenant.sharepoint.com/teams/YourSite/_layouts/15/appinv.aspx
to add SharePoint API permissions to your app.
Consider minimal permissions (e.g. as per Sumit)
Problem Solved
- you get access to one and only one site collection (“least privilege” principal)
- you get both – SharePoint API and Microsoft Graph API permissions to SharePoint
- you can use app secret or certificate to authenticate – depending on what are your security requirements
References:
- Register an application with the Microsoft identity platform
- Controlling app access on a specific SharePoint site collections is now available in Microsoft Graph
- Working with SharePoint sites in Microsoft Graph
- SharePoint Add-In — Permission XML cheat sheet
- Accessing SharePoint using an application context, also known as app-only
