Microsoft Graph is a powerful tool. It can give you access to user information, SharePoint files, and Office tenant settings. Because of this, admins need to be careful when granting permission to the the many Graph endpoints. The permission options for Graph are usually all-or-nothing. The SharePoint permission options, for example, are either Site.Read.All or Site.ReadWrite.All. When it says “All”, it means all. Granting this permission gives an app or a user access to every SharePoint site in the tenant. This is not ideal from a security perspective and requires admins to closely monitor any use of the SharePoint endpoints.
Fortunately, Microsoft has added a third permission option called Site.Selected. This allows admins to restrict Graph access to specified sites and control read/write access per site. However, you can only configure these settings through the Graph API itself. The lack of a GUI for this setting means you have to send a minimum of three API requests to get all the information needed to setup the permissions. Doing this manually can get annoying after a while so I setup a flow to do it for me.
This flow takes in the name and id of the app, the name of the SharePoint site and whether the app should have write access to the site.
It follows my standard format of initializing the variables first followed by scope blocks in a Try-Catch-Finally configuration. The four variables that this flow uses are the following:
- IsError: Used for error catching
- SiteId : The Id for the site specified in the trigger. This will be gathered as part of the flow.
- Roles: This JSON array tells Graph what kind of permissions the app should be given. I’ve set the default value to just be “Read”.
- AccessToken: This is the access token needed for the Graph API requests. Since Graph uses Bearer tokens, I’ve already set that portion of the token and the rest will be acquired by a call to the authorization endpoint.
The first thing this flow does is check if the app needs Write access and updates the Roles variable if needed.
It then gets and saves the access token to use to get the SharePoint site's Id.
Once all that information is saved, it builds the request body and sends the POST request to the SharePoint site to configure the permissions.
If any of the blocks encounter an error, the flow goes to the Catch scope, updates the IsError variable to true. At the very end of the flow, it checks to see if an error was caught. If it was, it forces the flow to Terminate with a Failed status. If not, the flow completes successfully and now your app should be able to access only the SharePoint site you specified.
The Site.Selected Graph permission opens up new opportunities for your employees to create applications that use Graph to interact with SharePoint sites without compromising the security of your entire tenant. This permission was critical to my work of encouraging employees to build their own automation solutions.
Latest comments (0)