'Teams: Can I have access to my Files (Sharepoint) using resource-specific consent permissions?
We have a published app in the Teams App Store.
We want to let the bot to have access to Teams Files. This is possible using Graph Application Permissions. But there's a small problem, the "Files.Read.All" and "Files.ReadWrite.All" seems like overkill to our clients and they are not going to let us access all SharePoint resources just to upload a file into Teams Directory.
Resource-specific consent looks like a solution for our purposes. However, after checking the documentation and samples we've found out that there are no "Files.ReadWrite.Group" and "Sites.ReadWrite.Group" resource-specific consent permissions. Despite that, we tried to add them but got an error during the app installation process.
When we're requesting the channel information from graph api using resource-specific consent permissions we get:
{
...
"filesFolderWebUrl": "https://example.sharepoint.com/sites/RSC/Shared Documents/General",
...
}
If we try to request GET {filesFolderWebUrl} with auth token we get 401 UNAUTHORIZED.
We also tried to use https://example.sharepoint.com/_api/ and it fails with:
{
"error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."
}
The GET https://graph.microsoft.com/beta/sites/ request returns blank response:
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#sites",
"value": []
}
Is there a way to get access to Teams Files using resource-specific consent? Any help would be appreciated.
Solution 1:[1]
As an alternative to RSC you could use SharePoint Site collection Level Permission
aka "The SharePoint flavour of RSC"
using the ``Sites.Selected` Graph permission.
This will allow a Customer Admin to grant your app/bot access to specific SharePoint SiteCollections.
While this does not give the 'automagical' permissions when a Teams App is installed in a team, it will allow you to use App Permissions with a scope that is both controllable, and smaller than 'entire tenant'
See:
- PG Blog Bost & Demo: https://devblogs.microsoft.com/microsoft365dev/controlling-app-access-on-specific-sharepoint-site-collections/
- Blogpost with samples : https://dev.to/svarukala/use-microsoft-graph-to-set-granular-permissions-to-sharepoint-online-sites-for-azure-ad-application-4l12
- Create Site Permission: https://docs.microsoft.com/en-us/graph/api/site-post-permissions?view=graph-rest-1.0&tabs=http
Solution 2:[2]
Team (group) resource-specific consent doesn't currently support access to the team's files.
Solution 3:[3]
There are some new graph scopes (preview) you could try:
Files.Read.Selected- allows read access to files user can select.Files.ReadWrite.Selected- allows read/write access to files user can selectFiles.ReadWrite.AppFolder- allows access to files in the "app folder". This one looks promising in your case.
These are new, and in "preview" state at the moment of writing, but already available for the apps. Disclaimer: I have not tried them myself yet, just discovered recently.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | |
| Solution 2 | Philippe Signoret |
| Solution 3 | Nikolay |