Suggestion to improve documentation:
The README says, not precisely, that Sites.Read.All or Sites.ReadWrite.All is needed to work with the Sharepoint class. It is not completely true. I managed to work with API keys with only the Sites.Selected scope set, but before using the API keys I had to grant permissions to particular sites/libraries, with their particular permission levels, using PnP PowerShell.

Since autumn 2024 (source: https://pnp.github.io/powershell/articles/registerapplication.html) a custom "master" app ID for all sites is needed to manage things via PnP:

```powershell
Register-PnPEntraIDAppForInteractiveLogin -ApplicationName "PnP PowerShell app for interactive tenant management" -Tenant NAME.onmicrosoft.com -Interactive
```

and you log in interactively as some powerful admin (not sure if anything less than Global Admin works). After it generates the app ID for the management session, connect to this app ID so the next PnP PowerShell commands run from within this master app. (Formerly it used some multi-tenant app, which is not possible anymore):

```powershell
Connect-PnPOnline -Url https://NAME.sharepoint.com -Interactive -ClientId your-management-app-id
```

Then create the "regular" app to be used with python-o365, either also via PnP or via the GUI in the Entra ID admin center. Give it the Graph API Sites.Selected permission. (https://learn.microsoft.com/en-us/graph/auth-v2-service)

And then the key ingredient: use this type of command to set particular permissions on a library. The admin who connected to the master app before must be owner of the library, or the app must have the AllSites.FullControl super-power. ("In order to be able to run this cmdlet, you will need to connect to PnP PowerShell using preferably another Entra ID application registration which will have the AllSites.FullControl permission on the delegate scope on SharePoint set to it and being logged on with a Global Administrator or SharePoint Administrator privileged account." Source: https://pnp.github.io/powershell/articles/determinepermissions.html)

```powershell
Grant-PnPAzureADAppSitePermission -AppId "<Client ID of your Entra ID application registration>" -DisplayName "PnP PowerShell" -Permissions Read -Site <url of the SharePoint Online site to which you will connect>
```

This command can be repeated for other SharePoint sites, so the same app ID + app secret or certificate can be used for multiple SharePoint sites within the same tenant. Permissions can be among "Read, Write, FullAccess", so some sites may be read-only for just downloading files or Excel data and some may be for writing.

Setting the app up this way is more work, but security is much better than giving the app ID/secret full control, or any control, over ALL SharePoint sites within the tenant. Usually most developers use the API not to interact with all SharePoint sites but perhaps to download or upload stuff to one particular site out of hundreds, so hacking and exposing this single key must cause the least damage and not allow exfiltrating all tenant data or overwriting any data.
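As an added example (not code from the issue author or from the python-o365 project), the procedure described in the post run end to end in PnP PowerShell: connect through the management app, grant the Sites.Selected workload app a different minimum permission on each site it actually needs, then list the grants per site so the result can be reviewed. The tenant name, site URLs and both client IDs are placeholders to be replaced; the `-AppIdentity` parameter of `Get-PnPAzureADAppSitePermission` is taken from the PnP cmdlet reference and is an assumption of this example, not something the post states.

```powershell
# Added example, not from the issue or the python-o365 project.
# One-time prerequisite (done interactively beforehand, as in the post):
#   Register-PnPEntraIDAppForInteractiveLogin -ApplicationName "PnP PowerShell app for interactive tenant management" -Tenant <NAME>.onmicrosoft.com -Interactive
# Paste the resulting client ID into $mgmtAppId below. All <...> values are placeholders.

$tenantRoot    = "https://<NAME>.sharepoint.com"               # placeholder tenant root site
$mgmtAppId     = "<client id of the PnP management app>"        # placeholder: app used only by the admin session
$workloadAppId = "<client id of the python-o365 app>"           # placeholder: app that holds Graph Sites.Selected
$workloadName  = "python-o365 reports job"                      # display name recorded on each site grant

# Least-privilege map: each site gets only the level the job needs there.
# Read  -> the job only downloads files/Excel data from this site.
# Write -> the job also uploads files to this site.
$grants = @(
    @{ Site = "$tenantRoot/sites/<ReadOnlySite>";  Permissions = "Read"  }
    @{ Site = "$tenantRoot/sites/<UploadSite>";    Permissions = "Write" }
)

# Admin session runs inside the management app, never inside the workload app.
Connect-PnPOnline -Url $tenantRoot -Interactive -ClientId $mgmtAppId

foreach ($g in $grants) {
    # Skip sites where the workload app is already granted, so re-running the script
    # does not stack duplicate permission entries on the site.
    $existing = Get-PnPAzureADAppSitePermission -Site $g.Site -AppIdentity $workloadAppId -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "Already granted on $($g.Site):"
        $existing | Format-List
        continue
    }

    Write-Host "Granting $($g.Permissions) on $($g.Site) to $workloadAppId"
    Grant-PnPAzureADAppSitePermission -AppId $workloadAppId `
                                      -DisplayName $workloadName `
                                      -Permissions $g.Permissions `
                                      -Site $g.Site
}

# Review step: list every app grant on each site in scope. Anything here that is not
# the workload app, or holds more than the mapped level, is worth questioning.
foreach ($g in $grants) {
    Write-Host "`nSite permissions on $($g.Site):"
    Get-PnPAzureADAppSitePermission -Site $g.Site | Format-List
}

Disconnect-PnPOnline
```

Because the workload app's own credential (secret or certificate) is never used in this script, it stays confined to the python-o365 job; if that credential leaks, the blast radius is the two mapped sites at the mapped levels, not the tenant. Running the review loop on its own is also a cheap periodic check that no site has quietly accumulated broader grants than intended.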