Understanding Resource Specific Consent for Microsoft Graph and SharePoint Online
Summary
TL;DR: This video script discusses the implementation of resource-specific permissions in SharePoint Online and Microsoft Graph, focusing on the 'Sites.Selected' application permission. It explains how to configure this permission for access to specific site collections without granting full control over the entire tenant. The script walks through setting up certificate authentication in Azure Active Directory, granting permissions using Microsoft Graph and PowerShell, and testing access with a .NET application. It demonstrates the capability of targeting specific site collections with application-only tokens, improving security and control.
Takeaways
- 🔒 SharePoint Online and Microsoft Graph require specific permissions for accessing sites, which can be configured using application permissions.
- 🌐 The 'Sites.Selected' permission allows access to a specific site or set of site collections, rather than the entire tenant.
- 🔑 To use 'Sites.Selected' against SharePoint Online with application-only tokens, you need to authenticate with a certificate against Azure Active Directory.
- 📜 Azure Access Control Service (ACS) is no longer needed; direct authentication through Azure Active Directory and OAuth is sufficient.
- 👤 A global administrator, or someone (or an application) with 'Sites.FullControl.All', is required to grant 'Sites.Selected' permissions to a target site.
- 📊 The permissions can be configured as read-only, write, manage, or full control, providing flexibility in access control.
- 📝 Azure Active Directory applications can be registered with certificate authentication and client secrets for secure access.
- 📜 Certificates for authentication can be created using PowerShell cmdlets, with both public and private keys managed separately.
- 🤖 Testing access permissions can be done using .NET Framework applications that attempt to interact with SharePoint Online via Microsoft Graph or the SharePoint REST API.
- 🚫 Access is denied when attempting to interact with a site collection that has not been granted permissions, demonstrating the effectiveness of the 'Sites.Selected' permission.
- 🗑 Permissions can be revoked using PowerShell cmdlets, allowing for dynamic management of access rights.
Q & A
What is the purpose of the 'Sites.Selected' permission in SharePoint Online and Microsoft Graph?
-The 'Sites.Selected' permission restricts an application's permissions to a specific site or set of site collections in SharePoint Online and Microsoft Graph, rather than granting access to the entire tenant.
Why is certificate authentication required for SharePoint Online with application-only tokens?
-SharePoint Online only accepts application-only tokens obtained by authenticating to Azure Active Directory with an X.509 certificate, which authenticates the application without relying on user credentials; a client secret can be used when calling Microsoft Graph instead.
How can you configure the 'Sites.Selected' permission for a specific site collection?
-You can configure the 'Sites.Selected' permission for a specific site collection by using either the Microsoft Graph API or PowerShell, specifically the PnP (Patterns and Practices) PowerShell cmdlets.
What are the steps to create a certificate for certificate authentication?
-To create a certificate for certificate authentication, you can use the PnP PowerShell cmdlets to generate a certificate, save it as a PFX file containing the private key and as a .cer file containing just the public key, and specify a password for the certificate. The .cer file is uploaded to the app registration; the PFX file with the private key must be stored in a safe place.
How can you grant the 'Sites.Selected' permission to a specific site collection using PowerShell?
-You can grant the 'Sites.Selected' permission to a specific site collection using the 'Grant-PnPAzureADAppSitePermission' PowerShell cmdlet, providing the application ID, a display name, the target URL of the site, and the desired permission level.
What is the difference between using Microsoft Graph and the SharePoint REST API for accessing SharePoint Online?
-Microsoft Graph is a unified API endpoint that provides access to various Microsoft services including SharePoint Online, while the SharePoint REST API is specifically designed for SharePoint Online. Both can be used to access and manipulate SharePoint resources, but Microsoft Graph offers a broader range of services.
How can you test the permissions granted to an application in SharePoint Online?
-You can test the permissions by attempting to perform actions on the SharePoint site, such as creating a list. If the action succeeds, the permissions are correctly granted; if not, it results in an access denied error.
What is the role of a global administrator in granting the 'Sites.Selected' permission?
-A global administrator, or someone with the 'Sites.FullControl.All' permission, is required to grant the 'Sites.Selected' permission to the target site collection, ensuring that the permission is assigned by an authorized party.
How can you revoke the 'Sites.Selected' permission that was granted to an application?
-You can revoke the 'Sites.Selected' permission using the 'Revoke-PnPAzureADAppSitePermission' PowerShell cmdlet, providing the permission ID to remove the permission and revoke the grant.
What are the benefits of using resource-specific consent in Azure Active Directory?
-Resource-specific consent allows you to target specific resources with application permissions, enhancing security by limiting the scope of access and reducing the need for broad permissions like 'Sites.FullControl.All'.
Outlines
🔒 Resource-Specific Consent in SharePoint Online
This paragraph discusses the concept of resource-specific consent in SharePoint Online and Microsoft Graph. It explains how to configure application permissions for a specific site or set of site collections, rather than the entire tenant, using the 'Sites.Selected' permission. The speaker illustrates how this can be done without relying on Azure ACS, by directly using Azure Active Directory and OAuth. The process requires a global administrator or someone with 'Sites.FullControl.All' permissions to grant the selected permission to the target site. The paragraph also covers how to grant permissions using Microsoft Graph and PowerShell, and the different levels of access that can be configured: read-only, write, manage, or full control.
🛠 Granting and Testing Permissions with PowerShell
The second paragraph delves into the technical process of granting permissions to an application using PowerShell. It explains how to connect to a specific site collection and grant permissions to an application holding the 'Sites.Selected' permission. The speaker demonstrates how to use the 'Grant-PnPAzureADAppSitePermission' PowerShell cmdlet to assign permissions and how to update them with 'Set-PnPAzureADAppSitePermission'. The paragraph also includes a practical test of these permissions using a .NET Framework console application, which attempts to access and manipulate SharePoint Online sites with and without the granted permissions. The tests show access granted to the site with permissions and access denied for the site without permissions.
📝 Revoking Permissions and Additional Resources
The final paragraph wraps up the discussion by showing how to revoke permissions using the 'Revoke-PnPAzureADAppSitePermission' cmdlet in PowerShell. It emphasizes the capability of targeting specific site collections with application-only permissions without needing the broad 'Sites.FullControl.All' permission. The speaker also points out the successful creation of lists in the site with granted permissions and the inability to do so in the site without permissions. Lastly, the paragraph provides additional links for further exploration of the topic and concludes with a thank you note to the viewers.
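The grant-and-test flow described above, as an added PnP PowerShell example (this is not the video's own script). The tenant name, application ID and site URLs are placeholders, the admin connection is assumed to be a global administrator, and the verification step connects as the application itself with the certificate.

```powershell
# Added example: Sites.Selected end to end with PnP PowerShell (placeholders throughout).
$Tenant     = "contoso.onmicrosoft.com"                      # placeholder tenant
$AppId      = "00000000-0000-0000-0000-000000000000"         # placeholder application (client) ID
$Granted    = "https://contoso.sharepoint.com/sites/granted"     # site that will receive the grant
$NotGranted = "https://contoso.sharepoint.com/sites/notgranted"  # site that will not
$CertPwd    = Read-Host -AsSecureString -Prompt "PFX password"

# 1. Create the certificate: the PFX holds the private key (keep it safe),
#    the .cer holds only the public key and is uploaded to the app registration.
New-PnPAzureCertificate -CommonName "SitesSelectedDemo" -ValidYears 2 `
    -OutPfx .\sitesselected.pfx -OutCert .\sitesselected.cer -CertificatePassword $CertPwd

# 2. Grant the permission. This connection needs Sites.FullControl.All, here a global admin
#    signing in interactively (recent PnP PowerShell versions also require -ClientId of your own app).
Connect-PnPOnline -Url $Granted -Interactive
Get-PnPAzureADAppSitePermission                 # expect: no grant for this app yet

$grant = Grant-PnPAzureADAppSitePermission -AppId $AppId -DisplayName "SitesSelectedDemo" `
    -Site $Granted -Permissions Write
$grant.Id                                       # unique ID of the grant, needed for Set/Revoke

# Raise the same grant to FullControl; it is still scoped to this one site collection.
Set-PnPAzureADAppSitePermission -PermissionId $grant.Id -Permissions FullControl
Get-PnPAzureADAppSitePermission -PermissionId $grant.Id
Disconnect-PnPOnline

# 3. Verify as the application (certificate authentication, application-only token).
function Test-AppListCreate([string]$Url) {
    try {
        Connect-PnPOnline -Url $Url -ClientId $AppId -Tenant $Tenant `
            -CertificatePath .\sitesselected.pfx -CertificatePassword $CertPwd
        New-PnPList -Title "Generated via PnP" -Template GenericList | Out-Null
        "$Url : list created (access granted)"
    }
    catch {
        "$Url : $($_.Exception.Message) (access denied)"
    }
    finally { Disconnect-PnPOnline -ErrorAction SilentlyContinue }
}
Test-AppListCreate $Granted      # succeeds: grant exists on this site collection
Test-AppListCreate $NotGranted   # fails: the app holds no grant on this site collection

# 4. Clean up: revoke the grant with the admin connection again.
Connect-PnPOnline -Url $Granted -Interactive
Revoke-PnPAzureADAppSitePermission -PermissionId $grant.Id -Force
Get-PnPAzureADAppSitePermission                 # expect: empty again
```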
Keywords
💡SharePoint Online
💡Microsoft Graph
💡Application Permission
💡Certificate Authentication
💡Azure Active Directory
💡OAuth
💡Site Collection
💡PnP PowerShell
💡Resource-Specific Consent
💡API
💡Client Secret
Highlights
Introduction to SharePoint Online and Microsoft Graph with specific consent permissions for application-level access control.
Explanation of using site-scoped permissions to restrict access to specific sites or site collections instead of the entire tenant.
How to configure site-scoped permissions for Microsoft Graph and SharePoint Online using Azure Active Directory.
The requirement of a global administrator or someone with the 'Sites.FullControl.All' permission to grant site-scoped permissions.
Demonstration of granting site-scoped permissions using Microsoft Graph API and PowerShell.
Creating a certificate for certificate authentication in Azure Active Directory using PowerShell cmdlets.
Uploading the public key (.cer file) of the certificate to Azure Active Directory for authentication.
Using the PnP PowerShell cmdlets to connect to a SharePoint Online site and grant permissions to an application.
Testing application permissions by attempting to access and manipulate SharePoint Online sites with and without granted permissions.
Differences in behavior when accessing SharePoint Online with and without the required permissions.
Using .NET Framework console applications to test access to SharePoint Online sites with different permissions.
Code walkthrough of consuming SharePoint Online sites via Microsoft Graph SDK with client secret credentials.
Code walkthrough of consuming SharePoint Online sites via CSOM with certificate-based authentication.
Observing the outcome of list creation attempts in SharePoint Online with and without the necessary permissions.
Revoking previously granted permissions using PowerShell to demonstrate dynamic access control.
Practical application of site-scoped permissions to enhance security and control in SharePoint Online environments.
Additional resources and links for further exploration of the discussed topics.
Conclusion and thanks for watching the video on SharePoint Online and Microsoft Graph permissions.
Transcripts
…specific consent permission for SharePoint Online and Microsoft Graph. In Azure Active Directory we have an application permission called Sites.Selected that we can configure for Microsoft Graph and SharePoint Online, and when you do that for SharePoint Online you need to get an access token with certificate authentication against Azure Active Directory. This permission for applications is really useful whenever you want to have a set of permissions restricted to a specific site or set of site collections and not to the whole tenant. Just to make an example, it is something like what you used to do with the Azure Access Control Service when you registered an application, an add-in built with the SharePoint Add-in model, just with permissions for a specific site collection. Nowadays, with the Sites.Selected permission, you can do the same without relying on Azure ACS but just relying on Azure Active Directory and Open Authorization, and you don't need anymore to provide the Sites.FullControl.All permission to your Azure Active Directory registered applications in order to be able to have access to a specific site collection with elevated privileges. Whenever you do that, you will require a global administrator, or someone with Sites.FullControl.All, or an application with those permissions, to grant the selected permission to the target site. Indeed, that's the requirement; otherwise it would be a hack. So when you use the Sites.Selected permissions you need to grant those permissions to a specific target site collection, either using a Microsoft Graph endpoint or using PnP PowerShell. Then you can simply use CSOM or SPO REST and you can consume SharePoint, and while consuming SharePoint you can configure the selected permission as Read only, Write, Manage or Full Control. This is a really powerful capability, and let's move to the demo environment to see how to use it in practice.

In Azure Active Directory I registered an application in order to show you how the resource specific consent works. This application is configured with certificate authentication as well as with a client secret. I have configured certificate authentication because, as already said, from a SharePoint Online point of view, if you want to consume SharePoint Online with an application-only token you need to authenticate using an X.509 certificate, while the client secret can be used when you want to rely on Microsoft Graph. In the API permissions section for this application I simply have the Sites.Selected application permission for Graph and the Sites.Selected application permission for SharePoint, and you can find them by clicking on Microsoft Graph application permissions and then you search for sites and you will find Sites.Selected, and the same applies for SharePoint. So, first of all, how can you create a certificate for certificate authentication? Well, you can rely on the PnP PowerShell cmdlets and you can use New-PnPAzureCertificate, which allows you to create a certificate, to save the certificate as a PFX with the private key and as a .cer with just the public key, and you can specify a password for your certificate. So by doing that you will get back a certificate that you can upload from right here: you click on Certificates, you upload the public key, so the .cer file, and you are done. And then of course you will also have to store in a safe place the private key of your certificate.

So now let's say that we want to use this application to access a target site collection with a selected permission. So I don't want to give the permission to see all of the site collections to this application, but I simply want to target a specific site collection or a specific set of site collections. So here I have in SharePoint Online one site collection which is called the "site selected granted site" and another one which is the "site selected not granted site". What I'm going to do here in the Graph Explorer is to show you that right now, from a permissions point of view, in this target site I will query the permissions and I don't have any specific permission assigned to this site collection. This is the endpoint that you can use in Microsoft Graph to read or assign permissions to an app whenever we have the Sites.Selected application permission granted. So now I want to use the PnP PowerShell cmdlets to connect to the site selected granted site and to grant a specific permission to my application. So first of all I will connect to the target site; let's do that, run selection, and now I'm connected. If I do a Get-PnPAzureADAppSitePermission we can see that right now, like it was with Graph Explorer, we don't have any specific permission granted to any application. But by using the Grant-PnPAzureADAppSitePermission cmdlet, providing the ID of the application that we have in Azure Active Directory, so this is the application ID that we have right here, and by providing a display name for this permission grant, the target URL of the site and a permission that we want to provide, for example the Write permission, we will be able to grant to that application a specific permission. So let me run the selection again. This will be the unique ID of the permission that was granted to my application, and if now I make one more time a get of the permissions we can see that now we have one permission. Now you can also use Set-PnPAzureADAppSitePermission, providing the unique ID of the permission that you want to update and providing the new permission, which can even be Full Control. So if I do that, F8 to run the selection, I have now granted Full Control compared with the Write permission that I granted initially. Now my application can only have full control targeting this specific selected site collection; if I target any other site collection my application will not have any access permission.

OK, so how can we test it? Well, I have an application based on .NET Framework through which we can try to access a target site collection, and right here this is a console application with dependency injection in place. I have a "consume SPO selected site via Graph", which I will try to use targeting a site where I have granted the permission and which I will try targeting a site where I have not granted the permissions, to see how the behavior will change, and we do the same with SharePoint Online via CSOM instead of Graph so that you can also see how it behaves when you use CSOM. So the "consume SPO selected site via Graph" is a really simple method; we can dig into it so we can see what's inside of it, and we can see that we simply use a ClientSecretCredential object to authenticate with the Microsoft Graph SDK to get access to the site that we have in target. So we say graphClient.Sites and we get a site by path, and we try to create a new list in the target site. You see, we create a new List object of the Microsoft Graph SDK and then we add asynchronously the new list, and of course if we can successfully add the list it means that we have proper permissions; if not, it means that we are not granted the permission to work targeting that site. And the same logic but with CSOM is in the "consume SPO selected site via CSOM", where we get through the PnP Framework library the AuthenticationManager and we use the CreateWithCertificate method of the AuthenticationManager of PnP Framework to get a CSOM ClientContext by providing the X.509 certificate to authenticate against Azure AD. And then we see if the current user is an admin or not, just for the sake of it, and then we try to create a new instance of a list, still using CSOM like we did with Graph but now using CSOM, and we execute the query. And again, if it is successfully created it means that we have proper permissions; if not we will get a failure and we will see what the behavior will be.

So let me execute this application now that we have the permissions granted to the first site that I showed you. So Ctrl+F5; this is the console application running. As you can see here, I start the application, I start consuming the site selected granted site with selected permission via Microsoft Graph and I can successfully add a list to the site, and we will see the list shortly. Then, when we try to do the same with the site selected not granted site, we will get an access denied because the current application does not have access to the site selected not granted site. And the same applies for CSOM: so when we try to use CSOM to create a list, we successfully do that targeting the site where we have got the permissions granted, and we fail and we cannot create the list in the other site, and we get an "Attempted to perform an unauthorized operation". If I go back to my SharePoint site we can go to Site contents and we can see that right here we have the "Generated via Microsoft Graph" and "Generated via CSOM" lists in this site selected with granted permissions, while in the site contents of this site we don't have any list because we were not able to create such content. Of course, if you want to later on get rid of the permissions, you can also use Revoke-PnPAzureADAppSitePermission providing the permission ID and you will be able to remove the permission and revoke the grant. This is a really powerful capability because you will be able to target just specific site collections with application-only without the need to have anymore the Sites.FullControl.All permission that we used to use in the past in application-only to consume SharePoint Online sites. Here you can see additional links if you want to dig into the topic covered, and like always, thank you for watching this video.