Understanding Resource Specific Consent for Microsoft Graph and SharePoint Online

00:00

foreign

00:09

specific consent permission for

00:12

SharePoint online and Microsoft graph

00:15

initial active directory we have an

00:17

application permission called site dot

00:20

selected that we can configure for

00:23

micrograph and SharePoint online and

00:25

when you do that for SharePoint online

00:27

you need to get an access token with a

00:30

certificate authentication against Azure

00:33

active directory this permission for

00:36

application is really useful whenever

00:39

you want to have a set of permissions

00:42

restricted to a specific site or set of

00:46

site Collections and not to the whole

00:48

tenant just to make an example it is

00:51

something like what you used to do with

00:53

the Azure access cardboard service when

00:56

you registered an application in a Dean

00:59

built with initial pointed in model just

01:01

with permissions for a specific site

01:04

collection nowadays we decide dot

01:07

selected permission you can do the same

01:09

without relying to Azure ACS but just

01:14

relying on each directly directory and

01:16

open authorization and you don't need

01:19

anymore to provide the

01:22

size.fullcontrol.all permission to your

01:24

Azure active directory registered

01:26

applications in order to being able to

01:28

have access to a specific set collection

01:31

with the elevated privileges whenever

01:35

you do that you will require a global

01:38

administrator or someone with

01:42

designs.fullcontrol.all or an

01:43

application with those permissions to

01:46

Grant the selected permission to the

01:47

Target site indeed that the requirement

01:50

otherwise it would be an hack so

01:54

when you use the

01:57

scithe.selected permissions you need to

01:59

Grant those permissions to a specific

02:01

Target site collection either using a

02:04

micrographing point or using PMP

02:07

Powershell then you can simply use

02:10

system or SPO rest and you can consume

02:15

SharePoint and why consuming SharePoint

02:18

you can configure the selected

02:20

permission as read only write manage or

02:25

full control

02:26

this is a really powerful capability and

02:30

let's move to the domain variant to see

02:32

how to use it in practice

02:36

in Azure active directory I registered

02:38

an application in order to show you how

02:40

the resource specific consent works this

02:44

application is configured with

02:46

certificate authentication as well as

02:49

with client secret I have configured

02:53

certificate authentication because as

02:54

already said from a SharePoint online

02:57

point of view if you want to consume

02:59

SharePoint online with application only

03:02

token you need to authenticate using an

03:05

x509 certificate while decline secret

03:08

can be used the one you want to rely on

03:12

Microsoft graph in the API permission

03:14

section for this application I simply

03:17

have the size.selected application

03:19

permission for graph and decide the

03:22

selected application permission for

03:24

SharePoint and you can find them by

03:25

clicking on micrograph application

03:27

permission and then you search for sites

03:31

and you will find site dot selected and

03:34

the same applies a for SharePoint so

03:37

first of all how can you create a

03:39

certificate for certificate

03:40

authentication well you can rely on

03:43

the PMP Powershell commandlets and you

03:47

can use the new PMP Azure certificate

03:49

which allows you to create a certificate

03:52

to save the certificate as a pfx with

03:55

private key and as a DOT Sir with just

03:57

the public key and you can specify a

04:00

password for your certificate so by

04:02

doing that you will get back a

04:03

certificate that you can upload from

04:05

right here you click on certificate you

04:07

upload the public key so the dot sir

04:10

file and you are done and then of course

04:12

you will also have to store in a safe

04:14

place the private key of your

04:16

certificate so now let's say that we

04:18

want to use this application to access a

04:21

Target site collection with a selected

04:24

permission so I don't want to give the

04:27

permission to see all of the site

04:29

collection to this application but I

04:31

simply want to Target a specific set

04:33

collection or a specific set of site

04:35

collections so here I have in SharePoint

04:38

online one set collection which is

04:40

called the site selected granted site

04:43

and another one which is the site

04:45

selected not granted site what I'm going

04:48

to do here

04:49

in the graph Explorer is to show you

04:52

that right now from a permissions point

04:55

of view in this target site I will query

04:58

the permissions and I don't have any

05:00

specific permission assigned to this set

05:03

collection this is the endpoint that you

05:06

can use in micrograph to read or assign

05:09

permissions to an app whenever we have

05:12

as the size dot selected application

05:15

permission granted so now I want to use

05:19

the PMP Powershell command lens to

05:22

connect to the site selected granted

05:24

site and to Grant a specific permission

05:27

to my application so first of all I will

05:31

connect to the Target side let's do that

05:34

run selection and now I'm connected if I

05:37

will do a get PMP Azure ID upside

05:40

permissions we can see that right now as

05:43

like as it was with graph Explorer we

05:45

don't have any permission specific

05:48

permission granted to any application

05:50

but by using the grand PMP Azure ID up

05:55

site permission commandlet providing the

05:58

ID of the application that we have in

06:01

Azure active directory so this is the

06:05

application ID that we have right here

06:07

and by

06:09

providing a display name for this

06:12

permission Grant the target URL of the

06:15

site and a permission that we want to

06:17

provide for example the right permission

06:19

we will be able to Grant to that

06:21

application so let me run the selection

06:24

again we will be able to Grant to that

06:26

application a specific permission this

06:29

will be the unique ID of the permission

06:32

that was granted to my application and

06:35

if now I will make one more time a get

06:37

of the permissions we can see that now

06:39

we have one permission now you can also

06:43

use the set PMP Azure ID upside

06:46

permission providing the unique ID of

06:48

the permission that you want to update

06:50

and providing the new permission which

06:53

can even be full control so if I will do

06:55

that f8 to run the selection I now Grant

06:59

it full control compare with the right

07:02

permission that I granted initially now

07:05

my application can only have full

07:08

control targeting this specific selected

07:11

site collection if I will Target any

07:13

other set collection my application will

07:15

not have any access permission okay so

07:19

how can we test it well however

07:22

an application based on.net framework

07:26

through which we can try to access a

07:30

Target site collection and right here

07:32

this is a console application with

07:34

dependency injection in place I have a

07:37

consume SPO selected site via graph

07:39

which I will try to use targeting a site

07:42

where I have granted the permission and

07:45

which I will try targeting a site where

07:47

I have not granted the permissions to

07:49

see how the behavior will change and we

07:52

do the same with SharePoint online via

07:55

season instead of graph so that you can

07:58

also see how it behaves when you use

08:00

season so the consume SPO selective site

08:04

via graph is a really simple method we

08:08

can dig into it so we can see what's

08:11

inside of it and we can see that we

08:15

simply use

08:16

a client's secret credential object to

08:20

authenticate with Microsoft graph SDK to

08:24

get access to the site that we have in

08:26

Target so we say graph client dot size

08:31

and we get a site by path and we try to

08:35

create a new list in the Target site you

08:39

see we create a new list object of

08:42

micrograph SDK and then we add

08:43

asynchronously the new list and of

08:45

course if we can successfully at the

08:47

list it means that we have proper

08:49

permissions if not it means that we are

08:51

not granted the permission to work

08:53

targeting that site and the same logic

08:57

but with season is in the consumers peer

09:00

selected site by a season where we get

09:03

through the PMP framework Library the

09:07

authentication manager and we use the

09:09

create with certificate method of the

09:12

authentication manager of PMP framework

09:14

to get a season client context for

09:16

providing the x509 certificate to

09:19

authenticate against Azure ID and then

09:22

we see if the current user is an admin

09:25

or not just for the sake of it and then

09:28

we try to create a new instance of a

09:31

list still using season as like as we

09:33

did with graph but now using system and

09:36

we execute the query and again if it

09:38

will be successfully created it means

09:40

that we have proper permissions if not

09:42

we will get a failure and we will see

09:44

what the behavior will be so let me

09:47

execute this application now that we

09:50

have the permissions granted to the

09:52

first side that I showed you so Ctrl F5

09:55

this is the console application running

09:57

as you can see here I start the

10:00

application I start consuming the site

10:03

selected granted site with selected

10:05

permission via micrograph and I can

10:08

successfully add a list to the site and

10:10

we will see the list shortly then when

10:12

we try to do the same with the site

10:14

selected not granted site we will get an

10:17

access denied because the current

10:19

application does not have access to the

10:21

site not granted side

10:23

and the same applies for season so when

10:26

we try to use season to create a list

10:30

that we successfully do that targeting

10:33

the site where we have got the

10:36

permissions granted and we fail and we

10:39

cannot create the list in the other side

10:42

and we get an attempt to perform in an

10:44

authorized operation if I will go back

10:47

to my SharePoint site we can go to site

10:50

contents and we can see that right here

10:52

we have the generated via micrograph and

10:55

degenerative biasism lists in this site

10:58

selected with granted permissions while

11:00

in the site contents of this site we

11:03

don't have any list because we were not

11:05

able to create such a content of course

11:09

if you want to later on get rid of the

11:12

permissions you can also use the revoke

11:14

PMP Azure ID up site permissions

11:17

providing the permission ID and you will

11:19

be able to remove the permission and

11:21

revoke the grind this is a really

11:23

powerful capability because you will be

11:26

able to Target just specific site

11:29

collector with application only without

11:31

the need to have any more decide dot

11:34

full control dot all permission that we

11:36

used to use in the past in application

11:38

only to consume SharePoint online size

11:42

here you can see additional links if you

11:45

want to dig into the topic covered and

11:48

like always thank you for watching this

11:50

video

11:50

foreign