How to granulate application permissions for SharePoint?
This article describes how to granulate permissions to specific SharePoint sites when using Integration Service connections and/or the Classic Office 365 Scope.
To allow UiPath access to Office 365 resources, an App Registration must be configured with specific settings and permissions; which settings are needed depends on the scenario.
Granulating the permissions can be done for both Delegated and Application permissions.
For a better understanding of the differences between Delegated and Application permissions, it is recommended to read the following Introduction to permissions and consent documentation.
Approach #1: Using Delegated Permissions
In this access scenario the client application (App Registration) accesses the resource on behalf of the user. Both the client and the user must be authorized separately to make the request.
- For the client app, the correct delegated permissions must be granted. Those permissions represent what a client application can access on behalf of the user.
- For the user, the authorization relies on the privileges the user has been granted to access the resource, e.g. whether the user has been added to and given permissions on a specific SharePoint site or SharePoint resource.
The permissions have to match in order to work, e.g. if the user has Read and Write permissions, the app should also have Sites.ReadWrite.All.
Note: With this method the user can only see the sites they have access to.
This permission type is required for Integration Service connections, but also works for the Office 365 Scope.
Approach #2: Using Application Permissions
In some scenarios, due to the security settings of the organization, admins are forced to use Application Permissions. However, these permissions apply to all resources unless they are granulated.
For SharePoint, there is an Application Permission called "Sites.Selected", which allows granting Read and/or Write permissions on specific sites while restricting access to all others.
This permission requires some minimal setup. The articles below describe how to use it:
- How to use Microsoft graph SharePoint Sites.Selected application permission in a Azure AD application for more granular control?
- Controlling app access on a specific SharePoint site collections is now available in Microsoft Graph (Microsoft Blog)
- Updates on controlling app specific access on specific SharePoint sites (Sites.Selected)
SharePoint-wise, this is the only permission that needs to be assigned and configured. This permission only works for Office 365 Scope authentication.
If issues are still encountered after this setup, check the Office 365 General Troubleshooting Guide.
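The linked articles describe the per-site grant that makes Sites.Selected work: after the App Registration is given the Sites.Selected application permission, an admin tells SharePoint, through Microsoft Graph, which app gets which role on which site. The following is an added example (not UiPath's or Microsoft's code) that builds that grant for the real endpoint `POST /sites/{site-id}/permissions`, and audits a `GET /sites/{site-id}/permissions` listing so that only the intended App Registrations hold access and with no more than the intended role. The app ids, display names, site id and the sample listing are constructed placeholders; the roles are limited to the Read and Write roles discussed above.

```python
"""Grant and audit Sites.Selected access on one SharePoint site via Microsoft Graph.

Added example, not UiPath's or Microsoft's code. The Graph endpoints used are
real (GET/POST /sites/{site-id}/permissions); every id, display name and the
sample listing below are constructed placeholders.
"""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
ALLOWED_ROLES = {"read", "write"}  # the Sites.Selected roles discussed in the article


def build_grant_payload(app_id: str, display_name: str, roles) -> dict:
    """Build the body for POST /sites/{site-id}/permissions.

    The grant names the App Registration (client id + display name) and the
    roles it gets on that single site. Roles are validated up front so a typo
    fails here rather than at the API.
    """
    roles = sorted(set(roles))
    bad = set(roles) - ALLOWED_ROLES
    if bad:
        raise ValueError(f"unsupported roles for a Sites.Selected grant: {sorted(bad)}")
    if not roles:
        raise ValueError("at least one role is required")
    return {
        "roles": roles,
        "grantedToIdentities": [
            {"application": {"id": app_id, "displayName": display_name}}
        ],
    }


def grant_site_permission(access_token: str, site_id: str, payload: dict) -> dict:
    """POST the grant to Graph (not exercised offline).

    The token must belong to an admin app that itself holds
    Sites.FullControl.All; an app with only Sites.Selected cannot grant.
    """
    req = urllib.request.Request(
        f"{GRAPH}/sites/{site_id}/permissions",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def audit_site_permissions(listing: dict) -> dict:
    """Map app id -> set of roles from a GET /sites/{site-id}/permissions response."""
    grants = {}
    for perm in listing.get("value", []):
        identities = (perm.get("grantedToIdentities")
                      or perm.get("grantedToIdentitiesV2") or [])
        for ident in identities:
            app = ident.get("application")
            if app and "id" in app:
                grants.setdefault(app["id"], set()).update(perm.get("roles", []))
    return grants


def unexpected_grants(listing: dict, expected: dict) -> dict:
    """Return app ids holding roles beyond `expected` (app id -> allowed roles).

    A periodic run of this over each granulated site catches grants that were
    added outside the documented setup or widened from read to write.
    """
    findings = {}
    for app_id, roles in audit_site_permissions(listing).items():
        extra = roles - set(expected.get(app_id, ()))
        if extra:
            findings[app_id] = extra
    return findings


# Constructed sample, shaped like a GET /sites/{site-id}/permissions response.
ROBOT_APP = "11111111-1111-1111-1111-111111111111"     # placeholder client id
LEGACY_APP = "22222222-2222-2222-2222-222222222222"    # placeholder client id
SAMPLE_LISTING = {
    "value": [
        {"id": "perm-1", "roles": ["read"],
         "grantedToIdentities": [{"application": {"id": ROBOT_APP,
                                                  "displayName": "UiPath-Robot-App"}}]},
        {"id": "perm-2", "roles": ["write"],
         "grantedToIdentities": [{"application": {"id": LEGACY_APP,
                                                  "displayName": "Legacy-Integration"}}]},
    ]
}

if __name__ == "__main__":
    print(json.dumps(build_grant_payload(ROBOT_APP, "UiPath-Robot-App", ["read"]), indent=2))
    print(audit_site_permissions(SAMPLE_LISTING))
    # Only the robot app is expected on this site, and only with read:
    print(unexpected_grants(SAMPLE_LISTING, {ROBOT_APP: {"read"}}))
```

Run it as-is to see the grant body and the audit result for the constructed listing; to apply a real grant, obtain an app-only token for an admin App Registration and pass it with the target site id to `grant_site_permission`. Pairing a read-only grant for the robot app with a periodic `unexpected_grants` check is what keeps "specific sites only" true after the initial setup.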