Are there security issues with Microsoft365R's requested permissions?

[mm225022]

There have been concerns about providing me with access because “the integration set up full read/write access to all SharePoint sites in the [corporate] tenant and there was not a way to limit that access.“

Is there anyway within the package to limit access?

I did see the following for Python - https://www.dataandstuff.co.uk/post/interacting-with-sharepoint-online-documents-using-python.

Can something like this be worked on?

[hongooi73]

Hi, the only permissions that the app has are delegated permissions. That means the only things you can do with the package are things that your account would normally be allowed to do anyway.

Basically, to carry out an action X, the package must have permission X and your account must have the appropriate role that allows X. See here: https://docs.microsoft.com/en-us/graph/auth/auth-concepts#microsoft-graph-permissions

For delegated permissions, the effective permissions of your app will be the intersection of the delegated permissions the app has been granted (via consent) and the privileges of the currently signed-in user. Your app can never have more privileges than the signed-in user. Within organizations, the privileges of the signed-in user can be determined by policy or by membership in one or more administrator roles. For more information about administrator roles, see Assigning administrator roles in Azure Active Directory.

The opposite of this is application permissions, where having permission X is all that is necessary to carry out an action (this is likely what your IT people are concerned about). Microsoft365R doesn't require, or request, any of these.

[mm225022]

Thanks, this is very helpful. Bottom line, I can only get to sites that I can currently get to by physically going to the SharePoint site and any sites that I currently can't get to by physically going to the SharePoint site, I won't be able to get to with the app.
Thanks!

[hongooi73]

Yes, that's correct. Your Python link is using a limited set of application permissions to work with Sharepoint, which is another way to keep things secure. Personally I think this is not so good, because it means you lose track of who is making changes to documents -- what will be recorded is the app/service principal ID, not a username. But from a security standpoint, it does the job.

[mm225022]

Excellent. Thank you very much. I am happy to close the issue unless you have a need for it to remain open.

[hongooi73]

No worries. I've actually pinned it to the top, as it's a question that I'm sure others will have.