Expanded Authentication Options for SharePoint Sites.Selected permission

Captions
So what we want to talk about today is Sites.Selected for delegated access. In the description, app folder for app-only access was mentioned. I'm not able to demo the app folder stuff today for a few reasons; don't worry about that, it's coming very, very soon. But we're going to look at Sites.Selected for delegated access today.

I'm really excited to introduce this capability. It's been long asked for, and it really helps increase the overall security of the service by allowing the Sites.Selected access but with the user present, and so that means the app can never do more than the current user can do, which is a little bit better for security. So I want to walk through that real quick.

The first thing we're going to look at is just that, hey, I have this website here and I can access it in SharePoint as my user, and that's great. The next thing we want to do is set up an application. We've all done this before, I'm pretty sure, but I'm going to make my test app. We're going to do a SPA; this doesn't matter, because we're not actually going to use this one, but we'll just say localhost. We're going to register that application and we're going to get this app ID.

Now I'm going to put a special little link here in the chat, if I could find the chat here. So what you're going to see here is that this scope, due to timing of course for my demo, is not quite ready; it's not available yet in the admin center, but it's coming very, very, very soon, governed now really only by some rollout schedules. But for now I've got this app, and one of the things I need to do is, under authentication, real quick, I'm just going to check access tokens and ID tokens.

Please, can you zoom in a bit? Because again, you're doing things in the admin UI, and I don't think anybody can follow.

Of course. I've checked these two boxes here, access tokens and ID tokens, a new feature, I'm sure. But one of the things is I don't have a way to really zoom in on the address bar here, but what I can do is get a notepad and zoom in. So what we've got, just to allow folks to do some temporary testing before it is available fully in the admin center to select, is you could use this URL, which I pasted in the chat, which has your tenant ID as this parameter here, and then your client ID is the parameter here. And you'll see that is the client ID from... let me get back to... I don't know if I can get back to my test app from here; I have to zoom out. So there we go. My application ID is here, and that's this 6939, etc. And so if I go back to my window here, you can see I've got the ID there, response type token, and you can see I've put the scope in here as graph.microsoft.com Sites.Selected. And so I'm going to paste that URL into my browser.

So, neat, what we can see here, and let me try and zoom in some more: the permissions requested. You've seen this dialog a lot, I imagine, but one of the things that's new is you're accessing the selected sites on behalf of the signed-in user. So this is actually the delegated access we're enabling here for this scenario, and I'm going to consent to all the apps and I'm going to accept. And this URL trick just allows you to do this before it is available in the service. So ignore this; this is it trying to redirect to my localhost app with an access token and so forth. But we're going to kind of skip all this and we're going to use an app I've already created here, just to make things a little bit easier.

So I'm going to try and switch over to a little bit of a demo app. I'm going to demo this using a little library called PnPjs that you might have heard of, and I've set up this other client ID, which is the one I'd already set up, but I would put my client ID that I just set up there. We're going to use the built-in PnPjs SPA testing app, and we're going to use this as my login authority, tenant there. And what I'm trying to do is make a request to this site, and if you trust me, and I hope you do, that URL, let me log in, is going to this website here. So it's the site ID for this site collection.

And if we go over here to the SPA, and if you'll notice I've got the server running in the background, if I refresh here you can see access denied. And if we do this and go to network, try again, go to network, here we go: we're going to go get our bearer token here and we're going to go to jwt.ms, and that just exposes the token. But I just want to point out here real quick, this is a delegated token; we've got user and app information in this token. So this is a delegated token we're trying to use and we're getting access denied.

So the next step is just to go and grant this access through Graph Explorer, and this is exactly like the process for... first I'm going to do a GET; we can see there's no permissions in the collection. And this is the exact same process for Sites.Selected that you're familiar with, except the app we've created happens to have the delegated scope, so there's no difference in this call, which I think is really helpful. But you can see I'm just doing the exact same thing I would for Sites.Selected application-only, but for delegated. And I'm going to run that query and I get back the stuff I get back, and now if we do a GET on permissions you'll see my app is listed there, as you expect. And if I go back to this page I now get data from the site.

So just that easily I'm able to enable the Sites.Selected delegated permissions to the site, and so that works just like Sites.Selected without delegated. And just to make sure... whoops, that's not what I wanted to do... just to make sure that there's no tricks up my sleeve, I'll show that the token that did work is still a delegated token, so it's got the user and the app ID in there, and that works now to get us access to this site's details on our testing page, so you can see the details come back. And just as with Sites.Selected app-only, if I get the ID, which is a very easy to remember string here, and I run a DELETE there, you'll see that... let me get rid of this and let me go back to GET and run that... you'll see nothing back in that collection, and my test app is back to access denied. So, working as you would expect.

So this is a great new capability that will really allow you to permission your apps a little more securely, by limiting both the site that the app would have access to as well as not allowing the app to do any more than the current user can do. So this makes things a little bit more secure in your environment and is a big piece of our journey towards getting everything to support application and delegated as much as possible. And so, as I mentioned, this very similar thing is coming for application: app folders will support application-only; previously that was delegated-only. It actually was the other way. And then one final note for right now, and we'll see, but these calls, the Sites.Selected delegated, will be supported through the Microsoft Graph only for initial launch. So we're going to look at supporting that as a first step, and then we'll do our best to maybe expand that support depending on the feedback we get and how things go there.

So I'm going to glance very quickly at the chat to see if there's any... let's see, questions here. I think R's question is related to the context of the permissions, so for example per folder, per list.

Just to recap on what you were going through: per folder?

No. So this is Sites.Selected still, but it is Sites.Selected plus user, so it is Sites.Selected delegated mode. So it is at the site collection level. The work we're doing to enable permissioning at lower levels is still in progress; it's related to this but not the same, so that is still coming but has been delayed slightly from last year. So we are still working on that, but this is all site collection level.

Will this work with the Microsoft Graph search API? Not in the way I think you imagine right now, today. We had to get this out, and now the next step is to work with the search folks to consume this permission data. Sites.Selected works with the search API, but you're not going to get per-user results with Sites.Selected at this time, so that's work we need to get in place as well.

So, looking back up at the question: it's delegated permissions; it's the intersection of permissions between the user and the application. And then, yeah, the same permissions for Sites.Selected are read, edit or read-write, and full control, and then as well we're working on an owner or manage permission in there as well. And then I think that's all the questions from my demo.

Yep. And again, K, one more time, you just said it, but again, because this is quite often complicated to understand: so basically the new thing here is that the user permissions count. So you don't have to grant only app-only permissions per site collection; now you can say app-only permissions plus the user permissions count, so therefore it's more secure. And even though the application has been granted a high level of permission, because the user permissions do count as well, even though the application has high permission, the user cannot access information across the boundary.

Exactly right. So the way to think about that is, I could give the application full control to a site collection, but if the current user has only read-write, or I'm sorry, excuse me, read access, they would only be able to read data, not edit anything, even though the application could, with a user that had full control, access everything or do everything.
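The pieces of the flow the demo walks through, written up as an added example for this page. This is not code from the video, from PnPjs or from Microsoft; every tenant ID, client ID, application name, user and the sample token are placeholders, the authorize endpoint and the permission body follow the Microsoft Graph conventions, and the role list and its ordering (read, write, fullcontrol) are taken from the speaker's remarks rather than from documentation. It builds the implicit-flow authorize URL with the Sites.Selected scope, the POST body for granting the app to a site (the same body for app-only and delegated, as the speaker notes), decodes a constructed, unsigned token to check that it is delegated rather than app-only, and computes the effective access as the intersection the speaker describes.

```javascript
// Added example for this page; not code from the video, PnPjs or Microsoft.
// All IDs, names and the sample token below are placeholders.

// Delegated Graph scope requested in the demo's authorize URL.
const GRAPH_SITES_SELECTED_SCOPE = "https://graph.microsoft.com/Sites.Selected";
// Roles the speaker lists for a Sites.Selected grant, least to most privileged.
const ROLE_ORDER = ["read", "write", "fullcontrol"];

// Implicit-flow authorize URL (response_type=token returns the access token in
// the URL fragment, which is why the demo ticked "Access tokens" on the app).
function buildAuthorizeUrl({ tenantId, clientId, redirectUri, scope = GRAPH_SITES_SELECTED_SCOPE }) {
  const qs = new URLSearchParams({
    client_id: clientId,
    response_type: "token",
    redirect_uri: redirectUri,
    scope,
  });
  return `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/authorize?${qs}`;
}

// Body for POST https://graph.microsoft.com/v1.0/sites/{siteId}/permissions.
// As the speaker says, it is the same call for app-only and delegated use.
function buildPermissionGrant(appId, displayName, roles) {
  for (const role of roles) {
    if (!ROLE_ORDER.includes(role)) throw new Error(`unsupported role: ${role}`);
  }
  return {
    roles: [...roles],
    grantedToIdentities: [{ application: { id: appId, displayName } }],
  };
}

function base64UrlEncode(str) {
  return Buffer.from(str, "utf8").toString("base64").replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_");
}
function base64UrlDecode(str) {
  return Buffer.from(str.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf8");
}

// Decode the payload only, as jwt.ms does, to look at claims. No signature is
// checked here, so never use this to decide whether to trust a token.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// A delegated token carries "scp" (space-separated scopes) and a user identity;
// an app-only token carries "roles" and no user.
function classifyToken(payload) {
  const hasUser = Boolean(payload.oid || payload.upn || payload.preferred_username);
  if (typeof payload.scp === "string" && hasUser) return "delegated";
  if (Array.isArray(payload.roles) && !hasUser) return "app-only";
  return "unknown";
}

function hasSitesSelected(payload) {
  const scopes = typeof payload.scp === "string" ? payload.scp.split(" ") : [];
  const roles = Array.isArray(payload.roles) ? payload.roles : [];
  return scopes.includes("Sites.Selected") || roles.includes("Sites.Selected");
}

// Effective access on a delegated call is the intersection of the app's grant
// on the site and the signed-in user's own permission: the lower of the two.
// Returns null when either side has no recognised access.
function effectiveRole(appRole, userRole) {
  const a = ROLE_ORDER.indexOf(appRole);
  const u = ROLE_ORDER.indexOf(userRole);
  if (a < 0 || u < 0) return null;
  return ROLE_ORDER[Math.min(a, u)];
}

// Constructed, unsigned sample of the claims a delegated token carries.
function sampleDelegatedToken() {
  const header = { alg: "none", typ: "JWT" };
  const payload = {
    aud: "https://graph.microsoft.com",
    appid: "00000000-0000-0000-0000-000000000001", // placeholder client ID
    oid: "11111111-1111-1111-1111-111111111111",   // placeholder user object ID
    upn: "user@contoso.example",
    scp: "Sites.Selected User.Read",
  };
  return `${base64UrlEncode(JSON.stringify(header))}.${base64UrlEncode(JSON.stringify(payload))}.unsigned`;
}

// Walk-through mirroring the demo: inspect the token, grant the app on the
// site, then see what a read-only user can do through a full-control app.
function demo() {
  const payload = decodeJwtPayload(sampleDelegatedToken());
  return {
    tokenKind: classifyToken(payload),                   // "delegated"
    requestsSitesSelected: hasSitesSelected(payload),    // true
    grant: buildPermissionGrant(payload.appid, "Test App", ["fullcontrol"]),
    userCanDo: effectiveRole("fullcontrol", "read"),     // "read"
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

`effectiveRole` is a model of the behaviour the speaker describes, not a call into SharePoint: the service does the intersection server-side, and the point of the example is that a full-control grant to the app still yields only read for a read-only user. The JWT decoder deliberately skips signature verification; it is for inspecting what kind of token you hold, exactly like pasting it into jwt.ms, not for accepting one.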
Info
Channel: Microsoft Community Learning
Views: 836
Keywords: SharePoint, community, open-source, Microsoft, REST, API, Microsoft Graph, permissions, Azure
Id: 9DCKuku_Q2o
Length: 25min 10sec (1510 seconds)
Published: Fri Apr 05 2024