Microsoft Graph “Sites.Selected” permissions within SharePoint Online

Captions
I am going to focus only on the Sites.Selected Microsoft Graph permission, and that is what I am going to talk about. Just a little bit about me: I work as a senior consultant in the Modern Work domain at Microsoft, and my expertise is design, architecture, development and Azure. I'm a big fan of this community; I have attended this community many times, and I'm a big fan of a few of the presenters here.

So what is the access control system? Basically, this agenda is about accessing SharePoint content, or SharePoint lists or libraries, using a headless account. What we have used in the past, and what my customer has used in the past, is the access control system (ACS), which is retired. I will point to Vesa's blog post as well; the retirement was in 2018. The better way to do this is using the Sites.Selected Microsoft Graph permission. Prior to Sites.Selected we used to give full permission, which was not a good thing to have, because then that particular app has access to everything. Sites.Selected allows you to do this with granularity. When I explained to my customer how Sites.Selected works, they said it's a lot of work for the admins, so I proposed to them a proof of concept on automating and governing this using a tracker for Sites.Selected, and that is what I'm going to show. So these are my three points, and I'll demo them.

If you are not aware, this is the slide here: this is a SharePoint group; we used to do the approach of appregnew.aspx, and then you select the client ID and client secret, and then you provide the access to a site, or a web, or a list using appinv.aspx, and there is a special XML file. I'm not going to get into the details of that, but this is retired. It is working as of now, it is working and it will work; there is nothing mentioned that it will not work for now, but the better or recommended approach is using Sites.Selected.

So what my customer needed was access to around 200 sites using a client ID and client secret, which would have made things worse, because they would have to create one ACS app and client secret for each of all these site collections, and that is not a good thing to do. So the better approach would be to use Sites.Selected. What Sites.Selected does is it allows an application to access a subset of sites and site collections without a signed-in user. As I said, it's without any logged-in user, so that is what is required. In the Graph API call you have the REST APIs as shown on the screen right now, but what I have used is the PnP PowerShell commands, and those in turn call the similar REST API which is shown here. It is showing only the create operation, but there are read and write operations as well, and list operations, so that is GET and PUT, right? All of this is already coded in PnP PowerShell, so I have used that to show them how to use this particular permission.

To use this permission you will need two Azure AD apps. One Azure AD app will have Sites.FullControl.All, and this particular Azure AD app will only be allowed to be used by the admins to provide the granular permission to the second app. So there will be two apps: the clients who are going to write programs against this will be using the second Azure AD app, and that Azure AD app will be allowed one or many site collections, and it can be read or write. So those are the two grant permissions you can provide. My demo will not be any UI or anything, just the PowerShell commands. In that PowerShell command, what I have to do is connect using Connect-PnPOnline with the first Azure AD app, which is the admin app, and after that I would call Grant-PnPAzureADAppSitePermission, and that will allow me to add a write or a read permission for the site to which it is applied. So if it is 200 sites, I would run the grant permission for write 200 times, and that particular Azure AD app will have access to only those 200 sites, not the entire tenant. That's the beauty of this particular permission.

Now I am going to share what I have here. On my demo tenant I already have an Azure AD app, which is the first app I talked about, called "admin app", and this admin app has the permission I mentioned in the slide deck: it has Sites.FullControl.All. So this is required, and this particular app will only be accessible by admins who will be providing access for Sites.Selected. I've used the best-practice way: basically I've created a certificate rather than a client secret. It was just a test, but I'm using the certificate, and using the certificate I will get an access token, and after getting the access token I will add a permission for a site on this particular tenant, a test site, to read a list or write into the library. Then the second app I have is the app which the client will use, the programmer, the developer will use. You do not want to share the admin app with them, but you share the client app with them, and that client app, as I said in the slide, will have the API permission for Sites.Selected. I have provided it for both SharePoint as well as Graph, because sometimes PnP uses the SharePoint API and sometimes it uses the Graph API, so I just gave them both, and this is what I would add.

Now let's assume that this is the app which we want to use to connect first, and I still have time for finishing my demo. So I am going to connect to this app, which basically gave me the connection, and then I am going to say, hey, get me the lists for this app. As you can see, having this app ID and secret, or your secret RSA or PFX file, doesn't automatically give you permission to that particular site; you cannot just immediately access that particular site. The admin has to do one more extra step, and that is where I am here, on the admin script. In the admin script I'm connecting using the admin app ID, and obviously I have a password, which is hidden somewhere down on the right side. What I'm going to do is run this and connect to the admin app. OK, after connecting to the admin app, I have some of the PnP PowerShell commands. I just did a Get-Command on it, and those commands are showing me Get, Grant, Revoke and Set. Obviously Grant is the POST call, Get is the list call, Revoke is the DELETE call and Set is the PUT call, or update call, from the Microsoft Graph point of view. If you see the documentation, that's what these particular PnP PowerShell commands do behind the scenes.

So what I'm going to do here: I just did the connection to the admin Azure AD app, and then I'm going to initialize some client variables. I did not do so, so let me initialize that, and now I'll say, hey, get me all the permissions for the site called test1 and for this particular client app ID. As you can see here I have none; I have not granted anything yet. So I'm going to say, hey, grant this permission, and when it is granting the permission it is giving the permission for read, as you can see here. Now if I go back to my client demo and connect to the client again, just because the context has switched on me, so now I'm connected; what happened here is I connected with the client ID, and now I will say, hey, get me all the lists within that particular site collection, and I do get that. But let's try adding something into it, and when I try to add, the granular permission is such that I just said it's only read permission, so this is access denied. If your customer or your developers want that write permission, what you would do is, again, I have to do this for demo purposes, connect with Connect-PnPOnline because my context switched. I probably have the same variables; I'll just apply them anyway, and I will say get this permission. When I get this permission I get this permission object, as you can see here. This is the permission object; it has a role which is not showing. I think it's a bug in PnP, or I don't know where it is, maybe it is in Graph, but this is the app which is having access now. Instead of granting the permission as read, I'm going to say, hey, now change it from read to write. That's what I'm going to run, and when I run that I do get that object again, and the role is showing me as write. Once that is done, I can go to the demo script again and say Connect-PnPOnline, and let's see that my get call works. That will work, because right now it does, and now we will try to write something into the list. When I write to the list, the list is called test1 and the site is also called test1, so I should have something in the list. That is what I just added, "seven seven"; yesterday I was testing something, so that is that.

Now, for some reason you want to have that particular permission taken away. The last thing I would do is just go into the admin app again and run this thing again. I will say get me the permission, I get the permission object, then I will say revoke this permission. So now, having the app ID and app secret for the client, for the developer, this is revoking the permission, right? So now we are back to square one, where we started.

But wait a minute: after all this demonstration, admins were saying there is too much work for them. If they want to do 2,000 sites, what happens then? So that's where I have written the blog posts, and you should be able to see my blog posts. In blog post one, I just demonstrated what I was just demonstrating; all the demo scripts are right here. Then my blog post two is where I have defined an architecture where you have a tracker. The tracker is tracking all your apps and what kind of sites you are giving permission to. There is a Logic App which is always listening to this particular tracker app. Once that particular Logic App determines what this particular user wants to do, whether you want to give read or write access, or grant or revoke, accordingly an Azure Function will do the job for that particular admin, and they can do so.

So now let's do the same thing I did, with that. I'm going to provide this particular list an item, saying, let me go and click the list: site name, so site URL; I'll provide the site URL and then the app ID, and this particular app ID is basically a lookup list, and I'm providing an app ID, and I'm saying I want to provide read access. Let's provide the write access right away, and I want to grant it for the first time. What happens here, behind the scenes, is the Logic App is working. This Logic App is going to pick it up every one minute; it will pick it up in a minute, and there is an Azure Function behind the scenes. I will show the code, and the code is also shared on my blog post; if you go to my blog post first, it is there. So what I'm going to do here is click on the logs so you will see what is happening here, and it should be running now in a minute. It takes 30 seconds or so. OK, come on. OK, there it is. So it started: what it did, "item added or modified" event, it picked up, and then what it does is it formulates the JSON input information for the Azure Function. What the Azure Function does, and this is similar, where it is, OK, there it is, so this is the JSON object it creates: whether you want to revoke, or whether you want a write or read operation, and which site URL, and what is the client ID that is passed, and that is passed through that particular list. If I go here, as you can see, this particular Azure Function ran when I was sharing the other screen, and it did the thing which I showed you in the PowerShell ISE. So live, we revoked that permission, if you remember, right? So what I did, I revoked the permission. Now let's see whether it has the write permission or not. So hopefully I'll go to the demo client and then I'll connect to the client. OK, I connect to the client and then I say, hey, let me see. So I'm back again and I am able to add this.

So the point I'm trying to make here is: now if I want to have more sites for this particular app ID, I can keep on adding them without writing this function, and on top of that, if I want to revoke a permission for a particular site for this particular app, all they have to do is click on it and just say revoke, and the function behind the scenes will revoke it, as well as delete the entry from here. So for example, if I have, let's say, 200 sites here and I just wanted to remove one site and revoke that permission for that particular site, I can do so, and that will be done in a minute. So let me refresh the screen again; let's go to run history again and refresh. So there is a timer for one minute, and the item modified event comes in, and it changes it. While that is doing, I am going to just walk through the Logic App here, which is very simple. I'm just checking whether I need to do a grant or revoke, or I need to do read or write; accordingly I will formulate a JSON object. So I'm just doing that, I'm checking, and after checking that, in the body function I create an action, whether it is a read, sorry, grant or revoke. The client app ID is already passed to me in the item itself, the display name of the app is also passed to me, and then read or write is passed to me, and the site URL is also passed to me. I have one more minute, I think, and I think that particular thing should be revoked now. So if I go back here, as you can see, this permission is now revoked. So if I go back to the function app, and now I click on it and then I say get me the lists, it will say 403. So that is what revoked.

And the last point: the engine is very simple, very simple. It just does the if condition: it's just the path of revoke and grant, and if it is already granted, if it is read, then do the write if the user has asked for write, and things like that. It's very simple code, but that's pretty much it from my side. Back to you, David.

David: Awesome, thank you, Pankaj, that's really, really innovative, the way you set that up.
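The admin-side procedure described in the talk (connect with the Sites.FullControl.All app, then grant, update or revoke a Sites.Selected permission for the client app on each site, repeated across a list of sites) as an added PnP PowerShell example. This is not the speaker's demo script or the tracker function from the blog posts; it uses the PnP.PowerShell cmdlets the talk names. The tenant name, both app IDs, the certificate path, the site URLs and the display name are placeholder assumptions, and the site list is constructed here in place of the tracker list.

```powershell
#Requires -Modules PnP.PowerShell
# Added example, not the speaker's script. All values below are assumptions.

$TenantName    = "contoso.onmicrosoft.com"                 # assumed tenant
$AdminAppId    = "00000000-0000-0000-0000-00000000aaaa"    # assumed app with Sites.FullControl.All
$ClientAppId   = "00000000-0000-0000-0000-00000000bbbb"    # assumed app with Sites.Selected only
$ClientAppName = "Contoso Headless Client"                 # display name recorded on the grant
$CertPath      = ".\admin-app.pfx"                         # assumed certificate for the admin app
$CertPassword  = Read-Host -AsSecureString -Prompt "PFX password"

# Constructed stand-in for the tracker list: one row per site, with the role the client app should have.
$Grants = @(
    @{ Url = "https://contoso.sharepoint.com/sites/test1"; Role = "Write" },
    @{ Url = "https://contoso.sharepoint.com/sites/test2"; Role = "Read"  }
)

function Connect-AdminApp {
    param([Parameter(Mandatory)][string]$SiteUrl)
    # Every permission call runs in the admin app's context; the client app never needs these rights.
    Connect-PnPOnline -Url $SiteUrl -ClientId $AdminAppId -Tenant $TenantName `
        -CertificatePath $CertPath -CertificatePassword $CertPassword
}

function Set-ClientAppSiteRole {
    # Idempotent grant-or-update: Grant if no permission exists for the app,
    # Set if one exists with a different role, nothing if it already matches.
    param(
        [Parameter(Mandatory)][string]$SiteUrl,
        [Parameter(Mandatory)][ValidateSet("Read", "Write")][string]$Role
    )
    Connect-AdminApp -SiteUrl $SiteUrl

    # Graph: GET /sites/{siteId}/permissions, filtered to this app id.
    $existing = Get-PnPAzureADAppSitePermission -AppIdentity $ClientAppId -ErrorAction SilentlyContinue

    if (-not $existing) {
        # Graph: POST /sites/{siteId}/permissions
        Grant-PnPAzureADAppSitePermission -AppId $ClientAppId -DisplayName $ClientAppName -Permissions $Role | Out-Null
        return "granted $Role"
    }

    # Roles comes back lower-cased ("read"/"write"). If it comes back empty, as the talk observed,
    # this comparison fails and Set runs, which is harmless because it re-asserts the desired role.
    $current = @($existing.Roles | ForEach-Object { "$_".ToLowerInvariant() })
    if ($current -notcontains $Role.ToLowerInvariant()) {
        # Graph: PATCH /sites/{siteId}/permissions/{permissionId} (the update call)
        Set-PnPAzureADAppSitePermission -PermissionId $existing.Id -Permissions $Role | Out-Null
        return "changed to $Role"
    }
    return "already $Role"
}

function Revoke-ClientAppSiteRole {
    # Remove every permission entry this app holds on the site. Graph: DELETE /sites/{siteId}/permissions/{id}
    param([Parameter(Mandatory)][string]$SiteUrl)
    Connect-AdminApp -SiteUrl $SiteUrl
    $existing = Get-PnPAzureADAppSitePermission -AppIdentity $ClientAppId -ErrorAction SilentlyContinue
    if (-not $existing) { return "nothing to revoke" }
    foreach ($p in @($existing)) {
        Revoke-PnPAzureADAppSitePermission -PermissionId $p.Id -Force
    }
    return "revoked"
}

function Test-ClientAppAccess {
    # Check from the client app's side: with Sites.Selected and no grant, Get-PnPList fails (403).
    param([Parameter(Mandatory)][string]$SiteUrl)
    try {
        Connect-PnPOnline -Url $SiteUrl -ClientId $ClientAppId -Tenant $TenantName `
            -CertificatePath ".\client-app.pfx" -CertificatePassword $CertPassword   # assumed client cert
        $null = Get-PnPList
        return "access"
    }
    catch {
        return "denied: $($_.Exception.Message)"
    }
}

# Reconcile the whole list, the way the tracker/Logic App/Function in the talk does per item.
foreach ($g in $Grants) {
    "{0}: {1}" -f $g.Url, (Set-ClientAppSiteRole -SiteUrl $g.Url -Role $g.Role)
}

# Example teardown for a single site, then verify from the client side.
Revoke-ClientAppSiteRole -SiteUrl $Grants[0].Url
Test-ClientAppAccess     -SiteUrl $Grants[0].Url
```

Two points a practitioner should keep in mind. The admin app is the sensitive piece: Sites.FullControl.All lets it grant or take any site, so it belongs behind a certificate (as the talk does), with the private key held only by the people or automation allowed to approve grants, and the client app should never be given that permission itself. Second, Sites.Selected alone grants nothing; a fresh client app gets 403 until an admin creates a permission entry, and revoking that entry is immediate, so the Get/Grant/Set/Revoke calls above are the full audit surface for which sites a headless app can reach.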
Info
Channel: Microsoft Community Learning
Views: 8,698
Keywords: SharePoint, PnP, Dev, community, open-source, Microsoft, Teams, Microsoft Graph
Id: pPfxHvugnTA
Length: 18min 29sec (1109 seconds)
Published: Wed Aug 03 2022