Grant Identities permission only to a Particular sharepoint drive/document library and not at the site level

Question

I am handling SharePoint granular permission using the sites.Selected the scope option and granted the application access/role via graph API permission. It is working fine, If the app needs to work with all the available Lists/Drives with the site.

For ex. https://graph.microsoft.com/v1.0/sites/{site-Id}/Permissions and passing the below payload.

{
    "roles": [
        "write"
    ],
    "grantedToIdentitiesV2": [
        {
            "application": {
                "id": << App Id >>
                "displayName": "TestDaemonGraphAPI"
            }
        }
    ]
}

However, I have a couple of drive/document libraries where the access needs to be restricted for the App. Since I am setting permission at the site level, it allows access to all the drives.

How can we allow access at only Drive/library level using graph api?

Update: I've tried granting permission at the Drive level, it was failing. Error Detail

kavyaS · Answer 1 · 2023-02-24T14:02:14.430

As you can restrict which Site collections or drives can be accessed, first give Sites.Seletced permissions which restricts for only sites as you have already set.

Get all the ID of drive and select the Drive Id of the drives or document library that you want to restrict access to:

GET https://graph.microsoft.com/v1.0/sites/{site-id}/drives

Then create a role specific to drive , and select only app that can have access to

POST https://graph.microsoft.com/v1.0/drives/{drive-id}/permissions

{
    "roles": ["write"],
    "grantedToIdentitiesV2": [
        {
            "application": {
                "id": "{appid}"
            }
        }
    ]
}

And then delete the site permissions

DELETE https://graph.microsoft.com/v1.0/sites/{site-id}/permissions/{permission-id}

Check if this will restrict access to only that particular drive. I couldn't check this as I can't access as office365 license is needed.

Reference:

Controlling app access on a specific SharePoint site collections is now available in Microsoft Graph - Microsoft 365 Developer Blog

or

You can check this way of breaking permissions with unique permissions by inviting only few users Customize permissions for a SharePoint list or library - Microsoft Support

I've tried this earlier. I am getting the below error while setting permission at the drive level. POST https://graph.microsoft.com/v1.0/drives/{drive-id}/permissions "error": { "code": "BadRequest", "message": "Resource not found for the segment 'permissions'.", "innerError": { "date": "2023-02-24T16:40:28", "request-id": "89b36721-e774-4310-8303-85f8bc06481c", "client-request-id": "8608f3eb-bf53-da65-f114-0e4c64de89b0" } } } — Ramesh Chinnappan, Feb 24 '23 at 16:45
okay,Have you got to check [this](https://support.microsoft.com/en-us/office/customize-permissions-for-a-sharepoint-list-or-library-02d770f3-59eb-4910-a608-5f84cc297782) — kavyaS, Feb 27 '23 at 03:55
Thanks, Kavya. Let me verify whether this works with the Managed identity/app Id — Ramesh Chinnappan, Mar 01 '23 at 17:34

Grant Identities permission only to a Particular sharepoint drive/document library and not at the site level

1 Answers1