
I have followed a tutorial to set up a SharePoint REST API: Link to the tutorial

With my generated client I am trying to get a list's items and post new items to an existing list. It is working flawlessly from Postman; however, I realised I have access to every SharePoint site in my tenant. After I registered a client on the appregnew.aspx page, I granted Right="FullControl" access on appinv.aspx in the permission XML box. I am pretty sure this is the problem and somehow I have to write a proper script here to grant access only to a specific site's list. The first thing I don't understand is why I am generating the client on appregnew for a specific site if in reality it is not generated only for that specific site. Secondly, I have not found any tutorial for the permission XML for specific restrictions, only this:

Full Control - Has full control - User can make any call under end point "_api/web"

Edit - Can add, edit and delete lists; can view, add, update and delete list items and documents. - User Can do any operation on list and list items and end point would be "_api/web/Lists"

Read - Can view pages and list items and download documents. - User can do Get operations on list items and end point would be "_api/web/Lists/getByTitle('')/Item

I tried Edit/Write in the permission XML but I still have access to every site in my tenant.

Can you please help me with a sample XML restricting access to a specific site and that site's list.

user3551399

1 Answer


So you're using the legacy SharePoint Add-In system :) So do I, but a new system has been created. I will first answer your questions, then talk about the new system.

The appregnew.aspx page actually creates a new Azure AD Application (equivalent to a new App Registration in the AAD Portal), so the page where you create your app clearly doesn't matter. It automatically creates a secret that will expire after one year (I think it's one, it may be two, but it will expire). This app exists outside of SharePoint, and for now still doesn't have any rights.

The appinv.aspx page allows you to authorize an AAD Application (created through appregnew.aspx, but not necessarily) on the site you're on, given the specific XML you input. So if you go to your central administration, it will authorize on the whole tenant. If you go to a specific site, it will authorize only on this site. If you change the XML, you may give rights only on a specific list.

Page for authorization on tenant: https://<tenant>-admin.sharepoint.com/_layouts/15/appinv.aspx

Page for authorization on a site: https://<tenant>.sharepoint.com/sites/<site>/_layouts/15/appinv.aspx

The most wonderful site to always have when you want to know which XML to give: https://medium.com/ng-sp/sharepoint-add-in-permission-xml-cheat-sheet-64b87d8d7600

For a library on a site in read-only (never replace the generic URLs in the XML):

<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Read" />
</AppPermissionRequests>

Now this whole system is actually quite obsolete, and has been for a long time. The reason it is used is that this was the only way for an application to leverage the SharePoint REST APIs without giving authorization on the whole tenant, as authorizing an AAD Application in the AAD Portal only allowed rights like Sites.Read.All, Sites.FullControl.All, ... (keep in mind we're talking about Application Only rights, not Delegated).

Moreover, this system only works with Client Secret authentication, while the official one only works with Client Certificate authentication (still talking about Application Only rights).

However, a new right has become available in the portal: Sites.Selected. It actually allows you to select which sites to authorize your application on, giving about the same functionality as the legacy system. However, to select the sites or the rights to give, you have to use the Microsoft Graph API. I have not yet used it myself, so you will have to go through the official Microsoft documentation to try and use that. Keep in mind you will have to authenticate using a certificate, though.

Gostron
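Added example for this thread (written by the editor, not code from either post): a small Python module that builds and audits the two kinds of grant the answer describes. For the legacy Add-In model it emits the AppPermissionRequests XML with the generic scope URIs (the binding to a site comes from which appinv.aspx page you submit on, which the XML itself cannot record), and it flags the FullControl request the asker made. For Sites.Selected it assembles the Graph request POST /sites/{site-id}/permissions with roles read or write, granted to an application id, and the GET /sites/{hostname}:/{path} lookup for the site id. Assumptions: the granting identity holds a Graph token with Sites.FullControl.All; the app id, site id and display name "ListSync" are placeholders; nothing here talks to the network, so you add the token and HTTP call yourself.

```python
"""Least-privilege grants for a SharePoint app: legacy Add-In XML and Sites.Selected.

Added example for the answer above, not code from the original post. The legacy
Scope URIs below are fixed identifiers of the Add-In model; never replace them
with your own site or list URL. All ids and names are placeholders.
"""
import xml.etree.ElementTree as ET

# Legacy scope URIs, narrowest first, and rights, weakest first.
SCOPE_RANK = {
    "http://sharepoint/content/sitecollection/web/list": 0,
    "http://sharepoint/content/sitecollection/web": 1,
    "http://sharepoint/content/sitecollection": 2,
    "http://sharepoint/content/tenant": 3,
}
RIGHT_RANK = {"Read": 0, "Write": 1, "Manage": 2, "FullControl": 3}
WEB_SCOPE = "http://sharepoint/content/sitecollection/web"


def build_permission_xml(scope, right, app_only=True):
    """Return the AppPermissionRequests XML for one scope/right pair.

    app_only=True emits AllowAppOnlyPolicy="true", which client-credential
    callers (Postman with client id + secret, daemons) need to get a token.
    """
    if scope not in SCOPE_RANK:
        raise ValueError(f"unknown scope URI: {scope}")
    if right not in RIGHT_RANK:
        raise ValueError(f"unknown right: {right}")
    root = ET.Element("AppPermissionRequests")
    if app_only:
        root.set("AllowAppOnlyPolicy", "true")
    ET.SubElement(root, "AppPermissionRequest", Scope=scope, Right=right)
    return ET.tostring(root, encoding="unicode")


def parse_permission_xml(xml_text):
    """Return {'app_only': bool, 'requests': [(scope, right), ...]}."""
    root = ET.fromstring(xml_text)
    if root.tag != "AppPermissionRequests":
        raise ValueError("root element must be AppPermissionRequests")
    return {
        "app_only": root.get("AllowAppOnlyPolicy", "false").lower() == "true",
        "requests": [(r.get("Scope", ""), r.get("Right", ""))
                     for r in root.findall("AppPermissionRequest")],
    }


def audit_permission_xml(xml_text):
    """List the ways a permission XML exceeds one web's worth of access.

    The XML cannot tell you whether it was pasted into the tenant admin
    appinv.aspx (tenant-wide grant) or a single site's appinv.aspx, so check
    that separately; this only reports what the document itself reveals.
    """
    parsed = parse_permission_xml(xml_text)
    findings = []
    if parsed["app_only"]:
        findings.append("AllowAppOnlyPolicy: grant is usable with no user context")
    for scope, right in parsed["requests"]:
        if scope not in SCOPE_RANK:
            findings.append(f"unknown scope URI {scope!r}")
        elif SCOPE_RANK[scope] > SCOPE_RANK[WEB_SCOPE]:
            findings.append(f"scope {scope} is broader than a single web")
        if right not in RIGHT_RANK:
            findings.append(f"unknown right {right!r}")
        elif right == "FullControl":
            findings.append(f"FullControl on {scope}: prefer Read, Write or Manage")
    return findings


# ---- Sites.Selected via Microsoft Graph -----------------------------------
GRAPH = "https://graph.microsoft.com/v1.0"
SITES_SELECTED_ROLES = {"read", "write"}  # least-privilege roles for a site grant


def site_lookup_url(hostname, server_relative_path):
    """GET this URL with a Graph token to obtain the site id of a site URL."""
    return f"{GRAPH}/sites/{hostname}:{server_relative_path}"


def sites_selected_grant(site_id, app_id, display_name, roles):
    """Return (url, body) for POST /sites/{site-id}/permissions.

    The caller (an admin) needs a token with Sites.FullControl.All; app_id is
    the target app registration's application (client) id. Repeat per site:
    an app holding Sites.Selected sees only the sites granted this way.
    """
    roles = sorted(set(roles))
    unsupported = [r for r in roles if r not in SITES_SELECTED_ROLES]
    if unsupported:
        raise ValueError(f"unsupported Sites.Selected roles: {unsupported}")
    body = {
        "roles": roles,
        "grantedToIdentities": [
            {"application": {"id": app_id, "displayName": display_name}}
        ],
    }
    return f"{GRAPH}/sites/{site_id}/permissions", body


if __name__ == "__main__":
    # Constructed sample mirroring the asker's FullControl request.
    print("asker's XML:", audit_permission_xml(build_permission_xml(WEB_SCOPE, "FullControl")))
    print(build_permission_xml("http://sharepoint/content/sitecollection/web/list", "Read"))
    print(site_lookup_url("contoso.sharepoint.com", "/sites/marketing"))
    print(*sites_selected_grant("<site-id>", "<app-id>", "ListSync", ["read"]))
```

Run the module directly to see the audit of a FullControl request, the read-only list-scoped XML from the answer, and the two Graph requests; wire the returned URL and body into your HTTP client of choice with a bearer token to perform the real grant. Granting read instead of write, and one site at a time, is what keeps Postman from reaching every site in the tenant.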