Setting up Storage At Home

Modified on Thu, 20 Mar at 10:32 AM

Abstract

This document shows how to add an application registration in your Microsoft Entra tenant for use with Storage at Home.


Storage at home

If you enable Storage at Home, every upload or download in Ilap Data Exchange leaves a compressed ilap file in a folder named "Ilap Data Exchange" on the SharePoint site that you chose.

Requirements:

  1. An app registration exists within your Azure tenant that the Desktop Client uses to access SharePoint on behalf of the end user
  2. The app registration must support public clients with a sign-in redirect URI of http://localhost
  3. The end user needs permission to access the SharePoint site you register
  4. In https://ilap.collabor8.no/tenant-admin/tenant you need to register:
    • Client Id of the app registration from (1)
    • Tenant Id for your organization (also shown on the app registration from (1))
    • Url of the SharePoint site you want to use as Storage at Home


Simple step by step guide

Create the app registration, choose "Public client/native..." as the type and register http://localhost as the redirect URI.




Add delegated permissions for the application and grant admin consent if required, so that you end up with the permissions shown below.



Use https://ilap.collabor8.no/tenant-admin/tenant to edit your tenant. Click the edit icon to the right of your tenant's name and choose "Sharepoint" as the "Storage at home option".



Enter the following values:

  Name                  Value
  Sharepoint client Id  Client Id of the app registration you created
  SharePoint TenantId   Azure Tenant Id for your organization
  Url                   Url of the SharePoint site that you want to use for Storage At Home

Then click "Save Changes".



You have now enabled Storage At Home. Every transfer will leave a zipped ilap file on the site, as shown in the example below:

Detailed explanation of the required permissions

Delegated permissions

The Desktop Client for Ilap Data Exchange requires delegated permissions for Storage at Home.

Delegated permissions in Microsoft Entra ID (Azure AD) allow an application to act on behalf of a signed-in user when calling Microsoft Graph or other APIs.


Key Characteristics:

  • Require user authentication (i.e., a user must sign in).
  • The app's access is limited to the permissions the user already has.
  • Used in interactive applications (e.g., web apps, mobile apps).
  • Permission levels are granted by an admin or approved by the user.


Minimal Permissions for Writing Files and Creating Folders in SharePoint

To allow an Azure App Registration to write files and create folders in a SharePoint site using delegated permissions, grant the least privilege that still lets the client function.


Minimal Required Delegated Permissions

In Microsoft Graph API, the following delegated permissions are required:

  1. Files.ReadWrite – Allows the app to read and write files the signed-in user has access to.
  2. Sites.ReadWrite.All – Allows the app to read and write all SharePoint site content the signed-in user has access to.


Why These Permissions?

  • Files.ReadWrite ensures the app can create, modify, and delete files within libraries the user has access to.
  • Sites.ReadWrite.All is needed to ensure the app can create folders in any SharePoint document library.


Alternatives (More Restrictive)

If you want to limit access to a specific SharePoint site, instead of Sites.ReadWrite.All you can use:

  • Sites.Selected (requires additional admin setup via Microsoft Graph API to assign the app to a specific SharePoint site).

Steps to Assign Permissions

  1. Go to Azure Portal → Azure Active Directory.
  2. Select "App registrations" → Choose or create your app.
  3. Go to "API Permissions" → Click "Add a permission".
  4. Select Microsoft Graph → Delegated permissions.
  5. Search and select:
    Files.ReadWrite
    Sites.ReadWrite.All (or Sites.Selected for limited site access).
  6. Click "Add permissions".
  7. Click "Grant admin consent" if required.

Additional Considerations

  • Ensure that the signed-in user has the required SharePoint permissions.
  • If the app should only work on specific sites, prefer Sites.Selected and grant access via Microsoft Graph API.


Using Sites.Selected for Specific SharePoint Sites (Delegated Permissions)

To enable an Azure App Registration to write files and create folders in specific SharePoint sites using delegated permissions, you can utilize the Sites.Selected permission. This approach allows you to grant the app access only to designated sites, adhering to the principle of least privilege.


Overview of Sites.Selected Permission

The Sites.Selected permission lets administrators restrict an application's access to specific SharePoint site collections. It was initially designed for application permissions; as of February 2024, SharePoint also supports Sites.Selected as a delegated permission. With it, an application can access specific site collections with the minimal intersection of application and user permissions. Microsoft Docs - Selected Permissions Overview


Steps to Implement Sites.Selected with Delegated Permissions

  1. Register Your Application in Azure Active Directory (AAD)
    • Navigate to the Azure portal and register a new application or select an existing one.
    • Note the Application (client) ID for later use.
  2. Assign the Sites.Selected Permission
    • In your application's API permissions section, add the Sites.Selected permission under Delegated permissions.
    • Grant admin consent for the permission.
  3. Grant the Application Access to Specific SharePoint Sites
    • Use the Microsoft Graph API to assign the necessary permissions to your application for each target site.

      Example request to grant write access:

      POST https://graph.microsoft.com/v1.0/sites/{site-id}/permissions
      Content-Type: application/json
      
      {
        "roles": ["write"],
        "grantedToIdentities": [
          {
            "application": {
              "id": "your-app-id",
              "displayName": "Your App Name"
            }
          }
        ]
      }
      Replace {site-id} with the ID of your SharePoint site and your-app-id with your application's client ID.


  4. Ensure User Permissions
    • The signed-in user must have sufficient permission on the SharePoint site to perform the desired actions.
    • The application's access is constrained by the intersection of its granted permissions and the user's permissions.
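The following script is an added example and is not part of the Ilap article or product: it resolves a site-id from the SharePoint site URL, posts the 'write' grant from step 3, and re-reads the site's permissions so you can verify the app received only 'write' (step 4's intersection rule still applies on top of that). It assumes an access token obtained separately; the caller of POST /sites/{site-id}/permissions needs Sites.FullControl.All, and the names below (site_resource_from_url, build_write_grant, roles_granted_to_app, grant_site_write) are this example's own.

```python
"""Added example (not from the article): grant and audit a Sites.Selected 'write'
grant on one SharePoint site through Microsoft Graph. Assumes a bearer token
obtained elsewhere; the granting caller needs Sites.FullControl.All."""
import json
import urllib.request
from urllib.parse import urlparse

GRAPH = "https://graph.microsoft.com/v1.0"

def site_resource_from_url(site_url: str) -> str:
    """Turn a SharePoint site URL into Graph's 'hostname:/path:' site address,
    so GET /sites/{address} resolves the site-id the grant request needs."""
    u = urlparse(site_url)
    if u.scheme != "https" or not u.netloc:
        raise ValueError("site URL must be an absolute https URL")
    path = u.path.rstrip("/")
    return f"{u.netloc}:{path}:" if path else u.netloc

def build_write_grant(app_id: str, display_name: str) -> dict:
    """Body for POST /sites/{site-id}/permissions: 'write' only, one app."""
    return {"roles": ["write"],
            "grantedToIdentities": [{"application": {"id": app_id, "displayName": display_name}}]}

def roles_granted_to_app(permissions_response: dict, app_id: str) -> set:
    """Audit helper: the roles a GET /sites/{site-id}/permissions response grants
    to the given application id (empty set if the app has no grant)."""
    roles = set()
    for perm in permissions_response.get("value", []):
        idents = perm.get("grantedToIdentities", []) + perm.get("grantedToIdentitiesV2", [])
        if any((i.get("application") or {}).get("id") == app_id for i in idents):
            roles.update(perm.get("roles", []))
    return roles

# Constructed sample of a permissions listing, for offline testing of the audit.
SAMPLE_PERMISSIONS = {"value": [
    {"roles": ["write"], "grantedToIdentities": [{"application": {"id": "app-a", "displayName": "A"}}]},
    {"roles": ["read"], "grantedToIdentities": [{"application": {"id": "app-b", "displayName": "B"}}]},
]}

def _graph(token: str, method: str, path: str, body=None) -> dict:
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(GRAPH + path, data=data, method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def grant_site_write(token: str, site_url: str, app_id: str, display_name: str) -> set:
    """Resolve the site, post the grant, then return the roles the app now holds
    so the caller can confirm it is exactly {'write'} and nothing broader."""
    site_id = _graph(token, "GET", f"/sites/{site_resource_from_url(site_url)}")["id"]
    _graph(token, "POST", f"/sites/{site_id}/permissions", build_write_grant(app_id, display_name))
    return roles_granted_to_app(_graph(token, "GET", f"/sites/{site_id}/permissions"), app_id)
```

Run the audit (roles_granted_to_app) periodically against each Storage at Home site to catch grants that have drifted beyond 'write' or that belong to apps no longer in use.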

By following these steps, you configure your Azure App Registration with delegated permissions that allow writing files and creating folders in specific SharePoint sites only, keeping its access minimal and controlled.
