UseRemoteAPIs functionality change in Microsoft SharePoint
Today, we are announcing the removal of consideration for the UseRemoteAPIs permission within SharePoint Online. Meaning that while the setting remains in the UX for a short time, it will no longer be used as part of the authorization flow for API calls made to CSOM and classic REST APIs.
Within SharePoint you can build permission levels through combining permissions, including the ability to modify existing service permissions. Within this system, the permission listed in the UX as “Use Remote Interfaces - Use SOAP, Web DAV, the Client Object Model or SharePoint Designer interfaces to access the Web site” was originally intended to prevent anonymous users in public SharePoint internet sites from accessing the APIs.
As the service evolved, this original meaning has been lost. Today the setting provides no additional protection as other APIs such as Microsoft Graph do not account for it leaving content accessible despite this setting’s state.
Taking this step allows us to simplify and improve the consistency of both the developer and administrator experiences.
- Visit our Microsoft 365 Dev Center.
- Follow us on Microsoft 365 Developer (@Microsoft365Dev) / Twitter for the latest news and announcements.