{"id":18597,"date":"2024-02-09T08:00:45","date_gmt":"2024-02-09T16:00:45","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/?p=18597"},"modified":"2024-02-09T06:28:59","modified_gmt":"2024-02-09T14:28:59","slug":"sharepoint-now-supports-delegated-sites-selected-authentication","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/sharepoint-now-supports-delegated-sites-selected-authentication\/","title":{"rendered":"SharePoint now supports delegated Sites.Selected authentication"},"content":{"rendered":"<p>In 2021, <a href=\"https:\/\/devblogs.microsoft.com\/microsoft365dev\/controlling-app-access-on-specific-sharepoint-site-collections\/\">we introduced the Sites.Selected scope<\/a> and capabilities allowing an application\u2019s access to be limited to specific site collections. This came with the limitation that it only applied to application-only authentication scenarios. This was a critical first step, and today we are excited to introduce support for delegated Sites.Selected scenarios.<\/p>\n<p>This increases trust in applications, as they cannot exceed the user\u2019s existing abilities. As with other delegated scopes, the effective permissions are the intersection of the application\u2019s permissions and the user\u2019s permissions. Increasing the ability of admins to control application access to specific site collections and to require user presence\/access is another step in the trust journey crucial to our partner ecosystem.<\/p>\n<h2>Assignment<\/h2>\n<p>In scenarios where an application is consented to the delegated Sites.Selected scope, the \u201cselecting\u201d of sites remains the same. 
You send a POST request to the given site\u2019s <a href=\"https:\/\/learn.microsoft.com\/en-us\/graph\/api\/site-post-permissions?view=graph-rest-1.0&amp;tabs=http\"><em>\/permissions<\/em> endpoint<\/a> indicating the app id and the role to assign.<\/p>\n<pre class=\"prettyprint language-ts\"><code class=\"language-ts\">POST https:\/\/graph.microsoft.com\/v1.0\/sites\/{siteId}\/permissions\r\nContent-Type: application\/json\r\n\r\n{\r\n  \"roles\": [\"write\"],\r\n  \"grantedToIdentities\": [{\r\n    \"application\": {\r\n      \"id\": \"89ea5c94-7736-4e25-95ad-3fa95f62b66e\",\r\n      \"displayName\": \"Foo App\"\r\n    }\r\n  }]\r\n}\r\n<\/code><\/pre>\n<p>The available roles are:<\/p>\n<table>\n<tbody>\n<tr>\n<td>Role Name<\/td>\n<td>Meaning<\/td>\n<\/tr>\n<tr>\n<td>read<\/td>\n<td>Read-only<\/td>\n<\/tr>\n<tr>\n<td>write<\/td>\n<td>Adds Write and related bits<\/td>\n<\/tr>\n<tr>\n<td>manage<\/td>\n<td>Adds Manage Lists \/ Designer and related bits<\/td>\n<\/tr>\n<tr>\n<td>fullcontrol<\/td>\n<td>All permissions<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>How do the two scopes interact?<\/h2>\n<p>Given that there is now both a delegated and an application-only Sites.Selected scope, what happens if an application is consented to both? The answer is that they both work. There is no distinction made when the application is assigned through the <em>\/permissions<\/em> endpoint \u2013 you still assign only the application id and role. The distinction is made by the application when the token is requested \u2013 that determines whether the token is application-only or delegated. 
When the call is made, the permissions are evaluated as either application-only or delegated, and, assuming the request is authorized, it goes through.<\/p>\n<p>If you want to ensure a user is always present when an application accesses a site, consent only to the delegated option for Sites.Selected; this blocks application-only calls.<\/p>\n<p>Find more information in the <a href=\"https:\/\/learn.microsoft.com\/en-us\/sharepoint\/dev\/\">SharePoint Developer documentation<\/a>.<\/p>\n<p><em>Follow us on\u00a0<a href=\"http:\/\/twitter.com\/microsoft365dev\" target=\"_blank\" rel=\"noopener\">X (Twitter) \/ @Microsoft365Dev<\/a>\u00a0and subscribe to our\u00a0<a href=\"https:\/\/www.youtube.com\/microsoft365developer\" target=\"_blank\" rel=\"noopener\">YouTube channel<\/a>\u00a0to stay up to date on the latest developer news and announcements.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Today, we are excited to introduce support for delegated Sites.Selected scenarios.<\/p>\n","protected":false},"author":128874,"featured_media":18604,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[166],"tags":[162],"class_list":["post-18597","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-sharepoint","tag-sharepoint"],"acf":[],"blog_post_summary":"<p>Today, we are excited to introduce support for delegated Sites.Selected 
scenarios.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/posts\/18597","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/users\/128874"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/comments?post=18597"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/posts\/18597\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/media\/18604"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/media?parent=18597"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/categories?post=18597"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/tags?post=18597"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}