Minor improvements to SharePoint Embedded auth page (#10847)
* SPE auth: fix note around app access OBO users
* SPE auth: recommend confidential client applications to stay in control
* SPE auth: remove note to delete FSCTR.Selected from manifest
* docs(spe): update auth article
- address acrolinx findings
- revert `ms.date` to original publication date; rendering engine
shows last modified date dynamically from git history
* Fix typo in auth.md regarding client applications
---------
Co-authored-by: Andrew Connell <me@andrewconnell.com>
docs/embedded/development/auth.md: 6 additions & 9 deletions
@@ -1,7 +1,7 @@
1
1
---
2
2
title: SharePoint Embedded Authentication and Authorization
3
3
description: This article describes the authentication and authorization model for SharePoint Embedded applications.
4
-
ms.date: 02/04/2026
4
+
ms.date: 11/21/2023
5
5
ms.localizationpriority: high
6
6
---
7
7
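Review bot: reverting `ms.date` from 02/04/2026 to 11/21/2023 is justified only in the commit message (the rendering engine shows the last-modified date from git history, so `ms.date` should stay at the original publication date). Nothing in the frontmatter records that convention, so the next contributor touching this file is likely to bump the date again. Consider a YAML comment beside the field, or a note in the contributing guide, stating that `ms.date` is the original publication date and is not updated on edits.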
@@ -15,7 +15,7 @@ Here are some key principles of SharePoint Embedded authentication and authoriza
15
15
16
16
- Applications interact with SharePoint Embedded via Microsoft Graph.
17
17
- Applications need container type application permissions to access containers of that container type.
18
-
- Applications can only access containers that the user is a member of when using access on behalf of a user.
18
+
- Applications can only access content that the user has access to when using access on behalf of a user.
19
19
- Applications can access all containers enabled by their container type application permissions when using access without a user.
20
20
- Applications use access on behalf of users whenever possible to enhance security and accountability.
21
21
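Review bot: the rewritten line 18 is circular ("only access content that the user has access to when using access on behalf of a user"). The substantive change, that on-behalf-of access is bounded by the user's effective permissions on content rather than by container membership, is right, but phrase it as a rule, for example: "When acting on behalf of a user, an application can access only the content that user can already access." Together with the unchanged line 17 (container type application permissions are still required), this makes the intersection of app permission and user permission clear to the reader.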
@@ -48,7 +48,9 @@ SharePoint Embedded operations [on behalf of a user](/graph/auth-v2-user) suppor
48
48
-**[FileStorageContainer.Manage.All](/graph/permissions-reference#filestoragecontainermanageall)** to allow an application to utilize administration capabilities on all containers of all governable container types within the consuming tenant on behalf of an administrator user. The administration capabilities include the ability to enumerate, delete, restore, purge, and update containers, and manage their permissions.
49
49
50
50
> [!IMPORTANT]
51
-
> Using SharePoint Embedded on behalf of a user is the recommended approach. This type of access enhances the security of your application. It also improves the auditability of actions performed by your application.
51
+
>
52
+
> - Using SharePoint Embedded on behalf of a user is the recommended approach. This type of access enhances the security of your application. It also improves the auditability of actions performed by your application.
53
+
> - Using a confidential client application is the recommended approach to ensure your application remains in control of actions taken on behalf of a user. A public client application may expose user tokens to the end user, which may lead to actions being taken outside of your application's control. See [Public client and confidential client applications](/entra/identity-platform/msal-client-applications) to learn more.
52
54
53
55
#### Access without a user
54
56
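Review bot: the new second bullet states the risk imprecisely: "may expose user tokens to the end user" reads as though the token belongs to someone other than the user. The concern with a public client is that it cannot hold a secret, so the access token issued for the application's client ID and delegated scopes is available to the end user, who can call Microsoft Graph directly with the application's permissions and bypass whatever validation the application performs server-side. Suggest rewording along those lines, e.g. "With a public client, the end user can obtain the access token issued to your application and call Microsoft Graph directly, bypassing your application's business logic; use a confidential client so that tokens stay server-side." The added `>` spacer line is correct for the alert syntax, and the link to the MSAL client-applications article is a good anchor for the reasoning.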
@@ -194,7 +196,7 @@ The common [Office experience](./content-experiences/office-experience.md) inclu
194
196
195
197
The **[FileStorageContainer.Manage.All](/graph/permissions-reference#filestoragecontainermanageall)** permission requires the signed-in user to be a SharePoint Embedded Administrator or Global Administrator.
196
198
197
-
If the user is not an administrator, **[FileStorageContainer.Manage.All](/graph/permissions-reference#filestoragecontainermanageall)**does not grant the application any permissions:
199
+
If the user isn't an administrator, **[FileStorageContainer.Manage.All](/graph/permissions-reference#filestoragecontainermanageall)**doesn't grant the application any permissions:
198
200
- If only **[FileStorageContainer.Manage.All](/graph/permissions-reference#filestoragecontainermanageall)** is granted, the application will get an access denied error when trying to access the container on behalf of the non-admin user.
199
201
- If both **[FileStorageContainer.Manage.All](/graph/permissions-reference#filestoragecontainermanageall)** and **[FileStorageContainer.Selected](/graph/permissions-reference#filestoragecontainerselected)** are granted, **[FileStorageContainer.Manage.All](/graph/permissions-reference#filestoragecontainermanageall)** will be ignored.
200
202
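Review bot: the edited line 199 carries over a pre-existing rendering bug: there is no space between the closing `**` of the bold link and the next word, so it renders as `...filestoragecontainermanageall)**doesn't grant`. Since the line is already being touched for the contraction, add the space: `**[FileStorageContainer.Manage.All](/graph/permissions-reference#filestoragecontainermanageall)** doesn't grant the application any permissions:`.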
@@ -237,9 +239,4 @@ Here are some actions you can take next:
237
239
238
240
1.[Grant admin consent](/entra/identity-platform/v2-admin-consent) to your application on a _consuming_ tenant (which can be the same as the owning tenant).
239
241
1.[Register the container type](../getting-started/register-api-documentation.md) on the _consuming_ tenant.
240
-
1. Remove **[FileStorageContainerTypeReg.Selected](/graph/permissions-reference#filestoragecontainertyperegselected)** from your application's manifest after registration is complete.
241
-
242
-
> [!NOTE]
243
-
> After registering the container type, you should remove the **[FileStorageContainerTypeReg.Selected](/graph/permissions-reference#filestoragecontainertyperegselected)** permission from your application's manifest. This permission is only needed during registration setup. Keeping it after registration unnecessarily increases your application's permission surface.
244
-
245
242
1.[Create a container](/graph/api/filestoragecontainer-post) on the _consuming_ tenant
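Review bot: this hunk removes both the step and the note telling readers to drop **FileStorageContainerTypeReg.Selected** from the manifest after registration, but neither the diff nor the commit message ("remove note to delete FSCTR.Selected from manifest") says why. If the permission is still needed after registration (for example for later container type operations), the article should state that, because the removed note was the only least-privilege guidance in this list and a reader who followed the old advice would now break their application without an obvious cause. If the old guidance was simply wrong, one sentence explaining the permission's ongoing role is the cleanest replacement for the deleted note. Minor: the surviving items read `1.[Grant admin consent]` with no space after the list marker, which Markdown does not treat as an ordered list item, and the final step "Create a container" lacks the trailing period the other steps have.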