docs: Remove admin role requirement for SPE container type creation #10877
gnjoseph wants to merge 2 commits into
Updates SharePoint Embedded container type docs to reflect that FileStorageContainerType.Manage.All no longer requires the SharePoint Embedded Administrator or Global Administrator role. Any non-guest user in the owning tenant can now create a container type and is automatically assigned as an owner.
- containertypes.md: rewrote Creating/Viewing/Deleting sections; fixed owningAppId -> owningApplicationId typo in the request body example
- dev-admin.md: noted that the Graph path doesn't require admin
- auth.md: minor phrasing fix in 'Container type owner capabilities'
- whats-new.md: added June 2026 entry
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Learn Build status updates of commit 8c0f25c: ✅ Validation status: passed
For more details, please refer to the build report.
PoliCheck Scan Report
The following report lists PoliCheck issues in PR files. Before you merge the PR, you must fix all severity-1 and severity-2 issues. The AI Review Details column lists suggestions for either removing or replacing the terms. If you find a false positive result, mention it in a PR comment and include this text: #policheck-false-positive. This feedback helps reduce false positives in future scans.
✅ No issues found
Pull request overview
Updates SharePoint Embedded documentation to reflect an ownership-based authorization model for creating container types, removing the requirement for SharePoint Embedded Administrator / Global Administrator roles when using Microsoft Graph.
Changes:
- Updated container type creation, viewing, and deletion guidance to reflect ownership-scoped access and non-admin creation.
- Added a developer-admin doc note clarifying PowerShell vs Microsoft Graph role requirements.
- Added a June 2026 “What’s new” entry documenting the authorization model change.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| docs/embedded/whats-new.md | Adds June 2026 release note and updates ms.date. |
| docs/embedded/getting-started/containertypes.md | Rewrites container type create/view/delete sections for the new ownership-based authorization model and updates the request example. |
| docs/embedded/development/auth.md | Minor wording adjustment in container type owner capabilities and updates ms.date. |
| docs/embedded/administration/developer-admin/dev-admin.md | Adds a note distinguishing PowerShell admin-role requirements from Microsoft Graph behavior. |
@gnjoseph As you've requested Copilot to do a review, please address/resolve its findings before requesting my review. My review is the final review before merging => For now, until that's complete, I'll remove my review.
- dev-admin.md note: narrow the Graph-doesn't-require-admin claim to container type CRUD endpoints, and explicitly call out that other SPE Graph operations (e.g. `FileStorageContainer.Manage.All` for container management) still require an admin role. Addresses comment on docs/embedded/administration/developer-admin/dev-admin.md L23.
- auth.md "What's next": switch `FileStorageContainerType.Manage.All` permission type from `Role` to `Scope` in both the add and remove blocks. Per the live Microsoft Graph permissions reference, this permission is exposed only as a delegated scope (id `8e6ec84c-...`, AdminConsentRequired: No). The previous `type: Role` instruction was a pre-existing bug exposed by this PR; existing app permissions (`FileStorageContainerTypeReg.Selected`, `FileStorageContainer.Selected`) are correctly left as `Role`. Added an inline NOTE explaining the delegated nature and that admin consent isn't required, and softened the "Grant admin consent" step. Addresses comments on containertypes.md L42 and auth.md L152.
- auth.md L150: tighten dangling preposition ("they have a permission on" -> "on which they have a permission"). Keeps the AD-Aggregator spec author's preferred phrasing of "has/have a permission" over "appears in the permissions collection". Addresses comment on auth.md L150.
- Bumped `ms.date` on both modified files to 06/08/2026.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@gnjoseph I'll review once other human reviews are complete. The presence of open requested reviews indicates to me that this PR is still in flight and SMEs have been requested to review the content. I'm the last review before ultimately merging to
Category
Related issues
What's in this Pull Request?
Updates SharePoint Embedded container type docs to reflect that `FileStorageContainerType.Manage.All` no longer requires the SharePoint Embedded Administrator or Global Administrator role. Any non-guest user in the owning tenant can now create a container type and is automatically assigned as an owner.
- `docs/embedded/getting-started/containertypes.md`: rewrote Creating, Viewing, and Deleting sections to reflect the new ownership-based authorization model; fixed `owningAppId` -> `owningApplicationId` typo in the request body example
- `docs/embedded/administration/developer-admin/dev-admin.md`: added a note distinguishing the PowerShell path (admin required) from the Microsoft Graph path (no admin required)
- `docs/embedded/development/auth.md`: minor phrasing fix in Container type owner capabilities per reviewer feedback
- `docs/embedded/whats-new.md`: added June 2026 entry
Related documentation PRs
`FileStorageContainerType.Manage.All` description in the Microsoft Graph permissions reference still mentions the admin requirement and will need a follow-up update in the Graph docs repo.