Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Are there security issues with Microsoft365R's requested permissions? #61

Closed
jonathanmburns opened this issue Jun 30, 2021 · 5 comments
Closed

Are there security issues with Microsoft365R's requested permissions? #61

jonathanmburns opened this issue Jun 30, 2021 · 5 comments

Comments

@jonathanmburns
Copy link

There have been concerns about providing me with access because “the integration set up full read/write access to all SharePoint sites in the [corporate] tenant and there was not a way to limit that access.“

Is there anyway within the package to limit access?

I did see the following for Python - https://www.dataandstuff.co.uk/post/interacting-with-sharepoint-online-documents-using-python.

Can something like this be worked on?
@hongooi73
Copy link
Collaborator

Hi, the only permissions that the app has are delegated permissions. That means the only things you can do with the package are things that your account would normally be allowed to do anyway.

Basically, to carry out an action X, the package must have permission X and your account must have the appropriate role that allows X. See here: https://docs.microsoft.com/en-us/graph/auth/auth-concepts#microsoft-graph-permissions

For delegated permissions, the effective permissions of your app will be the intersection of the delegated permissions the app has been granted (via consent) and the privileges of the currently signed-in user. Your app can never have more privileges than the signed-in user. Within organizations, the privileges of the signed-in user can be determined by policy or by membership in one or more administrator roles. For more information about administrator roles, see Assigning administrator roles in Azure Active Directory.

The opposite of this is application permissions, where having permission X is all that is necessary to carry out an action (this is likely what your IT people are concerned about). Microsoft365R doesn't require, or request, any of these.

@jonathanmburns
Copy link
Author

Thanks, this is very helpful. Bottom line, I can only get to sites that I can currently get to by physically going to the SharePoint site and any sites that I currently can't get to by physically going to the SharePoint site, I won't be able to get to with the app.
Thanks!

@hongooi73
Copy link
Collaborator

Yes, that's correct. Your Python link is using a limited set of application permissions to work with Sharepoint, which is another way to keep things secure. Personally I think this is not so good, because it means you lose track of who is making changes to documents -- what will be recorded is the app/service principal ID, not a username. But from a security standpoint, it does the job.

@hongooi73 hongooi73 changed the title Feature Request - Limiting Access Are there security issues with Microsoft365R's requested permissions? Jun 30, 2021
@hongooi73 hongooi73 pinned this issue Jun 30, 2021
@jonathanmburns
Copy link
Author

Excellent. Thank you very much. I am happy to close the issue unless you have a need for it to remain open.

@hongooi73
Copy link
Collaborator

No worries. I've actually pinned it to the top, as it's a question that I'm sure others will have.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@hongooi73 @jonathanmburns