How to narrow down Microsoft Teams bot to only upload files into one Sharepoint Site

Question

I am trying to figure out the correct permission and process to grant my Teams bot with permission to read/write files to one Microsoft SharePoint Site.

In the azure portal when configuring the permissions for the bot, I am giving it the following permissions:

This seems to be the only way I can successfully write to the Sharepoint Site. However, if I remove Files.ReadWrite.All, then I don't have permissions anymore and receive the following error when trying to do so:

Either scp or roles claim need to be present in the token.

From what I've researched, I could give it Sites.Selected permissions within SharePoint, but this doesn't seem to change anything. I still have the ability to read/write to any sites I want, rather than just one specific one.

As a Teams bot, it seems to be an all or nothing type of permission. How can I give a bot permission to just one sharepoint site?

It seems like it would be possible this way, but this first requires another application with full control, which I don't have. Is there not a way as a user (who has full access to a site) to provide write access to a site for a bot or a way I can instruct IT to do this from the UI?

Answer 1

To restrict the Microsoft Bot Application to access only one SharePoint site, check the below:

Grant Admin Consent to Sites.Selected Application API permission:

Use the below PowerShell script to grant access to only one SharePoint site:

$siteUrl = “https://xxx.sharepoint.com/sites/testruk”
$clientId = “ClientID” 
$certThumbprint = “Thumbprint” 
$tenant = “xxx.onmicrosoft.com”

Connect-PnPOnline -Url $siteUrl -Interactive
$writeperm = Grant-PnPAzureADAppSitePermission -Permissions “Write” -Site $siteUrl -AppId $clientId -DisplayName “PowerShell-SharepointOnline”
$PermissionId = Get-PnPAzureADAppSitePermission -AppIdentity $clientId
Set-PnPAzureADAppSitePermission -Site $siteurl -PermissionId $(($PermissionId).Id) -Permissions “FullControl”

I connected to the SharePoint site using application and I am able to access the site:

Connect-PnPOnline -Url $siteUrl -ClientId $clientId -Thumbprint $certThumbprint -Tenant $tenant

Now, I connected the application to another SharePoint site and got 403 forbidden error when trying to access the site:

Connect-PnPOnline -Url $siteUrl -ClientId $clientId -Thumbprint $certThumbprint -Tenant $tenant

Note that: This will restrict access to specific site collections but not specific folders/files.

• Applications that use Microsoft Graph with their own identities have their application permissions exposed.
• Application permissions are full level access permissions granted to the Azure AD App.
• If the application has the Files.ReadWrite.All application permission granted, then application can access files from any OneDrive in the organization and it cannot be restricted.

References:

Graph API - Restrict OneDrive/Sharepoint Access when using "Files.ReadWrite.All" and "Sites.ReadWrite.all" Permissions - Microsoft Q&A by CarlZhao-MSFT

How to allow my app without user to access ONLY specific drive or folder - Microsoft Q&A by Vasil Michev