Microsoft Graph API: Limiting MSAL Python Daemon app to individual user access

Question:

I am building a Python Daemon app to download files which are accessible to an individual O365 user via Graph API. I am trying to use ConfidentialClientApplication class in MSAL for authorization.

In my understanding, this expects “Application Permissions” (the API permission type in Azure AD) and not “Delegated permissions”, for which an admin has to consent to Files.Read.All.

So the questions I have are:

  1. Does this mean, my app will have access to all the files in the organization after the admin consent?
  2. How do I limit access to a Daemon app to the files which only an individual user (my O365 user/UPN) has access to?
  3. Should I rather be using a different auth flow where user consent is also part of the flow, such as on-behalf-of, interactive, or username/password?

Thanks!

Asked By: TejasviSarraju


Answers:

Does this mean, my app will have access to all the files in the organization after the admin consent?

Yes, it is the downside of application permissions usually.

How do I limit access to a Daemon app to the files which only an individual user (my O365 user/UPN) has access to?

I’m pretty sure you can’t limit a daemon app’s OneDrive access. You can, for example, limit Exchange access for a daemon app.

Should I rather be using a different auth flow where user consent is also part of the flow, such as on-behalf-of, interactive, or username/password?

It would certainly allow you to limit the access to a specific user. In general I recommend that you do not use username+password (ROPC); it won’t work anyway if your account has e.g. MFA. The more secure approach would be to initialize the daemon app once with the Authorization Code flow. This gives your app a refresh token that it can then use to get an access token for the user when needed (and a new refresh token). Note it is possible for refresh tokens to expire, in which case the user needs to initialize the app again.

Answered By: juunas
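The bootstrap-once, then-silent pattern described in that answer, as an added example with MSAL Python (this is not code from the original answer or from the MSAL project). It assumes an app registration with a client secret, the redirect URI `http://localhost:8400/`, and the delegated Graph permission `Files.Read` (user-consentable, no admin consent); `TENANT_ID`, `CLIENT_ID`, `CLIENT_SECRET` and the cache path are read from the environment and are placeholders here. The first run prints an authorization URL for the one user the daemon may act as; MSAL stores the resulting refresh token in a file-backed cache, and every later run uses `acquire_token_silent` against that cached account only, falling back to a new bootstrap when the refresh token has expired.

```python
"""Daemon that acts as ONE user: authorization-code bootstrap once, silent refresh after.

Added example, not the original answer's code. Environment variables are assumed
placeholders; the redirect URI and scope must match the app registration.
"""
import os
import sys
from typing import Optional
from urllib.parse import parse_qs, urlparse

TENANT_ID = os.environ.get("TENANT_ID", "<tenant-id>")          # placeholder
CLIENT_ID = os.environ.get("CLIENT_ID", "<client-id>")          # placeholder
CLIENT_SECRET = os.environ.get("CLIENT_SECRET", "<client-secret>")  # placeholder
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}"
REDIRECT_URI = "http://localhost:8400/"                 # must be registered on the app
SCOPES = ["https://graph.microsoft.com/Files.Read"]     # delegated: only this user's files
TOKEN_CACHE_PATH = os.environ.get("TOKEN_CACHE_PATH", "token_cache.json")


def extract_auth_code(redirect_url: str, expected_state: Optional[str] = None) -> str:
    """Pull the authorization code out of the URL the browser was redirected to.

    Rejects an error response, a missing code, and a `state` that does not match
    the one we generated (the CSRF check of the auth-code flow).
    """
    params = parse_qs(urlparse(redirect_url).query)
    if "error" in params:
        detail = params.get("error_description", params["error"])[0]
        raise ValueError(f"authorization failed: {detail}")
    if expected_state is not None and params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect did not come from our request")
    codes = params.get("code")
    if not codes:
        raise ValueError("no authorization code in redirect URL")
    return codes[0]


def select_account(accounts, upn: str):
    """Pick the cached MSAL account for the single user this daemon is allowed to act as.

    Any other account that ends up in the cache is ignored, never used.
    """
    for acct in accounts:
        if acct.get("username", "").lower() == upn.lower():
            return acct
    return None


def build_app(cache_path: str = TOKEN_CACHE_PATH):
    """Confidential client backed by a token cache persisted to disk."""
    import msal  # imported here so the pure helpers above work without the library
    cache = msal.SerializableTokenCache()
    if os.path.exists(cache_path):
        with open(cache_path, "r", encoding="utf-8") as fh:
            cache.deserialize(fh.read())
    app = msal.ConfidentialClientApplication(
        CLIENT_ID, authority=AUTHORITY, client_credential=CLIENT_SECRET, token_cache=cache
    )
    return app, cache


def persist(cache, cache_path: str = TOKEN_CACHE_PATH) -> None:
    """Write the cache back only when MSAL changed it (e.g. rotated refresh token).

    The file holds a refresh token, so it is created owner-read/write only.
    """
    if cache.has_state_changed:
        fd = os.open(cache_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(cache.serialize())


def get_user_token(upn: str) -> str:
    """Return a Graph access token for `upn`; bootstraps interactively when needed."""
    app, cache = build_app()
    account = select_account(app.get_accounts(), upn)
    result = app.acquire_token_silent(SCOPES, account=account) if account else None
    if not result:
        # First run, or the refresh token expired: the user must authorize again.
        state = os.urandom(16).hex()
        print(f"Sign in as {upn} at the URL below, then paste the redirect URL here:")
        print(app.get_authorization_request_url(
            SCOPES, state=state, redirect_uri=REDIRECT_URI, login_hint=upn))
        code = extract_auth_code(input("redirect URL: ").strip(), expected_state=state)
        result = app.acquire_token_by_authorization_code(
            code, scopes=SCOPES, redirect_uri=REDIRECT_URI)
    persist(cache)
    if "access_token" not in result:
        raise RuntimeError(result.get("error_description", result))
    return result["access_token"]


if __name__ == "__main__":
    token = get_user_token(sys.argv[1])  # usage: python daemon.py user@contoso.com
    print(f"obtained access token ({len(token)} chars) for Graph")
```

Run it once interactively to seed the cache; afterwards it can run unattended until the refresh token expires, at which point it prints the authorization URL again instead of silently failing. Because the scope is delegated `Files.Read`, the token can only reach what that user can reach, which is the access boundary the question asked for.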

You can limit the Application (admin-approved) permissions to specific resources (at least for some resources, e.g. mailboxes, calendars, SharePoint sites, …).

Using Application Access Policy

An example for using this to restrict mailbox access to one or more users is:

This approach currently can’t be set in the MS Graph application definition. Your admin has to use PowerShell to associate an Access Policy with an application definition.

SharePoint sites restriction

For SharePoint sites, you can use the MS Graph Sites.Selected Application permission to have Admin approved access to specific SharePoint sites.
https://devblogs.microsoft.com/microsoft365dev/updates-on-controlling-app-specific-access-on-specific-sharepoint-sites-sites-selected/

Answered By: William