| Container types that a partner tenant can create | 5 |
21
+
| Container types that a partner tenant can create | 5*|
19
22
| Container types that an app can own | 1 |
20
23
| Containers of a container type per tenant | 100k*|
21
24
| Storage per container type per tenant | 100TB*|
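Review bot: The new `*` markers are glued to the cell border (`| 5*|`, `| 100k*|`, `| 100TB*|`) while the unchanged row keeps the `| 1 |` spacing; write `| 5* |` so the cells stay consistent and the marker is not read as part of the pipe. `100k` is also the only abbreviated value in the table; `100,000` matches how the other limits are written.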
@@ -28,7 +31,7 @@ The table below defines the size limits of containers.
28
31
29
32
30
33
> [!NOTE]
31
-
> The limit can be increased per request.
34
+
> \* Limit can be increased per request.
32
35
33
36
34
37
## Throttling
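Review bot: `\* Limit can be increased per request.` is now a footnote, so every row that is meant to be adjustable must carry the `*` marker or the note dangles. "per request" also reads as "per API request" in a page that is about request limits; "on request" (via a support request) says what is meant.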
@@ -67,8 +70,7 @@ The following table lists the API rate limits for applications and containers.
67
70
| Requests per user | 600 resource units per min |
68
71
69
72
> [!NOTE]
70
-
> The limit can be increased per request.
71
-
>
73
+
> \* Limit can be increased per request.
72
74
73
75
Application limits are defined in resource units, and the actual request rate, such as requests per minute, varies based on the chosen API and its corresponding resource unit cost. As a general rule, you can estimate the request rate by averaging about 2 resource units per request and dividing application resource unit limits by 2. Reducing the usage of permission operations can notably improve the call rate since these operations have the most significant impact on overall resource consumption.
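Review bot: The note was rewritten to the `\*` footnote form, but the only row visible in this hunk, `| Requests per user | 600 resource units per min |`, carries no marker; confirm the throttling rows that can actually be raised are starred, otherwise readers cannot tell which of the API rate limits are negotiable. Dropping the empty `>` line is fine since the note is a single paragraph.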
docs/sp-add-ins-modernize/understanding-aad-and-oauth-for-spo-modern.md
Lines changed: 16 additions & 16 deletions
@@ -1,7 +1,7 @@
1
1
---
2
2
title: Understanding Azure Active Directory and OAuth 2.0 in the context of SharePoint Online modern development
3
3
description: Master Azure Active Directory and OAuth 2.0 for SharePoint Online modern development. Learn about authentication, authorization, and access tokens in this comprehensive guide.
4
-
ms.date: 08/28/2023
4
+
ms.date: 12/05/2023
5
5
ms.localizationpriority: high
6
6
ms.service: sharepoint
7
7
---
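Review bot: Bumping `ms.date` to 12/05/2023 fits the edits below, but `title` and `description` still say "Azure Active Directory" while the links changed in this same commit now point at `/entra/...` paths; either keep the old name consistently or update the metadata to Microsoft Entra ID in a follow-up so the page's title text matches where its links go.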
@@ -24,10 +24,10 @@ If you prefer, you can watch the following video, instead of reading the whole a
24
24
In Microsoft SharePoint Online, when developing SharePoint Framework (SPFx) solutions, you can consume Microsoft Graph, as well as any other third-party APIs relying on OAuth 2.0 and Azure Active Directory. Specifically, and by default, in SharePoint Framework any external API can be consumed either via _MSGraphClient_ or _AadHttpClient_ and leveraging a pre-defined Azure Active Directory application with name "SharePoint Online Client Extensibility Web Application Principal".
25
25
26
26
> [!NOTE]
27
-
> For further details about consuming Microsoft Graph from within a SharePoint Framework solution you can read the article ["Use the MSGraphClientV3 to connect to Microsoft Graph"](../spfx/use-msgraph.md). For further details about consuming any other third-party APIs from within SharePoint Framework you can read the article ["Connect to Azure AD-secured APIs in SharePoint Framework solutions"](../spfx/use-aadhttpclient.md).
27
+
> For further details about consuming Microsoft Graph from within a SharePoint Framework solution you can read the article [Use the MSGraphClientV3 to connect to Microsoft Graph](../spfx/use-msgraph.md). For further details about consuming any other third-party APIs from within SharePoint Framework you can read the article [Connect to Azure AD-secured APIs in SharePoint Framework solutions](../spfx/use-aadhttpclient.md).
28
28
29
29
> [!IMPORTANT]
30
-
> There are scenarios where you need to have a dedicated and isolated access to a target API. In such scenario, you can rely on the Domain Isolated configuration for your SharePoint Framework solution. You can find additional details about the Domain Isolated scenario reading the article ["Isolated web parts"](../web-parts/isolated-web-parts.md).
30
+
> There are scenarios where you need to have a dedicated and isolated access to a target API. In such scenario, you can rely on the Domain Isolated configuration for your SharePoint Framework solution. You can find additional details about the Domain Isolated scenario reading the article [Isolated web parts](../spfx/web-parts/isolated-web-parts.md).
31
31
32
32
The "SharePoint Online Client Extensibility Web Application Principal" application is pre-registered by Microsoft SharePoint Online in any Microsoft 365 tenant and allows all the SharePoint Framework solutions to share a unique application to access both Microsoft Graph and any other third-party APIs. In this article, you will understand what the role of Azure Active Directory and OAuth 2.0 in the SharePoint Framework context is.
33
33
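Review bot: The substantive change in this hunk is the path fix on line 30, `../web-parts/isolated-web-parts.md` to `../spfx/web-parts/isolated-web-parts.md`; please confirm `docs/spfx/web-parts/isolated-web-parts.md` resolves from `docs/sp-add-ins-modernize/`, consistent with the `../spfx/use-msgraph.md` and `../spfx/use-aadhttpclient.md` links just above it. The removal of the quotes around link text is cosmetic and fine.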
@@ -36,12 +36,12 @@ The "SharePoint Online Client Extensibility Web Application Principal" applicati
36
36
In order to consume any API registered in Azure Active Directory and secured with OAuth 2.0 you need to provide an Access Token, which by definition is an opaque string used to protect a resource. With Azure Active Directory, as well as with many other vendor-specific identity platforms, the Access Token is a JSON Web Token (JWT) that contains a set of claims. Claims are assertions about a subject described by the Access Token and where the assertions are guaranteed to be true because the token is digitally signed by the issuer (Azure Active Directory in this context) and the recipient of the token trusts the issuer.
37
37
38
38
> [!NOTE]
39
-
> You can find additional information about the Open Authorization 2.0 protocol reading its specification ["The OAuth 2.0 Authorization Framework"](https://datatracker.ietf.org/doc/html/rfc6749). You can also find additional information about the JWT token format for Access Tokens reading the document ["JSON Web Token (JWT) profile for OAuth 2.0 Acccess Tokens"](https://www.rfc-editor.org/rfc/rfc9068).
39
+
> You can find additional information about the Open Authorization 2.0 protocol reading its specification [The OAuth 2.0 Authorization Framework](https://datatracker.ietf.org/doc/html/rfc6749). You can also find additional information about the JWT token format for Access Tokens reading the document [JSON Web Token (JWT) profile for OAuth 2.0 Acccess Tokens](https://www.rfc-editor.org/rfc/rfc9068).
40
40
41
41
An Access Token is provided to the target API/service through a HTTP Authorization header and specifically, in the fields of Azure Active Directory, it is an Authorization token of type _Bearer_.
42
42
43
43
> [!NOTE]
44
-
> In case you are wondering what "Bearer" means and why you need to specify the Bearer type before the actual Access Token value in the Authorization header, you can read the specification ["The OAuth 2.0 Authorization Framework: Bearer Token Usage"](https://www.rfc-editor.org/rfc/rfc6750).
44
+
> In case you are wondering what "Bearer" means and why you need to specify the Bearer type before the actual Access Token value in the Authorization header, you can read the specification [The OAuth 2.0 Authorization Framework: Bearer Token Usage](https://www.rfc-editor.org/rfc/rfc6750).
45
45
46
46
### Delegated vs Application permissions scopes
47
47
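Review bot: The typo `Acccess` in the RFC 9068 link text survives on the + side of line 39; the document is titled "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens". While touching this block, line 41's `a HTTP Authorization header` should read `an HTTP Authorization header`.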
@@ -56,21 +56,21 @@ When using Delegated permissions in Access Tokens, the permissions scopes associ
56
56
57
57
In order for the tokens to be issued and fully effective, there must be either an explicit user's consent, for those permissions related to personal resources of the current user, or a tenant admin's consent, for those permissions related to tenant-wide resources.
58
58
59
-
When using Application permissions in Access Tokens, tipically the permissions granted require a tenant admin's consent because such an application will then gain access to target resources tenant-wide, and as such an admin approval is required.
59
+
When using Application permissions in Access Tokens, typically the permissions granted require a tenant admin's consent because such an application will then gain access to target resources tenant-wide, and as such an admin approval is required.
60
60
61
61
In SharePoint Framework solutions, you will only get Access Tokens with Delegated permissions, meaning that you will only consume Microsoft Graph and any other API/services acting as the signed-in user.
62
62
63
63
### Understanding SharePoint Framework Access Tokens and Delegated permissions scopes
64
64
65
-
In order to better understand the role and the format of an Access Token you can play with the sample ["Consuming Microsoft Graph from SharePoint Framework"](https://github.com/pnp/addin-transformation-guidance/tree/main/samples/Understanding-AAD-OAuth-for-SPFx/Consuming-MSGraph-from-SPFx) related to this article. In the following screenshot you can see the user interface of the sample.
65
+
In order to better understand the role and the format of an Access Token you can play with the sample [Consuming Microsoft Graph from SharePoint Framework](https://github.com/pnp/addin-transformation-guidance/tree/main/samples/Understanding-AAD-OAuth-for-SPFx/Consuming-MSGraph-from-SPFx) related to this article. In the following screenshot you can see the user interface of the sample.
66
66
67
67

68
68
69
-
The sample Web Part relies on the ["jwt.ms"](https://jwt.ms) web site provided by Microsoft, where you can inspect the content of an Access Token.
69
+
The sample Web Part relies on the [jwt.ms](https://jwt.ms) web site provided by Microsoft, where you can inspect the content of an Access Token.
70
70
71
71
Running the sample web part in the SharePoint Framework Workbench and pressing the "Look inside the Access Token for Microsoft Graph" button you will be brought to the jwt.ms web site where you can see the content of your Access Token. In the following screenshot you can see the output of the jwt.ms web site for a sample Access Token.
72
72
73
-

73
+

74
74
75
75
Inside every JWT Access Token there are claims, and here you can find a list of the most important ones for an Access Token issued to a SharePoint Framework client with Delegated permission scopes:
76
76
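Review bot: Line 73 replaces an image line with one that renders identically here (``); if the only difference is trailing whitespace or a line ending, the hunk is noise, and if the alt text or path changed it is not visible in this view, so say which in the commit message. The `tipically` to `typically` fix on line 59 is correct.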
@@ -89,18 +89,18 @@ If you are consuming the Microsoft Graph, like in the above sample, the _aud_ cl
89
89
> [!NOTE]
90
90
> For a Domain Isolated solution, the *app_displayname* claim will be the one of a dedicated application registered for you in Azure Active Directory by the SharePoint Online services.
91
91
92
-
On the client side, meaning in SharePoint Framework, you should never rely on the actual content of the Access Token. The provided sample is just for the sake of understanding how the security model works. However, in a common scenario, you can simply benefit of the out of the box capabilities of SharePoint Framework, which hides from you all the plumbing of consuming external APIs from within your code.
92
+
On the client side, meaning in SharePoint Framework, you should never rely on the actual content of the Access Token. The provided sample is just for the sake of understanding how the security model works. However, in a common scenario, you can simply take advantage of the out of the box capabilities of SharePoint Framework, which hides all the plumbing of consuming external APIs from your code.
93
93
94
-
On the service side, if you are consuming Microsoft Graph, it will be responsibility of Microsoft to evaluate the provided Access Token and to authorize (or deny) access to the requeste API endpoint. In case you are consuming a third-party API/service that you implemented, you can either rely on the configuration options of Microsoft Azure, if you are hosting the service on Microsoft Azure, or you can rely for example on the Microsoft Authentication Library (MSAL) and the Microsoft.Identity.Web library to validate and authorize the tokens.
94
+
On the service side, if you are consuming Microsoft Graph, it will be the responsibility of Microsoft to evaluate the provided Access Token and to authorize (or deny) access to the requeste API endpoint. In case you are consuming a third-party API/service that you implemented, you can either rely on the configuration options of Microsoft Azure, if you are hosting the service on Microsoft Azure, or you can rely, for example, on the Microsoft Authentication Library (MSAL) and the Microsoft.Identity.Web library to validate and authorize the tokens.
95
95
96
96
> [!NOTE]
97
-
> You can find additional information about the Microsoft Authentication Library reading ["Overview of the Microsoft Authentication Library (MSAL)"](https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-overview). You can find further details about the Microsoft.Identity.Web library reading the article ["Microsoft Identity Web authentication library"](https://learn.microsoft.com/en-us/azure/active-directory/develop/microsoft-identity-web).
97
+
> You can find additional information about the Microsoft Authentication Library by reading [Overview of the Microsoft Authentication Library (MSAL)](/entra/identity-platform/msal-overview). You can find further details about the Microsoft.Identity.Web library by reading the article [Microsoft Identity Web authentication library](/entra/msal/dotnet/microsoft-identity-web).
98
98
99
99
## Recommended content
100
100
101
101
You can find additional information about this topic reading the following documents:
102
102
103
-
*["Connect to Azure AD-secured APIs in SharePoint Framework solutions"](../spfx/use-aadhttpclient.md)
104
-
*["Isolated web parts"](../spfx/web-parts/isolated-web-parts.md)
105
-
*["Overview of the Microsoft Authentication Library (MSAL)"](https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-overview)
106
-
*["Microsoft Identity Web authentication library"](https://learn.microsoft.com/en-us/azure/active-directory/develop/microsoft-identity-web)
103
+
*[Connect to Azure AD-secured APIs in SharePoint Framework solutions](../spfx/use-aadhttpclient.md)
104
+
*[Isolated web parts](../spfx/web-parts/isolated-web-parts.md)
105
+
*[Overview of the Microsoft Authentication Library (MSAL)](/entra/identity-platform/msal-overview)
106
+
*[Microsoft Identity Web authentication library](/entra/msal/dotnet/microsoft-identity-web)
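Review bot: `requeste API endpoint` on line 94 is still misspelled on the + side; `requested` is intended. The `/entra/...` site-relative links replacing absolute learn.microsoft.com URLs are the right direction, but the list items on lines 103-106 are written `*[text](url)` with no space after the marker; Markdown needs `* [text](url)` for them to render as a bullet list. Since line 91 rightly says the client must never rely on the token's content, the service-side paragraph on line 94 would be stronger if it named what "validate" covers (the signature against the issuer's keys, the issuer, and the `aud` audience claim discussed above), so readers hosting their own API do not stop at decoding the JWT.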