|
| 1 | +--- |
| 2 | +title: SharePoint admin APIs authentication and authorization |
| 3 | +description: This article describes the authentication and authorization model for SharePoint admin APIs. |
| 4 | +author: samkabue |
| 5 | +ms.author: samkabue |
| 6 | +ms.date: 06/28/2024 |
| 7 | +ms.localizationpriority: high |
| 8 | +ms.service: sharepoint |
| 9 | +--- |
| 10 | + |
| 11 | +# SharePoint admin APIs authentication and authorization |
| 12 | + |
| 13 | +SharePoint admin APIs are accessible via [SharePoint client object model (CSOM)](./complete-basic-operations-using-sharepoint-client-library-code.md), [SharePoint REST service](./get-to-know-the-sharepoint-rest-service.md), and [Microsoft Graph](../apis/sharepoint-rest-graph.md). |
| 14 | + |
| 15 | +## Overview |
| 16 | + |
| 17 | +Here are some key principles about SharePoint admin APIs authentication and authorization: |
| 18 | + |
| 19 | +- Each admin API defines the least-permissive permission a caller should have to call the API. |
| 20 | +- We use role-based access control to assert a caller can call a particular admin API. If the caller has not been granted the required permission, they'll get an unauthorized access error. |
| 21 | + |
| 22 | +## Pre-Requisites |
| 23 | + |
| 24 | +- Caller is a registered Microsoft Entra application with the right application permissions. |
| 25 | + |
| 26 | +## Authorization |
| 27 | + |
| 28 | +SharePoint admin APIs can be called by applications registered in Microsoft Entra configured with [access on behalf of a user](/graph/auth-v2-user) or [access without a user](/graph/auth-v2-service). |
| 29 | + |
| 30 | +### Application access on behalf of a user |
| 31 | + |
| 32 | +Admin API operations [on behalf of a user](/graph/auth-v2-user) require applications to receive consent for SharePoint `AllSites.FullControl` application permission. This permission requires admin consent on the consuming tenant before any user from the tenant can consent to it. |
| 33 | + |
| 34 | +### Application access without a user |
| 35 | + |
| 36 | +Admin API operations [without a user](/graph/auth-v2-service) require applications to receive consent for `Sites.FullControl.All` application permission on the SharePoint resource. This permission requires admin consent on the consuming tenant. |
| 37 | + |
| 38 | +> [!IMPORTANT] |
| 39 | +> Using application access on behalf of a user is the recommended approach. This type of access enhances the security of your tenant and improves auditability of actions performed by the application. For all applications, an administrator on the consuming tenant must consent to your application's request for permission. Learn more [here](/entra/identity/enterprise-apps/grant-admin-consent?pivots=portal). |
| 40 | +
|
| 41 | +> [!NOTE] |
| 42 | +> We are currently working on providing more granular, less-permissive scopes for applications to use based on what admin APIs the applications want to have access to. We'll share more information in due course when this is ready for adoption. |
| 43 | +
|
| 44 | +## What's next |
| 45 | + |
| 46 | +Here are some actions you can take next to use applications for admin API calls: |
| 47 | + |
| 48 | +1. Configure your [application manifest](/entra/identity-platform/reference-app-manifest#requiredresourceaccess-attribute) to request the required permissions for Office 365 SharePoint Online (resourceAppId: `00000003-0000-0ff1-ce00-000000000000`). |
| 49 | +1. [Grant admin consent](/entra/identity/enterprise-apps/grant-admin-consent?pivots=portal) to your application on the target tenant. |
| 50 | + |
| 51 | + | Access type | Permission name | `resourceAccess` id | `resourceAccess` type | |
| 52 | + | :------------------ | :---------------------- | :------------------------------------- | :-------------------- | |
| 53 | + | On behalf of a user | `AllSites.FullControl` | `56680e0d-d2a3-4ae1-80d8-3c4f2100e3d0` | Scope | |
| 54 | + | Without a user | `Sites.FullControl.All` | `a82116e5-55eb-4c41-a434-62fe8a61c773` | Role | |
| 55 | + |
| 56 | +1. Use your application to [invoke admin APIs](./get-to-know-the-sharepoint-rest-service.md). |
0 commit comments