Use SharePoint Item Level Permissions with Azure AD Application Permissions

If you configure SQList to use Azure AD Application Permissions to export items from a SharePoint list that implements Item Level Permissions, be aware that granting the Sites.Read.All permission in Azure AD is not enough for that list to be exported.

Example

1. We have a list named "Test list" in SharePoint Online which implements Item Level Permissions.

Note that the list contains 5 items, 3 created by an Owner account (Francesco) and 2 created by a Contributor (Member) account.

In the list's settings, we have selected to let users read only the items they have created (note that this limitation does not apply to Owner users).


2. In Azure, we have configured Azure AD Application Permissions authentication for SQList.

We have granted the Sites.Read.All permission to the application.

See this article for more details about setting up this type of authentication:

3. In SQList, we created 3 replications, one for each authentication method:

  1. TestAdmin: uses the Owner account;
  2. TestPublic: uses the Member account;
  3. TestAD: uses the Azure AD authentication.

4. We ran SQList to export the list.

SQList exported:

  • All 5 items when connecting using the Owner account;
  • The 2 items created by the Member account when connecting using the Member account;
  • No items when connecting using the Azure AD authentication.

Our assumption is that SharePoint treats the Azure AD account as if it were a regular Visitor user account: since the list only lets users read the items they created, and that account created none, it is not allowed to see any items.

5. We then granted Sites.FullControl.All to the Azure AD application.

6. We re-ran SQList.

This time SQList was able to export all items from the list with the Azure AD account (just like with the Owner account).

Conclusions

Based on our tests, we have concluded that, when it comes to permissions, Azure AD Authentication is treated by SharePoint as any other user.

Therefore, Sites.Read.All corresponds to a "Visitor", while Sites.FullControl.All corresponds to an "Owner".

Be aware that Sites.FullControl.All gives full access to all sites in the site collection, so you should grant this permission only if absolutely necessary.

Also, note that there may be other combinations of permissions that may achieve the same result, but we have not tried them as they are outside the scope of this test.
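The following PowerShell script is an added example, not part of the original article or of SQList itself. It shows how to check the two things the tests above turn on before changing any application permission: the list's item-level read setting, and how many items the Azure AD application identity can actually read. It assumes the PnP.PowerShell module is installed and that the application has a certificate credential; the site URL, tenant, client id and certificate path are placeholders to replace with your own values.

```powershell
# Added example (not from the original article): inspect a list's item-level
# permission settings and count the items an Azure AD app-only identity can read.
# Assumes PnP.PowerShell; all values below are placeholders.
$siteUrl  = "https://contoso.sharepoint.com/sites/TestSite"   # placeholder site
$listName = "Test list"
$tenant   = "contoso.onmicrosoft.com"                          # placeholder tenant
$clientId = "00000000-0000-0000-0000-000000000000"             # placeholder app (client) id
$certPath = "C:\certs\sqlist-app.pfx"                          # placeholder certificate

# Connect as the application itself (app-only), not as a user account.
Connect-PnPOnline -Url $siteUrl -ClientId $clientId -Tenant $tenant -CertificatePath $certPath

# ReadSecurity: 1 = users read all items, 2 = users read only items they created.
# WriteSecurity: 1 = create and edit all, 2 = create and edit own, 4 = none.
$list = Get-PnPList -Identity $listName -Includes ReadSecurity, WriteSecurity
"{0}: ReadSecurity={1} WriteSecurity={2}" -f $list.Title, $list.ReadSecurity, $list.WriteSecurity

# Items returned here are only those the connected identity is allowed to see.
# With ReadSecurity=2, an identity that has read rights but created none of the
# items gets 0 rows, which matches what the article observed with Sites.Read.All.
$items = Get-PnPListItem -List $listName
"Items visible to the app identity: {0}" -f $items.Count

# List the creator of each visible item, to compare with the Owner/Member view.
$items | ForEach-Object {
    "{0}`t{1}" -f $_.Id, $_["Author"].LookupValue
}

if ($list.ReadSecurity -eq 2 -and $items.Count -eq 0) {
    Write-Warning "Item-level read restriction is on and the app sees no items: the app identity is being treated like a Visitor on this list."
}
```

Run the script once with the application's current permission grant and again after changing it, and compare the item count with what the Owner and Member accounts see; if the count only becomes complete after granting Sites.FullControl.All, the tenant-wide scope of that permission is what you are trading for a full export of this one list.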

Should you have any questions about this article, please contact us at support@axioworks.com.