
Permissions - AppFlow Connection to SharePoint Site


Hi All.

I'm following this guide: https://docs.aws.amazon.com/appflow/latest/userguide/connectors-microsoft-sharepoint-online.html

The AppFlow appears to be requesting broad access to our Azure/SharePoint tenant and I'd like to limit access to a single SharePoint site and/or document library. I configured a MS Graph API connection using Sites.Selected to limit the SharePoint site scope, but the AppFlow configuration still wants broad access to SharePoint. This is noted in the "Requirements for using your own app registration (optional)" section of the link above.

Any advice on limiting permissions or another approach?

Thanks!

1 Answer

Hi BA,

I understand you’re looking to limit the permissions AWS AppFlow requests when connecting to a Microsoft SharePoint site. It sounds like you’ve already scoped permissions using Sites.Selected but AppFlow is still requesting broader access. Let’s tackle this together.

Clarifying the Issue

AWS AppFlow connects to SharePoint Online via the Microsoft Graph API. While Sites.Selected helps restrict access to specific sites, AppFlow may still require Sites.ReadWrite.All to ensure a seamless integration. This behavior can pose challenges for organizations aiming to enforce stricter security controls.

Key Terms

  • AppFlow: An AWS service for transferring data between SaaS applications (like SharePoint) and AWS.
  • Microsoft Graph API: A RESTful API that enables interaction with Microsoft 365 services, including SharePoint.
  • Sites.Selected: A scoped permission limiting an app’s access to only specified SharePoint sites.
  • Azure AD App Registration: A process in Azure Active Directory that allows applications like AppFlow to authenticate and interact with SharePoint.

The Solution (our Recipe)

  1. Use Sites.Selected to Scope Down Access

    • In Azure AD, confirm your AppFlow app registration has Sites.Selected permissions.
    • Use PowerShell to manually grant access to specific sites:
      Connect-MgGraph -Scopes "Sites.FullControl.All"   # Microsoft Graph PowerShell SDK; the AzureAD module has no cmdlet for per-site grants
      $grant = @{ roles = @("read"); grantedToIdentities = @(@{ application = @{ id = "<App-Client-ID>"; displayName = "AppFlow" } }) }   # use "write" if AppFlow must write back
      New-MgSitePermission -SiteId "<Site-ID>" -BodyParameter $grant   # POST /sites/{site-id}/permissions: grants the app Sites.Selected access to this one site
      Replace <App-Client-ID> with your app registration ID and <Site-ID> with the target SharePoint site ID. This ensures AppFlow interacts only with the designated site.
  2. Test AppFlow Integration
    Validate AppFlow’s ability to pull data from the scoped SharePoint site. If it throws permission errors, AppFlow may still require Sites.ReadWrite.All to function as intended.

  3. Workaround: Use an Intermediate Storage
    If limiting permissions strictly is non-negotiable:

    • Manually pull data: Use the Microsoft Graph API (scoped to Sites.Selected) to extract data from the specific SharePoint site.
    • Store it in Amazon S3: Upload the extracted data to S3 for further processing.
    • Integrate with AppFlow: Configure AppFlow to process this sanitized S3 data instead of directly accessing SharePoint.
  4. Review AWS Documentation
    Refer to AWS AppFlow User Guide for the most up-to-date AppFlow and SharePoint integration requirements.


Closing Thoughts

While AWS AppFlow simplifies SharePoint data transfer, its reliance on Microsoft Graph API permissions can limit fine-grained control. Leveraging Sites.Selected narrows access but may require careful configuration. If strict permission boundaries are essential, an intermediate storage approach offers a robust workaround.

Let me know if you’d like more help implementing these steps—I’m happy to dive deeper into PowerShell or AWS AppFlow configurations!

Cheers, and happy building! 😊

Aaron! 🚀

answered a year ago
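After the Sites.Selected grant in the answer, a reviewer still wants proof that the app registration is not also holding a tenant-wide Sites.*.All permission and that the per-site grant carries only the intended roles. The following audit is an added example (not code from the original post, AWS or Microsoft); it works on the JSON that Microsoft Graph returns from the appRoleAssignments and /sites/{site-id}/permissions endpoints, using constructed sample responses and placeholder GUIDs.

```python
"""Least-privilege audit for an AppFlow app registration on SharePoint.
Added example, not code from the original post or from AWS/Microsoft. It checks
(1) whether the app still holds a tenant-wide Sites.*.All application permission
(appRoleAssignments resolved against the Graph service principal's appRoles) and
(2) which roles the Sites.Selected grant gives it on the one target site
(GET /sites/{site-id}/permissions). All JSON is constructed; GUIDs are placeholders."""
import json
import re

APP_ID = "00000000-0000-0000-0000-00000000aaaa"  # placeholder AppFlow client id
BROAD_SITE_ROLE = re.compile(r"^Sites\.(Read|ReadWrite|Manage|FullControl)\.All$")

# Constructed: Microsoft Graph service principal appRoles (id -> permission value).
GRAPH_SP = json.dumps({"appRoles": [
    {"id": "11111111-1111-1111-1111-111111111111", "value": "Sites.Selected"},
    {"id": "22222222-2222-2222-2222-222222222222", "value": "Sites.ReadWrite.All"},
]})
# Constructed: GET /servicePrincipals/{appflow-sp-id}/appRoleAssignments.
ASSIGNMENTS = json.dumps({"value": [
    {"appRoleId": "11111111-1111-1111-1111-111111111111"},
    {"appRoleId": "22222222-2222-2222-2222-222222222222"},
]})
# Constructed: GET /sites/{site-id}/permissions for the target site.
SITE_PERMS = json.dumps({"value": [
    {"roles": ["read"], "grantedToIdentitiesV2": [{"application": {"id": APP_ID}}]},
    {"roles": ["write"], "grantedToIdentitiesV2": [{"application": {"id": "bbbb-other-app"}}]},
]})

def broad_site_permissions(graph_sp_json, assignments_json):
    """Return the tenant-wide Sites.*.All permission values the app currently holds."""
    names = {r["id"]: r["value"] for r in json.loads(graph_sp_json)["appRoles"]}
    held = {names.get(a["appRoleId"], a["appRoleId"])
            for a in json.loads(assignments_json).get("value", [])}
    return sorted(v for v in held if BROAD_SITE_ROLE.match(v))

def site_roles_for_app(site_perms_json, app_id):
    """Return the roles granted to app_id on this site (the Sites.Selected grant)."""
    roles = set()
    for entry in json.loads(site_perms_json).get("value", []):
        idents = entry.get("grantedToIdentitiesV2") or entry.get("grantedToIdentities") or []
        if any((i.get("application") or {}).get("id") == app_id for i in idents):
            roles.update(r.lower() for r in entry.get("roles", []))
    return roles

def audit(graph_sp_json, assignments_json, site_perms_json, app_id, allowed=("read",)):
    """Verdict: ok only if no Sites.*.All is held and the site grant stays within `allowed`."""
    broad = broad_site_permissions(graph_sp_json, assignments_json)
    excess = site_roles_for_app(site_perms_json, app_id) - set(allowed)
    return {"broad": broad, "excess_site_roles": sorted(excess), "ok": not broad and not excess}
```

Run it against the real responses after the grant: an empty `broad` list and an empty `excess_site_roles` list is the state the question is asking for; a non-empty `broad` list means the registration still carries the tenant-wide permission the Sites.Selected grant was meant to replace.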
