3. “Originally I wanted to talk about M365 Copilot but then it turned out I am such a fool that even Copilot didn’t want to play with me …”
– The presenter
4. Agenda
About
• Me
Authentication
• SP Rest vs Graph
• SSO
• Credential Handling
Managed Identities
• Permissions
SPFx & 3rd party API
• MSGraphClient
• AadHttpClient
• Domain isolated?
Permission Scope
• App
• Delegated
• RSC
Summary
• Wrap up
• Resources
• Q&A
5. About me
• Markus Moeller
• Microsoft 365 Developer Expert
• Microsoft MVP
• Microsoft 365 & Power Platform Community (PnP) team member
• Avanade Germany
• @moeller2_0
• https://mmsharepoint.wordpress.com
• Proud dad of 1 (3yrs)
• Cancer fighter
6. Authentication
SPFx
• User context login established
• “No need to care for”
• MSGraphClient
  • Prepped ServicePrincipal
  • Tenant-wide access
• AadHttpClient
  • Prepped ServicePrincipal
  • Tenant-wide access (to backend process only)
“Other” app
• Context ID / bootstrap token → SSO
• MSAL2
• App-individual access
• More effort
9. Azure Key Vault
• Read/Write from the application
• Access via code or a SecretUri reference in the App Service configuration
• Auth via secret endpoint / Managed Identity
• Azure App Configuration is, by the way, a similar service for less sensitive values
10. Managed Identities
• Can simply be added to “any” Azure resource
• No credential / secret / key management
• User-assigned Managed Identities can be shared across several resources
• NO multi-tenant
• (Graph) permissions have to be applied via code (PS, REST, …)
  • To the ServicePrincipal only
  • Graph / SPO permissions are “app only”
19. Delegated vs App permissions
User Delegated
• Access to resources of a kind “the user” has access to
• User access needs to be granted
• Eventually “Create”, too
• User login / token needed for operations
Application
• Access to ALL resources of a kind
• Access without a user
• Unattended processes
• Can be partially limited by “.Selected” (RSC)
20. Use delegated permissions
• Benefit from user login / context / SSO
• Grant users access to all data / resources needed
• Users should be able to create resources and take ownership
• Do you really think your app is the only one that can treat your data / resources in the right manner?
21. If app permissions are needed
• Use the LOWEST permissions possible
• Try to restrict by resource-specific consent (RSC)
• MAXIMIZE restriction to your app
• Limit access to the appId to a small number of programmers / admins
• Take care of the code base
22. RSC (resource-specific consent)
• One app creates the resource (with higher privileges)
  • Teams team, SharePoint site
• Enables another app on this one resource only
  • App permission Sites.Selected
25. RSC – Q2 / 2024
• SharePoint: application site creation without Sites.FullControl.All
  • Sites.Create.All
• More granular RSC permissions are also on the way
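The Sites.Selected model from slides 21–25 only limits an app if the per-site grants actually stay at the lowest role. As an added example (not from the deck or the speaker), this Python audit builds the Graph v1.0 request body used to grant a Sites.Selected app access to one site and walks a `GET /sites/{site-id}/permissions` response to flag grants whose roles exceed an allowed set; the sample response, app ids and the allowed-role set are constructed assumptions.

```python
import json
import urllib.request

# Assumption: the roles an admin tolerates for Sites.Selected grants on this
# site. Anything beyond these is reported by the audit.
ALLOWED_ROLES = {"read"}


def build_grant_body(app_id: str, display_name: str, roles):
    """Body for POST /sites/{site-id}/permissions (Graph v1.0): grant one
    Sites.Selected app the given roles on exactly this site."""
    return {
        "roles": list(roles),
        "grantedToIdentities": [
            {"application": {"id": app_id, "displayName": display_name}}
        ],
    }


def find_overprivileged(permissions: dict, allowed_roles=ALLOWED_ROLES):
    """Return (appId, displayName, extra_roles) for every grant in a
    GET /sites/{site-id}/permissions response whose roles exceed allowed_roles."""
    findings = []
    for perm in permissions.get("value", []):
        extra = sorted(set(perm.get("roles", [])) - set(allowed_roles))
        if not extra:
            continue
        # Newer responses carry grantedToIdentitiesV2; older ones grantedToIdentities.
        identities = perm.get("grantedToIdentitiesV2") or perm.get("grantedToIdentities") or []
        for ident in identities:
            app = ident.get("application", {})
            findings.append((app.get("id"), app.get("displayName"), extra))
    return findings


def fetch_site_permissions(site_id: str, access_token: str) -> dict:
    """Live call; needs an admin-level token. Not used by the offline sample below."""
    req = urllib.request.Request(
        f"https://graph.microsoft.com/v1.0/sites/{site_id}/permissions",
        headers={"Authorization": f"Bearer {access_token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample response (not captured from a real tenant).
SAMPLE_RESPONSE = {"value": [
    {"id": "p1", "roles": ["read"],
     "grantedToIdentitiesV2": [{"application": {"id": "00000000-0000-0000-0000-000000000001", "displayName": "Reader App"}}]},
    {"id": "p2", "roles": ["write", "fullcontrol"],
     "grantedToIdentities": [{"application": {"id": "00000000-0000-0000-0000-000000000002", "displayName": "Reporting Bot"}}]},
]}

if __name__ == "__main__":
    for app_id, name, extra in find_overprivileged(SAMPLE_RESPONSE):
        print(f"{name} ({app_id}) holds roles beyond policy: {extra}")
```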
26. Summary – Key takeaways
• Security is a moving target
• Always challenge: least privilege
• Sample code / snippets are simplified to demonstrate (mine, too!!!)
  • Always challenge before taking into Prod
• AI doesn’t help here so far 😜
• Security usually makes dev more complex
  • Convince your client: more effort → more security
• Nevertheless, there is great functionality / tooling out there
  • Get to know it → NOW!
• RSC, especially with SharePoint, is becoming a gamechanger in 2024 …
27. Resources
• M365 Development Security - From full trust to ZeroTrust (pnp.github.io)
• Speaker's blog
  • On this specific topic
• Azure Key Vault