Microsoft Graph API: Limiting MSAL Python Daemon app to individual user access

3
votes

I am building a Python Daemon app to download files which are accessible to an individual O365 user via Graph API. I am trying to use ConfidentialClientApplication class in MSAL for authorization.

In my understanding - this expects “Application Permissions” (the API permission in Azure AD) and not “Delegated permissions” for which, admin has to consent Files.Read.All.

So the questions I have are:

  1. Does this mean, my app will have access to all the files in the organization after the admin consent?
  2. How do I limit access to a Daemon app to the files which only an individual user (my O365 user/UPN) has access to?
  3. Should I be rather be using a different auth flow where a user consent be also part of the flow: such as on-behalf-of (or) interactive (or) username password?

Thanks!

1
pythonazuremicrosoft-graph-apimsal

1 Answers

4
votes

Does this mean, my app will have access to all the files in the organization after the admin consent?

Yes, it is the downside of application permissions usually.

How do I limit access to a Daemon app to the files which only an individual user (my O365 user/UPN) has access to?

I'm pretty sure you can't limit a daemon app's OneDrive access. You can for example limit Exchange access for a daemon app.

Should I be rather be using a different auth flow where a user consent be also part of the flow: such as on-behalf-of (or) interactive (or) username password?

It would certainly allow you to limit the access to a specific user. In general I recommend that you do not use username+password (ROPC); it won't work any way if your account has e.g. MFA. The more secure approach would be that you need to initialize the daemon app once with Authorization Code flow. This gives your app a refresh token that it can then use to get an access token for the user when needed (and a new refresh token). Note it is possible for refresh tokens to expire, in which case the user needs to initialize the app again.