docs: Add FileStorageContainerTypeReg.Manage.All and CT owner self-service registration #10752
gnjoseph wants to merge 1 commit into SharePoint:main from
Conversation
PoliCheck Scan Report: The following report lists PoliCheck issues in PR files. Before you merge the PR, you must fix all severity-1 and severity-2 issues. The AI Review Details column lists suggestions for either removing or replacing the terms. If you find a false positive result, mention it in a PR comment and include this text: #policheck-false-positive. This feedback helps reduce false positives in future scans. ✅ No issues found

Learn Build status updates of commit c2292e0: ✅ Validation status: passed. For more details, please refer to the build report.
…tration - Add FileStorageContainerTypeReg.Manage.All to application permissions list - Document CT owner self-service registration for tenant-local container types - Document requirements: delegated mode, Manage.All scope, non-guest, tenant toggle - Note: Depends on SPO.Core PR #2129255 merging
c2292e0 to 35353fa
Learn Build status updates of commit 35353fa: ✅ Validation status: passed. For more details, please refer to the build report.
| [SharePoint Embedded Administrators](/entra/identity/role-based-access-control/permissions-reference#sharepoint-embedded-administrator) can manage all SharePoint Embedded applications created in the **owning** tenant. Additionally, any Microsoft Entra user that isn't an external identity can be assigned as an owner of a [container type](/graph/api/resources/filestoragecontainertype). Container type owners can manage that specific container type. To learn more about managing applications created in the owning tenant, see [SharePoint Embedded developer administrator](../administration/developer-admin/dev-admin.md). | ||
| ##### Container type owner self-service registration |
| ##### Container type owner self-service registration | |
| #### Registering SharePoint Embedded applications |
This section also needs to be listed under ### User permissions.
Make the text below about registering SPE apps. So mention that SPE or Global Administrators can register SPE Apps, blablabla. Additionally, CT.owners can register their local container types. Very similar to the sections above.
| Container type owners can register their container types in tenants where the container type is local (owning tenant equals consuming tenant). This requires: | ||
| - The application has `FileStorageContainerTypeReg.Manage.All` delegated permission |
| - The application has `FileStorageContainerTypeReg.Manage.All` delegated permission |
This is in the User permissions section, don't mix with application permissions
| - The application has `FileStorageContainerTypeReg.Manage.All` delegated permission | ||
| - The calling user is a container type owner (appears in the permissions collection on the container type) | ||
| - The call is delegated (not app-only) |
| - The call is delegated (not app-only) |
This is in the User permissions section, this is obvious.
| - The application has `FileStorageContainerTypeReg.Manage.All` delegated permission | ||
| - The calling user is a container type owner (appears in the permissions collection on the container type) | ||
| - The call is delegated (not app-only) | ||
| - The calling user is not a guest user |
Link to an Entra page describing what a guest user is?
| - The calling user is a container type owner (appears in the permissions collection on the container type) | ||
| - The call is delegated (not app-only) | ||
| - The calling user is not a guest user | ||
| - Self-service container type registration is enabled on the tenant. This setting is enabled by default. SharePoint Embedded Administrators or Global Administrators can manage this setting using [SharePoint Online PowerShell](/powershell/module/sharepoint-online/set-spotenant): |
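Review bot: the last bullet says the tenant toggle can be managed with Set-SPOTenant but never names the parameter, so a reader cannot verify the current value or turn self-service registration off from this text; name the parameter (or link its anchor on the cmdlet page) and state which value disables it, since the bullet also says the setting is enabled by default and a tenant that wants only admin-driven registration needs to know how to change that.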
| - Self-service container type registration is enabled on the tenant. This setting is enabled by default. SharePoint Embedded Administrators or Global Administrators can manage this setting using [SharePoint Online PowerShell](/powershell/module/sharepoint-online/set-spotenant): | |
| - Self-service container type registration is enabled on the tenant. |
The part that follows should go into the appropriate article and linked from this bullet point. This is not the right place for it--too verbose. Probably the article on owning tenant admins.
| - Optionally add: `FileStorageContainer.Selected` (type: `Role`, ID: `40dc41bc-0f7e-42ff-89bd-d9516947e474`) to access the container on _consuming_ tenants without a user | ||
| 1. [Grant admin consent](/entra/identity-platform/v2-admin-consent) to your application on a _consuming_ tenant (which can be the same as the owning tenant). | ||
| 1. [Register the container type](../getting-started/register-api-documentation.md) on the _consuming_ tenant. | ||
| 1. Remove `FileStorageContainerTypeReg.Selected` from your application's manifest after registration is complete. |
Nope, FSCTR.Selected should always be part of the manifest because it allows managing the registration in the consuming tenant. But, most importantly, if it wants to register in a different tenant, this will be required.
| - [FileStorageContainerType.Manage.All](/graph/permissions-reference#filestoragecontainermanageall) to allow an application to create and manage container types on the owning tenant. This permission is only needed on the owning tenant where the container type is created. | ||
| - [FileStorageContainerTypeReg.Selected](/graph/permissions-reference#filestoragecontainertyperegselected) to allow an application to register the container type on consuming tenants. | ||
| - [FileStorageContainerTypeReg.Manage.All](/graph/permissions-reference#filestoragecontainertyperegmanageall) to allow an application to manage file storage container type registrations on behalf of the signed-in user. |
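Review bot: the third bullet adds FileStorageContainerTypeReg.Manage.All to the application permissions list but describes it as acting "on behalf of the signed-in user", which is delegated semantics, and the earlier self-service bullets require it as a delegated permission; either move this bullet to the user permissions section or reword it so the reader is not led to grant a Manage.All application permission that the self-service flow does not use.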
This section is not meant to be exhaustive of all the SPE app permissions, just the ones required to get started with SPE. No Manage.All app perm should be required. Unfortunately, FSCT does not have a .Selected version. But FSCTR does (the one right above).
| - [FileStorageContainerTypeReg.Manage.All](/graph/permissions-reference#filestoragecontainertyperegmanageall) to allow an application to manage file storage container type registrations on behalf of the signed-in user. |
Category
What's in this Pull Request?
Documents the FileStorageContainerTypeReg.Manage.All permission and container type owner self-service registration capability: