docs/embedded/development/auth.md (17 additions & 1 deletion)
@@ -36,7 +36,8 @@ SharePoint Embedded operations are exposed via Microsoft Graph. SharePoint Embed
SharePoint Embedded applications need to request the following Microsoft Graph permissions in their application manifest to work with SharePoint Embedded:
-[FileStorageContainerType.Manage.All](/graph/permissions-reference#filestoragecontainermanageall) to allow an application to create and manage container types on the owning tenant. This permission is only needed on the owning tenant where the container type is created.
-
-[FileStorageContainerTypeReg.Selected](/graph/permissions-reference#filestoragecontainertyperegselected) to allow an application to register the container type on consuming tenants.
+
-[FileStorageContainerTypeReg.Selected](/graph/permissions-reference#filestoragecontainertyperegselected) to allow an application to register the container type on consuming tenants. This permission is intended for the owning application.
+
-[FileStorageContainerTypeReg.Manage.All](/graph/permissions-reference#filestoragecontainertyperegmanageall) to allow an application to manage file storage container type registrations on behalf of the signed-in user. This permission is used by non-owning applications and administrative tools.
-[FileStorageContainer.Selected](/graph/permissions-reference#filestoragecontainerselected) to allow an application to access containers of the given container type on consuming tenants.
#### Access on behalf of a user
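Review bot: the three `FileStorageContainerTypeReg.*` bullets now describe mutually exclusive roles (`.Selected` is "intended for the owning application", `.Manage.All` is "used by non-owning applications and administrative tools"), yet the list intro still says applications "need to request the following" permissions, which reads as all of them; reword the intro so it says which of these an application requests depends on whether it is the owning application, an application on a consuming tenant, or an administrative tool. The new `.Manage.All` bullet also says it acts "on behalf of the signed-in user" without stating that it is a delegated permission, and none of the Reg bullets say delegated or application; since the self-service section later in this diff makes "delegated (not app-only)" a hard requirement for `.Manage.All`, state for each bullet whether it is delegated, application, or both, and which tenant consents to it (the `FileStorageContainerType.Manage.All` bullet already does this with "only needed on the owning tenant").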
@@ -132,6 +133,21 @@ Specific items in a container can be shared with users via the [driveItem invite
[SharePoint Embedded Administrators](/entra/identity/role-based-access-control/permissions-reference#sharepoint-embedded-administrator) can manage all SharePoint Embedded applications created in the **owning** tenant. Additionally, any Microsoft Entra user that isn't an external identity can be assigned as an owner of a [container type](/graph/api/resources/filestoragecontainertype). Container type owners can manage that specific container type. To learn more about managing applications created in the owning tenant, see [SharePoint Embedded developer administrator](../administration/developer-admin/dev-admin.md).
+
##### Container type owner self-service registration
+
+
Container type owners can register their container types in tenants where the container type is local (owning tenant equals consuming tenant). This requires:
+
+
- The application has `FileStorageContainerTypeReg.Manage.All` delegated permission
+
- The calling user is a container type owner (appears in the permissions collection on the container type)
+
- The call is delegated (not app-only)
+
- The calling user is not a guest user
+
- The tenant administrator has not disabled self-service container type registration
+
+
This enables developers to register their own container types without requiring a SharePoint Embedded Administrator to perform the registration on their behalf.
+
+
> [!NOTE]
+
> Self-service registration is only available for tenant-local container types. Container type owners exist only in the owning tenant and are not propagated to consuming tenants. For cross-tenant registration scenarios, use `FileStorageContainerTypeReg.Selected` with the owning application.
+
### Exceptional access patterns
Currently, there are two types of operations with exceptional access patterns:
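Review bot: the five preconditions are listed but the section never names the request they gate or what the caller sees when one fails; link to the container type registration call the owner makes, and state the failure behaviour for the common cases (app-only token, guest caller, tenant setting disabled) so a developer can tell a missing `FileStorageContainerTypeReg.Manage.All` grant apart from an administrator having disabled self-service. The last bullet, "The tenant administrator has not disabled self-service container type registration", should also say what the default is and link to where the administrator changes it, since nothing else in this diff mentions that setting. Minor: the first bullet already requires the permission to be "delegated" and the third bullet repeats "The call is delegated (not app-only)"; merging them into one bullet avoids stating the same requirement twice.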