Why is application permission granted so much privilege on Azure?

Question

I am trying to access files on my SharePoint site from AWS Lambda. From various articles from learn.microsoft, I would require to register an application and add API permission 'Files.Read.All' to my application.

However, the mentioned permission grants my application to read all files in all sites, but I only want my application to be able to read the files in my site (principal of least privilege).

So why is Azure giving application permission so much privilege? Or is there other permissions that I should be giving to my application?

EDIT: As asked on why this is related to Azure, I believe my AWS Lambda would need an access token before I can call any SharePoint API, and in order for the access token to have related permissions, I would need to register app > grant permission.

Answer 1

Note that: You can restrict the Azure AD application to access specific SharePoint site collections but cannot restrict access to specific files or folders.

To restrict the Azure AD application to particular SharePoint site, grant the below API permission:

And make use of below PowerShell script:

$siteUrl = “https://xxx.sharepoint.com/sites/testruk”
$clientId = “ClientID” 
$certThumbprint = “Thumbprint” 
$tenant = “xxx.onmicrosoft.com”

Connect-PnPOnline -Url $siteUrl -Interactive
$writeperm = Grant-PnPAzureADAppSitePermission -Permissions “Write” -Site $siteUrl -AppId $clientId -DisplayName “PowerShell-SharepointOnline”
$PermissionId = Get-PnPAzureADAppSitePermission -AppIdentity $clientId
Set-PnPAzureADAppSitePermission -Site $siteurl -PermissionId $(($PermissionId).Id) -Permissions “FullControl”

I am able to access the SharePoint site using the application:

Connect-PnPOnline -Url $siteUrl -ClientId $clientId -Thumbprint $certThumbprint -Tenant $tenant

When I tried to access another SharePoint site, I got 403 error:

• Microsoft Graph permissions are tenant wide and cannot be restricted.
• If the Files.Read.All application permission granted has been granted to the application, then application will be able to access files from any OneDrive in the organization and it cannot be restricted.
• Full level access permissions are given to the Azure AD App if it is granted application type permissions.

References:

How to allow my app without user to access ONLY specific drive or folder - Microsoft Q&A by Vasil Michev

Graph API - Restrict OneDrive/Sharepoint Access when using "Files.ReadWrite.All" and "Sites.ReadWrite.all" Permissions - Microsoft Q&A by CarlZhao-MSFT