24Flow Customer Documentation

Step 3: Set up API Permissions in Azure - Graph API

API Permissions

24Files operates using delegated permissions because it is designed to work with an integration user rather than relying on the client credentials grant flow. As a result, application permissions (which are typically used in system-to-system authentication) are not supported in 24Files.

Microsoft Graph Permissions

We will configure Microsoft Graph permissions.

Navigate to API permissions in the Azure portal. Click on Add a permission, scroll down and select Microsoft Graph.

Now select ‘Delegated permissions’. Use the search bar to quickly navigate to the options below.

Select the following options:

  • Files.ReadWrite.All

  • offline_access

  • openid

  • Sites.ReadWrite.All

  • User.Read

After selecting these options, click “update permissions”.

A few more words on the permissions:

Files.ReadWrite.All — access to files you can access (read/write)

This allows 24Files to create, read, update, and delete files in SharePoint that you have access to. We use this to: upload files, update file versions, and manage documents in the connected location.

Sites.ReadWrite.All — access to SharePoint sites you can access (read/write)

This allows the app to create, read, update, and delete items in SharePoint site collections that you have access to. We use this to: browse SharePoint sites/libraries and write documents to the correct SharePoint library.

User.Read — basic profile information

This lets 24Files read basic profile info (name, user ID/email) to identify the signed-in user and complete the sign-in process.

openid — sign-in

This is required to sign you in securely using Microsoft.

offline_access — keep access when you are not actively signed in

This allows the app to keep the connection active (via a refresh token) so it does not require you to log in again each time and can continue to perform authorized actions without interrupting users.

Important notes

  • 24Files can only access files/sites that the signed-in user is allowed to access in SharePoint, as we make use of delegated permissions.

  • Because read/write permissions include delete capability, we recommend:

    • connecting with a dedicated service account (if your IT policy requires it), and/or

    • restricting that account’s SharePoint access to only the libraries needed for the integration.


Click “Grant admin consent for {your_company}” next to “Add a permission”.

After you have granted the permissions as described above, they should look as follows:

[Image: screenshot of the granted API permissions in the Azure portal]
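
To check the result outside the portal, the following added example (not part of the 24Flow documentation) compares the delegated grants recorded for the app with the five scopes listed above and reports missing or extra scopes. It assumes you have saved the JSON returned by Microsoft Graph's oauth2PermissionGrants listing for the app's service principal; the sample response, its placeholder IDs and the function name `audit_grants` are constructed for illustration.

```python
import json

# Delegated scopes listed in this guide.
EXPECTED_SCOPES = {
    "Files.ReadWrite.All", "offline_access", "openid",
    "Sites.ReadWrite.All", "User.Read",
}

# Constructed sample shaped like a Microsoft Graph
# GET /oauth2PermissionGrants response; all IDs are placeholders.
SAMPLE_RESPONSE = json.loads("""
{"value": [
  {"clientId": "<service-principal-object-id>",
   "consentType": "AllPrincipals",
   "principalId": null,
   "resourceId": "<graph-service-principal-id>",
   "scope": " Files.ReadWrite.All offline_access openid Sites.ReadWrite.All User.Read Mail.Read"},
  {"clientId": "<service-principal-object-id>",
   "consentType": "Principal",
   "principalId": "<user-object-id>",
   "resourceId": "<graph-service-principal-id>",
   "scope": "User.Read"}
]}
""")


def audit_grants(response, expected=EXPECTED_SCOPES):
    """Compare tenant-wide delegated grants with the documented scope list."""
    want = {s.casefold(): s for s in expected}
    admin_scopes, user_grants = {}, []
    for grant in response.get("value", []):
        # The scope field is a space-separated string and may start with a space.
        scopes = (grant.get("scope") or "").split()
        if grant.get("consentType") == "AllPrincipals":
            # Admin consent is recorded as a grant for all principals.
            admin_scopes.update({s.casefold(): s for s in scopes})
        else:
            user_grants.append((grant.get("principalId"), sorted(scopes)))
    return {
        "admin_consent": bool(admin_scopes),
        "missing": sorted(v for k, v in want.items() if k not in admin_scopes),
        "extra": sorted(v for k, v in admin_scopes.items() if k not in want),
        "per_user_grants": user_grants,
    }


if __name__ == "__main__":
    print(json.dumps(audit_grants(SAMPLE_RESPONSE), indent=2))
```

An empty "missing" list with "admin_consent" true matches the state this step aims for; anything under "extra" is a delegated scope beyond what this guide asks for and is worth reviewing.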