From 6a64e4658ae5580c0938b0cdf6129c5d5e8a7b0e Mon Sep 17 00:00:00 2001 From: Diego Luces Date: Fri, 20 Mar 2026 11:28:54 -0700 Subject: [PATCH 1/8] Remove Container.Selected references for SharePoint Embedded The application permission "Container.Selected" on the SharePoint resource is not required anymore. This change removes all refs to this app permission in the authn & authz article. --- docs/embedded/development/auth.md | 35 +++---------------------------- 1 file changed, 3 insertions(+), 32 deletions(-) diff --git a/docs/embedded/development/auth.md b/docs/embedded/development/auth.md index b9804e703..4f04106a7 100644 --- a/docs/embedded/development/auth.md +++ b/docs/embedded/development/auth.md @@ -1,7 +1,7 @@ --- title: SharePoint Embedded Authentication and Authorization description: This article describes the authentication and authorization model for SharePoint Embedded applications. -ms.date: 01/20/2026 +ms.date: 03/20/2026 ms.localizationpriority: high --- 
@@ -59,39 +59,12 @@ SharePoint Embedded operations [without a user](/graph/auth-v2-service) require Currently, there are two types of operations with exceptional access patterns: -- [Operations not exposed via Microsoft Graph](#operations-not-exposed-via-microsoft-graph) - [Operations involving searching SharePoint Embedded content](#operations-involving-searching-sharepoint-embedded-content) - [Operations that require a user license](#operations-that-require-a-user-license) > [!IMPORTANT] > Consider the repercussions of these exceptional access patterns on how your application and other applications can access SharePoint Embedded content in your container type. -#### Operations not exposed via Microsoft Graph - -There is one scenario that isn't accessible via Microsoft Graph today: - -- [SharePoint Embedded agent](./declarative-agent/spe-da.md) exposed via SharePoint REST API v2 permissions. - -To use the [SharePoint Embedded agent](./declarative-agent/spe-da.md) experience (in Preview stage) in your application, you need the `Container.Selected` permission on the `Office 365 SharePoint Online` resource: - -| Scope name | Scope ID | Type | Operation | -| :-------------------: | :----------------------------------: | :---------: | :-----------------------------------------------------------------------------------------------: | -| Container.Selected | 19766c1b-905b-43af-8756-06526ab42875 | Application | In the context of SharePoint Embedded, enables container type registration on a consuming tenant. | - -> [!NOTE] -> The `Container.Selected` permission is a hidden permission and won't show up in the Microsoft Entra admin consent experience. See [Granting admin consent for hidden permissions](#granting-admin-consent-for-hidden-permissions) for more details. 
- -##### Granting admin consent for hidden permissions - -[Granting admin consent](/entra/identity-platform/v2-admin-consent) for applications requesting hidden permission MUST be done by using the [admin consent URL](/entra/identity-platform/v2-admin-consent#request-the-permissions-from-a-directory-admin). Provide the consent URL to the Microsoft Entra directory administrator and ensure they [confirm a successful response](/entra/identity-platform/v2-admin-consent#successful-response). The consent URL may look like this: - -```http -https://login.microsoftonline.com/{tenant}/v2.0/adminconsent?client_id={client_id}&redirect_uri={redirect_uri}&scope={tenant_root_site_url}/.default -``` - -> [!IMPORTANT] -> Do not use the App registrations pane in the Azure portal to grant admin consent for applications that request hidden permissions. The App registrations pane will fail to validate the requested hidden permissions and will remove them from the manifest. You may use the Enterprise Applications pane in the Azure portal to view the granted hidden permissions after admin consent has been granted via the admin consent URL. - #### Operations involving searching SharePoint Embedded content This section refers only to the search scenarios in [Search Content](./content-experiences/search-content.md), and not the enumeration scenarios. 
@@ -159,7 +132,7 @@ Here are some actions you can take next: 1. Configure your SharePoint Embedded [application manifest](/entra/identity-platform/reference-app-manifest#requiredresourceaccess-attribute) (you can use [Microsoft Entra PowerShell](/powershell/entra-powershell/manage-apps#assign-permissions-to-an-app) or the [Azure CLI](/cli/azure/ad/app/permission#az-ad-app-permission-add)) to request the required permissions on your _owning_ tenant: - Microsoft Graph (resourceAppId: `00000003-0000-0000-c000-000000000000`) - Add: `FileStorageContainerType.Manage.All` (type: `Role`, ID: `8e6ec84c-5fcd-4cc7-ac8a-2296efc0ed9b`) to create container types on the _owning_ tenant -1. [Grant admin consent](#granting-admin-consent-for-hidden-permissions) to your application on your _owning_ tenant +1. [Grant admin consent](/entra/identity-platform/v2-admin-consent) to your application on your _owning_ tenant 1. [Create a new container type](../getting-started/containertypes.md) on the _owning_ tenant. 1. Reconfigure your SharePoint Embedded [application manifest](/entra/identity-platform/reference-app-manifest#requiredresourceaccess-attribute) to request only the required permissions on consuming tenants: - Microsoft Graph (resourceAppId: `00000003-0000-0000-c000-000000000000`) 
@@ -170,8 +143,6 @@ Here are some actions you can take next: - Add: `FileStorageContainerTypeReg.Selected` (type: `Role`, ID: `2dcc6599-bd30-442b-8f11-90f88ad441dc`) to register the container type on _consuming_ tenants - Add: `FileStorageContainer.Selected` (type: `Scope`, ID: `085ca537-6565-41c2-aca7-db852babc212`) to access containers on _consuming_ tenants on behalf of users - Optionally add: `FileStorageContainer.Selected` (type: `Role`, ID: `40dc41bc-0f7e-42ff-89bd-d9516947e474`) to access the container on _consuming_ tenants without a user - - Office 365 SharePoint Online (resourceAppId: `00000003-0000-0ff1-ce00-000000000000`) - - `Container.Selected` (type: `Role`, ID: `19766c1b-905b-43af-8756-06526ab42875`) to use SharePoint Embedded Agent -1. [Grant admin consent](#granting-admin-consent-for-hidden-permissions) to your application on a _consuming_ tenant (which can be the same as the owning tenant). +1. [Grant admin consent](/entra/identity-platform/v2-admin-consent) to your application on a _consuming_ tenant (which can be the same as the owning tenant). 1. [Register the container type](../getting-started/register-api-documentation.md) on the _consuming_ tenant. 1. [Create a container](/graph/api/filestoragecontainer-post) on the _consuming_ tenant From 3ca4765c9ef1319d86f4dbe011c4a16052f3f7e6 Mon Sep 17 00:00:00 2001 From: Diego Luces Date: Fri, 20 Mar 2026 12:24:21 -0700 Subject: [PATCH 2/8] Add section for user permissions in SharePoint Embedded auth page --- docs/embedded/development/auth.md | 103 ++++++++++++++++++++---------- 1 file changed, 68 insertions(+), 35 deletions(-) diff --git a/docs/embedded/development/auth.md b/docs/embedded/development/auth.md index 4f04106a7..284391cfc 100644 --- a/docs/embedded/development/auth.md +++ b/docs/embedded/development/auth.md 
@@ -39,7 +39,7 @@ SharePoint Embedded applications need to request the following Microsoft Graph p - [FileStorageContainerTypeReg.Selected](/graph/permissions-reference#filestoragecontainertyperegselected) to allow an application to register the container type on consuming tenants. - [FileStorageContainer.Selected](/graph/permissions-reference#filestoragecontainerselected) to allow an application to access containers of the given container type on consuming tenants. -### Access on behalf of a user +#### Access on behalf of a user SharePoint Embedded operations [on behalf of a user](/graph/auth-v2-user) require applications to receive consent for Microsoft Graph [`FileStorageContainer.Selected`](/graph/permissions-reference#filestoragecontainerselected) delegated permission. This permission requires admin consent on the consuming tenant before any user from the tenant can consent to it. 
@@ -48,47 +48,16 @@ In addition to your application receiving consent for `FileStorageContainer.Sele > [!IMPORTANT] > Using SharePoint Embedded on behalf of a user is the recommended approach. This type of access enhances the security of your application. It also improves the auditability of actions performed by your application. -### Access without a user +#### Access without a user SharePoint Embedded operations [without a user](/graph/auth-v2-service) require applications to receive consent for Microsoft Graph [`FileStorageContainer.Selected`](/graph/permissions-reference#filestoragecontainerselected) application permission. This permission requires admin consent on the consuming tenant. > [!NOTE] > An administrator on the consuming tenant must consent to your application's request for permissions. Learn more [here](/entra/identity/enterprise-apps/grant-admin-consent?pivots=portal). -### Exceptional access patterns - -Currently, there are two types of operations with exceptional access patterns: - -- [Operations involving searching SharePoint Embedded content](#operations-involving-searching-sharepoint-embedded-content) -- [Operations that require a user license](#operations-that-require-a-user-license) - -> [!IMPORTANT] -> Consider the repercussions of these exceptional access patterns on how your application and other applications can access SharePoint Embedded content in your container type. - -#### Operations involving searching SharePoint Embedded content - -This section refers only to the search scenarios in [Search Content](./content-experiences/search-content.md), and not the enumeration scenarios. - -To use [Microsoft Search](/microsoftsearch/overview-microsoft-search) on SharePoint Embedded content, you must request the Delegated [`Files.Read.All`](/graph/permissions-reference#filesreadall) Microsoft Graph permission on top of `FileStorageContainer.Selected`, normally used for SharePoint Embedded access. 
During the Preview stage of this feature, the `Files.Read.All` application permission grants applications access to search capabilities on all SharePoint Embedded content. - -> [!NOTE] -> Microsoft Search support for SharePoint Embedded content is in Preview and is subject to change. The access requirements for Microsoft Search on SharePoint Embedded content will align with the SharePoint Embedded authorization model in the future. Stay tuned. - -#### Operations that require a user license - -SharePoint Embedded is designed to work without the need for end users to have any kind of Microsoft 365 product licenses assigned to them. However, there are certain operations that don't abide by this principle yet. - -##### List containers - -The [List containers](/graph/api/filestorage-list-containers?tabs=http) operation returns a `403 Forbidden` response code if called on behalf of a user who doesn't have a OneDrive. There are plans to remove this dependency soon. This dependency doesn't apply to the List containers operation when called without a user context (app-only mode). - -##### Mention users in Office documents - -The common [Office experience](./content-experiences/office-experience.md) includes reviewing documents and adding comments to those documents. For users to show up in the @mentions people picker, they need to have a Microsoft 365 license assigned to them. - ### Container type application permissions -SharePoint Embedded applications need to be granted container type application permissions by the owner application before they can access containers of the given container type. Container type application permissions are granted to applications via [container type registration](../getting-started/register-api-documentation.md). +SharePoint Embedded applications need to be granted container type application permissions by the owner application before they can access containers of the given container type. 
Container type application permissions are granted to applications via [container type registration](../getting-started/register-api-documentation.md) in a consuming tenant. | Permission | Description | | -------------------- | ------------------------------------------------------------------------------------------------------------------ | @@ -111,7 +80,22 @@ SharePoint Embedded applications need to be granted container type application p > [!NOTE] > The combination of Microsoft Graph permissions and container type application permissions encompasses the client authorization for applications. -### Container permissions +### User permissions + +Users are granted different access levels to SharePoint Embedded based on the scenario: + +- [Accessing content in containers](#accessing-content-in-containers) +- [Managing SharePoint Embedded applications installed in the consuming tenant](#managing-sharepoint-embedded-applications-installed-in-the-consuming-tenant) +- [Managing SharePoint Embedded applications created in the owning tenant](#managing-sharepoint-embedded-applications-created-in-the-owning-tenant) + +#### Accessing content in containers + +There are two ways in which users can gain access to content in containers: + +- [Container permissions](#container-permissions) +- [Access to specific items in a container](#access-to-specific-items-in-a-container) + +##### Container permissions Any user accessing a container must be a member of the container. Membership to a container [grants users container permissions](/graph/api/filestoragecontainer-post-permissions). These permissions define the access level that users have on a given container. Container permissions only apply to access on behalf of a user and not to access without a user. A SharePoint Embedded application accessing containers without a user gets the full access defined in its [container type application permissions](#container-type-application-permissions) instead. 
@@ -125,6 +109,55 @@ Any user accessing a container must be a member of the container. Membership to | Manager | This role has all the permissions a Writer has, plus the permission to manage membership of the container. | | Owner | This role has all the permissions a Manager has, plus the permission to delete containers. | +##### Access to specific items in a container + +Specific items in a container can be shared with users via the [driveItem invite](/graph/api/driveitem-invite) or the [permission create](/graph/api/driveitem-post-permissions) endpoints. Sharing grants users access to the specific items, but it doesn't grant them access to the container itself or any other item in the container. For information on the access levels supported, see [permission roles](/graph/api/resources/permission#roles-property-values). + +> [!NOTE] +> For more information about sharing, see [Sharing and permissions in SharePoint Embedded](./sharing-and-perm.md). + +#### Managing SharePoint Embedded applications installed in the consuming tenant + +[SharePoint Embedded Administrators](/entra/identity/role-based-access-control/permissions-reference#sharepoint-embedded-administrator) can manage all SharePoint Embedded applications installed in the **consuming** tenant. To learn more about managing installed applications in the consuming tenant, see [Manage SharePoint Embedded applications installed in the consuming tenant](../administration/consuming-tenant-admin/cta.md). + +> [!NOTE] +> [Global Administrators](/entra/identity/role-based-access-control/permissions-reference#global-administrator) have all the permissions that SharePoint Embedded Administrators have and more, so they can also manage SharePoint Embedded applications installed in the consuming tenant. However, you should assign the least privileged role necessary to perform administrative tasks, so using the SharePoint Embedded Administrator role is recommended for managing SharePoint Embedded applications. 
+ +#### Managing SharePoint Embedded applications created in the owning tenant + +[SharePoint Embedded Administrators](/entra/identity/role-based-access-control/permissions-reference#sharepoint-embedded-administrator) can manage all SharePoint Embedded applications created in the **owning** tenant. Additionally, any Microsoft Entra user that isn't an external identity can be assigned as an owner of a [container type](/graph/api/resources/filestoragecontainertype). Container type owners can manage that specific container type. To learn more about managing applications created in the owning tenant, see [SharePoint Embedded developer administrator](../administration/developer-admin/dev-admin.md). + +### Exceptional access patterns + +Currently, there are two types of operations with exceptional access patterns: + +- [Operations involving searching SharePoint Embedded content](#operations-involving-searching-sharepoint-embedded-content) +- [Operations that require a user license](#operations-that-require-a-user-license) + +> [!IMPORTANT] +> Consider the repercussions of these exceptional access patterns on how your application and other applications can access SharePoint Embedded content in your container type. + +#### Operations involving searching SharePoint Embedded content + +This section refers only to the search scenarios in [Search Content](./content-experiences/search-content.md), and not the enumeration scenarios. + +To use [Microsoft Search](/microsoftsearch/overview-microsoft-search) on SharePoint Embedded content, you must request the Delegated [`Files.Read.All`](/graph/permissions-reference#filesreadall) Microsoft Graph permission on top of `FileStorageContainer.Selected`, normally used for SharePoint Embedded access. During the Preview stage of this feature, the `Files.Read.All` application permission grants applications access to search capabilities on all SharePoint Embedded content. 
+ +> [!NOTE] +> Microsoft Search support for SharePoint Embedded content is in Preview and is subject to change. The access requirements for Microsoft Search on SharePoint Embedded content will align with the SharePoint Embedded authorization model in the future. Stay tuned. + +#### Operations that require a user license + +SharePoint Embedded is designed to work without the need for end users to have any kind of Microsoft 365 product licenses assigned to them. However, there are certain operations that don't abide by this principle yet. + +##### List containers + +The [List containers](/graph/api/filestorage-list-containers?tabs=http) operation returns a `403 Forbidden` response code if called on behalf of a user who doesn't have a OneDrive. There are plans to remove this dependency soon. This dependency doesn't apply to the List containers operation when called without a user context (app-only mode). + +##### Mention users in Office documents + +The common [Office experience](./content-experiences/office-experience.md) includes reviewing documents and adding comments to those documents. For users to show up in the @mentions people picker, they need to have a Microsoft 365 license assigned to them. + ## What's next Here are some actions you can take next: From 8e72f0a597966e8592baa71f664cf53ce1da2f5a Mon Sep 17 00:00:00 2001 From: Diego Luces Date: Fri, 20 Mar 2026 12:55:46 -0700 Subject: [PATCH 3/8] fixup! Add section for user permissions in SharePoint Embedded auth page --- docs/embedded/development/auth.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/embedded/development/auth.md b/docs/embedded/development/auth.md index 284391cfc..1d11be567 100644 --- a/docs/embedded/development/auth.md +++ b/docs/embedded/development/auth.md 
@@ -41,9 +41,9 @@ SharePoint Embedded applications need to request the following Microsoft Graph p #### Access on behalf of a user -SharePoint Embedded operations [on behalf of a user](/graph/auth-v2-user) require applications to receive consent for Microsoft Graph [`FileStorageContainer.Selected`](/graph/permissions-reference#filestoragecontainerselected) delegated permission. This permission requires admin consent on the consuming tenant before any user from the tenant can consent to it. +SharePoint Embedded operations [on behalf of a user](/graph/auth-v2-user) require applications to receive consent for Microsoft Graph [`FileStorageContainer.Selected`](/graph/permissions-reference#filestoragecontainerselected) delegated permission. -In addition to your application receiving consent for `FileStorageContainer.Selected` on a consuming tenant, the user that it's acting on behalf of is required to have [container permissions](#container-permissions). The effective permissions that the application has are the intersection of the application permissions and the user permissions when acting on behalf of a user. +In addition to your application receiving consent for `FileStorageContainer.Selected` on a consuming tenant, the user that it's acting on behalf of is required to have [user permissions](#user-permissions). The effective permissions that the application has are the intersection of the application permissions and the user permissions when acting on behalf of a user. > [!IMPORTANT] > Using SharePoint Embedded on behalf of a user is the recommended approach. This type of access enhances the security of your application. It also improves the auditability of actions performed by your application. 
@@ -53,11 +53,11 @@ In addition to your application receiving consent for `FileStorageContainer.Sele SharePoint Embedded operations [without a user](/graph/auth-v2-service) require applications to receive consent for Microsoft Graph [`FileStorageContainer.Selected`](/graph/permissions-reference#filestoragecontainerselected) application permission. This permission requires admin consent on the consuming tenant. > [!NOTE] -> An administrator on the consuming tenant must consent to your application's request for permissions. Learn more [here](/entra/identity/enterprise-apps/grant-admin-consent?pivots=portal). +> An administrator on the consuming tenant must consent to your application's request for permissions. To learn more, see [Grant admin consent](/entra/identity/enterprise-apps/grant-admin-consent?pivots=portal). ### Container type application permissions -SharePoint Embedded applications need to be granted container type application permissions by the owner application before they can access containers of the given container type. Container type application permissions are granted to applications via [container type registration](../getting-started/register-api-documentation.md) in a consuming tenant. +SharePoint Embedded applications need to be granted container type application permissions by the owning application before they can access containers of the given container type. Container type application permissions are granted to applications via [container type registration](../getting-started/register-api-documentation.md) in a consuming tenant. | Permission | Description | | -------------------- | ------------------------------------------------------------------------------------------------------------------ | From 5babb15c67eaa955b9c1e665590e50ff1046c0a6 Mon Sep 17 00:00:00 2001 
From: Diego Luces Date: Fri, 20 Mar 2026 13:01:48 -0700 Subject: [PATCH 4/8] Clarify ManageContent container type permission --- docs/embedded/development/auth.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/embedded/development/auth.md b/docs/embedded/development/auth.md index 1d11be567..c87224995 100644 --- a/docs/embedded/development/auth.md +++ b/docs/embedded/development/auth.md @@ -74,7 +74,7 @@ SharePoint Embedded applications need to be granted container type application p | DeletePermissions | Can delete other members (but not self) from the container for containers of this container type. | | DeleteOwnPermissions | Can remove own membership from the container for containers of this container type. | | ManagePermissions | Can add, remove (including self), or update members in the container roles for containers of this container type. | -| ManageContent | Can manage the content of the container | +| ManageContent | Can manage the content of the container (WriteContent plus discard checkout permission in app-only mode). | | Full | Has all permissions for containers of this container type. | > [!NOTE] From d09436a29aab68e9eee66d455c9a4469cbf3aa38 Mon Sep 17 00:00:00 2001 From: Diego Luces Date: Fri, 20 Mar 2026 13:45:22 -0700 Subject: [PATCH 5/8] Add note on membership types for SPE authz --- docs/embedded/development/auth.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/docs/embedded/development/auth.md b/docs/embedded/development/auth.md index c87224995..540635517 100644 --- a/docs/embedded/development/auth.md +++ b/docs/embedded/development/auth.md 
@@ -97,7 +97,12 @@ There are two ways in which users can gain access to content in containers: ##### Container permissions -Any user accessing a container must be a member of the container. Membership to a container [grants users container permissions](/graph/api/filestoragecontainer-post-permissions). These permissions define the access level that users have on a given container. Container permissions only apply to access on behalf of a user and not to access without a user. A SharePoint Embedded application accessing containers without a user gets the full access defined in its [container type application permissions](#container-type-application-permissions) instead. +Users can be assigned container permissions in two ways: + +- Direct membership. A user is directly added as a member of a container with specific permissions. +- Transitive membership. A user is a member of an [M365 group](/microsoft-365/admin/create-groups/office-365-groups) that is itself a member of a container with specific permissions. + +Membership to a container [grants users container permissions](/graph/api/filestoragecontainer-post-permissions). These permissions define the access level that users have on a given container. Container permissions only apply to access on behalf of a user and not to access without a user. A SharePoint Embedded application accessing containers without a user gets the full access defined in its [container type application permissions](#container-type-application-permissions) instead. > [!IMPORTANT] > The calling user creating a new container via delegated calls is automatically assigned the Owner role. From cd5949848973f6a671c5c9c339f1a3f57cfc2317 Mon Sep 17 00:00:00 2001 From: Diego Luces Date: Fri, 20 Mar 2026 13:49:00 -0700 Subject: [PATCH 6/8] Reformat container permissions table --- docs/embedded/development/auth.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
diff --git a/docs/embedded/development/auth.md b/docs/embedded/development/auth.md index 540635517..c55e735b2 100644 --- a/docs/embedded/development/auth.md +++ b/docs/embedded/development/auth.md @@ -107,12 +107,12 @@ Membership to a container [grants users container permissions](/graph/api/filest > [!IMPORTANT] > The calling user creating a new container via delegated calls is automatically assigned the Owner role. -| Permission | Description | -| ---------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Reader | This role allows the user to read the properties and the contents of the container. | -| Writer | This role has all the permissions a Reader has, plus the permission to create, update, and delete content inside the container, and to update applicable container properties. | -| Manager | This role has all the permissions a Writer has, plus the permission to manage membership of the container. | -| Owner | This role has all the permissions a Manager has, plus the permission to delete containers. | +| Permission | Description | +| --- | ---- | +| Reader | This role allows the user to read the properties and the contents of the container. | +| Writer | This role has all the permissions a Reader has, plus the permission to create, update, and delete content inside the container, and to update applicable container properties. | +| Manager | This role has all the permissions a Writer has, plus the permission to manage membership of the container. | +| Owner | This role has all the permissions a Manager has, plus the permission to delete containers. | ##### Access to specific items in a container From 14e541e32278dc1dc5f2dfb02119c7dec90a5be0 Mon Sep 17 00:00:00 2001 
From: Diego Luces Date: Fri, 20 Mar 2026 13:49:29 -0700 Subject: [PATCH 7/8] Clarify that Owner can restore deleted containers --- docs/embedded/development/auth.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/embedded/development/auth.md b/docs/embedded/development/auth.md index c55e735b2..6531e6d52 100644 --- a/docs/embedded/development/auth.md +++ b/docs/embedded/development/auth.md @@ -112,7 +112,7 @@ Membership to a container [grants users container permissions](/graph/api/filest | Reader | This role allows the user to read the properties and the contents of the container. | | Writer | This role has all the permissions a Reader has, plus the permission to create, update, and delete content inside the container, and to update applicable container properties. | | Manager | This role has all the permissions a Writer has, plus the permission to manage membership of the container. | -| Owner | This role has all the permissions a Manager has, plus the permission to delete containers. | +| Owner | This role has all the permissions a Manager has, plus the permission to delete containers and restore deleted containers. | ##### Access to specific items in a container From ccca998d83e6d4bb3d40c1ef3d433e0ca4997970 Mon Sep 17 00:00:00 2001 From: Diego Luces Date: Tue, 24 Mar 2026 13:33:38 -0700 Subject: [PATCH 8/8] Apply suggestion from @dluces --- docs/embedded/development/auth.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/embedded/development/auth.md b/docs/embedded/development/auth.md index 6531e6d52..e0fc816b7 100644 --- a/docs/embedded/development/auth.md +++ b/docs/embedded/development/auth.md 
@@ -72,7 +72,7 @@ SharePoint Embedded applications need to be granted container type application p | AddPermissions | Can add members to the container for containers of this container type. | | UpdatePermissions | Can update (change roles of) existing memberships in the container for containers of this container type. | | DeletePermissions | Can delete other members (but not self) from the container for containers of this container type. | -| DeleteOwnPermissions | Can remove own membership from the container for containers of this container type. | +| DeleteOwnPermission | Can remove own membership from the container for containers of this container type. | | ManagePermissions | Can add, remove (including self), or update members in the container roles for containers of this container type. | | ManageContent | Can manage the content of the container (WriteContent plus discard checkout permission in app-only mode). | | Full | Has all permissions for containers of this container type. |
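Review bot: In PATCH 1/8, hunk `@@ -59,39 +59,12 @@`, the `Container.Selected` guidance (ID `19766c1b-905b-43af-8756-06526ab42875`) is dropped without a word for applications that already requested and were granted it. The commit message says the permission is not required anymore, so consider a short note asking existing applications to remove the entry from `requiredResourceAccess` and have the grant revoked on consuming tenants, so that they do not keep an unused application permission. The hunk also deletes the `#granting-admin-consent-for-hidden-permissions` anchor. The two in-file links are updated later in this patch, but links from other articles are not visible here and are worth a search before merging.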
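Review bot: In PATCH 1/8, hunk `@@ -159,7 +132,7 @@` (and the matching step in `@@ -170,8 +143,6 @@`), "Grant admin consent" now points at `/entra/identity-platform/v2-admin-consent`, while the note reworded in PATCH 3/8 uses the same link text for `/entra/identity/enterprise-apps/grant-admin-consent?pivots=portal`. The removed IMPORTANT callout was the only stated reason to avoid the portal flow, and it applied to hidden permissions, so pick one target for both places or say in the step why the consent URL is still preferred.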
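Review bot: In PATCH 2/8, hunk `@@ -125,6 +109,55 @@`, the relocated search paragraph contradicts itself on the permission type: it asks for "the Delegated `Files.Read.All`" permission and then says "the `Files.Read.All` application permission grants applications access to search capabilities on all SharePoint Embedded content". Since the section is being moved anyway, state once whether the delegated or the application permission is meant, and say explicitly whether "all SharePoint Embedded content" includes containers of other container types, because that is the scope a consuming tenant admin is consenting to.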
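Review bot: In PATCH 3/8, hunk `@@ -41,9 +41,9 @@`, deleting "This permission requires admin consent on the consuming tenant before any user from the tenant can consent to it." leaves the delegated section silent on who can consent to `FileStorageContainer.Selected`, while the "Access without a user" section and the "What's next" steps still call for admin consent. If the requirement is unchanged, keep the sentence. If it changed, say who can consent now. The subject is also a `fixup!` commit, so it should be squashed into PATCH 2/8 before merge.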
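Review bot: In PATCH 4/8, the new `ManageContent` description "(WriteContent plus discard checkout permission in app-only mode)" is ambiguous about what "in app-only mode" qualifies. It can be read as the whole permission applying only in app-only mode, or as only the discard-checkout part being limited to app-only calls. Reword so the scope is explicit, and keep the "for containers of this container type" suffix that the neighbouring rows use.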
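Review bot: In PATCH 5/8, hunk `@@ -97,7 +97,12 @@`, the "Transitive membership" bullet does not say which role applies when a user is both a direct member and a member of a group with a different role, nor whether only Microsoft 365 groups count. Readers auditing container access need both answers, since a group membership change alters container access without touching the container's own permissions. Also spell out "Microsoft 365 group" instead of "M365 group", matching "Microsoft 365 product licenses" elsewhere in the article.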
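Review bot: In PATCH 6/8, the rewritten table keeps the header `Permission` although every row describes a role ("This role allows the user to ..."), so `Role` would be the clearer column name while the table is being touched. The separator row `| --- | ---- |` uses uneven dash counts, and the container type application permissions table in the same file keeps padded columns. Pick one table style for the article.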
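Review bot: In PATCH 8/8, the rename of `DeleteOwnPermissions` to `DeleteOwnPermission` makes it the only singular name among `AddPermissions`, `UpdatePermissions`, `DeletePermissions` and `ManagePermissions`, and the commit message ("Apply suggestion from @dluces") gives no reason. Confirm the singular form is the exact value the container type registration API accepts and say so in the commit message, since readers copy these names into registration payloads. The changed row is also one character narrower than its neighbours, so re-pad the cell to keep the table aligned.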