How to use ExternalItem.ReadWrite.OwnedBy
By Anatoly Mironov
When working with M365 Search, it’s great to follow the principle of least privilege. The ExternalItem.ReadWrite.OwnedBy permission gives you a way to restrict an application to a single connection.
The problem is that the documentation (mslearn and graph permissions) does not shed any light on how to use this permission. In our project we were about to give up and grant the broader ExternalItem.ReadWrite.All, and then we tried a few things and found a way. So today I share it with you.
Minimal path to awesome
For ExternalItem.ReadWrite.OwnedBy to work, you need to authorize the application in the connection. To do this, simply send a PATCH request to the connection endpoint in the Graph API and add the app id in the body.
To show you what you need, I have created a simple shell script with a curl call; all the details are in there. It’s pretty straightforward once you know what the endpoint and payload should look like. If you prefer PowerShell, Postman, m365-cli or something else, it should be easy to adapt the code to it. Share your thoughts and your adjustments in the comments.
I left out the token creation to keep the focus on the actual operation.
Authorize the application from the start
Another (better) way is to configure it right at the time of creating a new connection.
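Here is an added example (my own, not the author's script) covering both variants: the PATCH that authorizes an app on an existing connection, and a POST that creates a connection with the app listed in configuration.authorizedAppIds from the start. It assumes the environment variables TOKEN (a bearer token allowed to manage the connection; acquiring it is out of scope, as in the post), CONNECTION_ID, APP_ID and, for creation, NAME; the request builders are separate functions so the payload can be inspected before anything is sent.

```shell
#!/usr/bin/env sh
# Added example, not the author's script. Grants an app access to one
# Graph connector connection via configuration.authorizedAppIds.
# Assumed inputs: TOKEN, CONNECTION_ID, APP_ID and (for creation) NAME.
GRAPH_BASE="https://graph.microsoft.com/v1.0"

# JSON array of quoted app ids built from the function arguments.
json_ids() {
  ids=""
  for id in "$@"; do
    ids="${ids:+$ids,}\"$id\""
  done
  printf '[%s]' "$ids"
}

# PATCH body. The whole list is sent, so pass every app id that should
# remain authorized, not only the new one.
authorize_body() {
  printf '{"configuration":{"authorizedAppIds":%s}}' "$(json_ids "$@")"
}

# POST body for creating a connection with the app authorized from the start.
create_body() {
  id="$1"; name="$2"; shift 2
  printf '{"id":"%s","name":"%s","configuration":{"authorizedAppIds":%s}}' \
    "$id" "$name" "$(json_ids "$@")"
}

# Authorize the app on an existing connection (the PATCH from the post).
authorize_app() {
  curl -sS -X PATCH "$GRAPH_BASE/external/connections/$2" \
    -H "Authorization: Bearer $1" -H "Content-Type: application/json" \
    --data "$(authorize_body "$3")" -w '\nHTTP %{http_code}\n'
}

# Create a connection that already lists the app as authorized.
create_connection() {
  curl -sS -X POST "$GRAPH_BASE/external/connections" \
    -H "Authorization: Bearer $1" -H "Content-Type: application/json" \
    --data "$(create_body "$2" "$3" "$4")" -w '\nHTTP %{http_code}\n'
}

# Usage: TOKEN=... CONNECTION_ID=... APP_ID=... [NAME=...] sh authorize.sh
# With NAME set the connection is created; otherwise the existing one is patched.
if [ -n "${TOKEN:-}" ] && [ -n "${CONNECTION_ID:-}" ] && [ -n "${APP_ID:-}" ]; then
  if [ -n "${NAME:-}" ]; then
    create_connection "$TOKEN" "$CONNECTION_ID" "$NAME" "$APP_ID"
  else
    authorize_app "$TOKEN" "$CONNECTION_ID" "$APP_ID"
  fi
fi
```

Check the HTTP status printed at the end: a 2xx means the connection now lists the app, and the app can then operate on that one connection with ExternalItem.ReadWrite.OwnedBy only.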