Explore SharePoint Embedded App Development: From Setup to Production Ready Apps


Best Practices SharePoint Embedded

Architecture & Concepts

From an architecture perspective, any app that makes use of the SP Embedded capabilities sits on top of the SharePoint Embedded layer, which is deeply integrated into the M365 security and compliance setup within the Microsoft 365 cloud.

Layer diagram (top to bottom): custom applications / M365 apps, SharePoint Embedded, Microsoft 365 security and compliance, Microsoft Cloud.

All content is stored in so-called “containers” and is retrievable via code-centric solutions. The M365 entitlements are fully available to the content (such as document management, security, collaborative authoring, sharing, search, ECM, Purview, etc.), whereas containers and content are NOT part of the M365 entitlements (e.g. content doesn’t count towards / against storage quotas and is billed via Azure). Whether content is retrievable (through search or, for example, Copilot) can be defined in the appropriate container setting.

There are two new SPE-specific scopes (available as app-only & app+user):

  • SPO: FileStorageContainer.Selected
  • Graph: FileStorageContainer.Selected

When you get an M365 tenant, all data is now separated into these three default M365 storage partitions:

  1. SharePoint Online
  2. OneDrive
  3. SharePoint Embedded

An SPE File Storage Container is connected to exactly one Container Type (which in turn is connected to an Entra ID App registration) and is, simply said, handled as a dedicated SharePoint partition for your app. Every app has full control over its containers and their content.

Note

Every SPE container type can contain up to 100,000 containers.

Consider this picture, which shows the architectural relationships:

[Diagram: architecture relationships between app registration, container type and containers]

Think of these architectural segmentations:

  • Single-Tenant Apps: for apps where the creator of the app is also the user of the app (must be developed in the dev tenant, which is meant to be the target tenant [of the consumer])
    👉 ideal scenario for LoB solutions
  • Multi-Tenant Apps: for apps where the creator of the app developed an app / service that customers can purchase (is developed in the dev tenant which can differ from [multiple] target tenant[s])
    👉 ideal scenario for SaaS solutions

An SPE app does not require its users to hold an M365 license. An app could also be accessed from outside of M365.

Permission Model

When building SPE apps, unlike with the permission model within SharePoint Online, it is not necessary to ask a tenant admin to assign broad permission rights across the whole tenant (through Sites.ReadWrite.All). Only the FileStorageContainer.Selected permission scope has to be granted to the related app registration, so that the app itself can create & manage containers within the tenant.

Note

Permissions (roles) are always additive.

Unlike in SharePoint Online, in SPE permissions always apply to the whole container, and it is not possible to break permission inheritance.

Important

Permissions to share the app’s content outside the app can be defined for the container.
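Because roles are additive and always cover the whole container, a least-privilege review has to collapse all grants per principal before judging them. The following is an added example (not code from the original post or from Microsoft); it assumes the Graph permission listing shape for a file storage container (a `value` array of entries with `roles` and `grantedToV2`) and the four SPE roles reader < writer < manager < owner, and the permissions below are constructed sample data rather than a live tenant.

```python
"""Audit the effective roles on one SharePoint Embedded container.

Added example. Assumes the Graph permission listing shape for a
fileStorageContainer (value[] of {roles, grantedToV2}) and the SPE
roles reader < writer < manager < owner. SAMPLE_PERMISSIONS is
constructed sample data, not a real tenant response.
"""

# Rank roles so that additive grants resolve to the highest one held.
ROLE_RANK = {"reader": 1, "writer": 2, "manager": 3, "owner": 4}

# Constructed sample: what a permissions listing for one container might return.
SAMPLE_PERMISSIONS = {
    "value": [
        {"id": "p1", "roles": ["reader"],
         "grantedToV2": {"user": {"userPrincipalName": "alice@contoso.example"}}},
        {"id": "p2", "roles": ["writer"],
         "grantedToV2": {"user": {"userPrincipalName": "alice@contoso.example"}}},
        {"id": "p3", "roles": ["owner"],
         "grantedToV2": {"user": {"userPrincipalName": "svc-bot@contoso.example"}}},
        {"id": "p4", "roles": ["reader"],
         "grantedToV2": {"user": {"userPrincipalName": "guest_fabrikam.example#EXT#@contoso.example"}}},
    ]
}

def principal_of(entry):
    """Return the UPN (or a fallback id) of the principal an entry grants to."""
    user = entry.get("grantedToV2", {}).get("user", {})
    return user.get("userPrincipalName") or user.get("id") or "unknown"

def effective_roles(permissions):
    """Collapse additive grants into the single highest role per principal.

    SPE roles are additive and apply to the whole container, so a principal
    holding both a reader and a writer grant effectively has writer.
    """
    best = {}
    for entry in permissions.get("value", []):
        who = principal_of(entry)
        for role in entry.get("roles", []):
            if ROLE_RANK.get(role, 0) > ROLE_RANK.get(best.get(who), 0):
                best[who] = role
    return best

def find_excess(permissions, max_role="writer"):
    """List (principal, role, reason) for grants above max_role or to guests.

    The '#EXT#' check is a heuristic for Entra guest UPNs (assumption)."""
    limit = ROLE_RANK[max_role]
    findings = []
    for who, role in effective_roles(permissions).items():
        if ROLE_RANK[role] > limit:
            findings.append((who, role, "above least-privilege ceiling"))
        if "#EXT#" in who:
            findings.append((who, role, "external (guest) principal"))
    return findings
```

Feed the function a real listing fetched with the app's FileStorageContainer.Selected token and the findings become the review list for that container; the ceiling role is a policy choice per app.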

Billing

The billing is handled via Azure meters:

  • Storage: per GB /per day
  • Graph API: per API call
  • Data egress: per GB

Billing types differ between “Standard” (meaning the Provider incurs the billing) and “Pass through” (meaning the Customer incurs the billing).

#BishopTells