SharePoint Connector: Clarification on Files.Read.All Requirement for Graph API

[adamhaber]

The Microsoft SharePoint documentation mentions the need for the Files.Read.All permission on Microsoft Graph API. This permission grants the service principal read access to every file across all SharePoint Online sites, which raises some security and privacy concerns for us. We would like to explore whether more granular permissions could work instead.

Is Files.Read.All strictly required for the connector to function, or is it mainly recommended to ensure programmatic access to the relevant files? Alternatively, would it be feasible to use the Sites.Selected permission, assigning the read role specifically to the SharePoint Online sites involved? We are considering creating a permissions object as specified here to limit access scope.

Any guidance or clarification on this would be very helpful! Thank you for your support.