It's hard to believe that the OneDrive File Picker still doesn't have fine grained OAuth scopes in 2025. Allowing read access to the whole drive just to upload one file goes against the principle of least privilege.
> It's hard to believe that the OneDrive File Picker still doesn't have fine grained OAuth scopes in 2025
We are talking about Microsoft here.
I get a new laptop; the company allows SW installation only from an internal portal; I don't find Teams there; I ask a colleague how one installs Teams: IT said to download it from microsoft.com. ROTFL. Of course it does not need "elevated privileges" to install. Of course it is installed for every account on the computer and has access to all user files.
But some people still _believe_ the (first appeared in Win95) "most secure Windows ever" lie.
One way to avoid this problem and considerably reduce the attack surface is to:
1- Create a dummy OneDrive account.
2- Share a folder on your main OneDrive with the dummy account.
3- In the dummy account, map the shared link to a folder for easier access, as if it were a normal folder. (May not be required for some apps.)
4- Only let third-party apps access the dummy OneDrive account with its single folder.
This doesn't give any app access to your main OneDrive account, just to the files and folders under the folder you have shared with the dummy account.
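Whichever way you scope the account, the check worth making before wiring a third-party app to OneDrive is what the token it obtained actually grants. The following is an added example, not code from this thread or from Microsoft: it decodes the payload of a Microsoft-Graph-style access token and compares the `scp` (delegated) or `roles` (application) claim against the set of permissions the app genuinely needs. The permission names (`Files.ReadWrite.All`, `Files.ReadWrite.AppFolder`, `User.Read`) are real Graph scope names; the tokens and the `NEEDED` set are constructed for the demo, and the example makes no claim about which scope the File Picker itself requests.

```python
import base64
import json

# Microsoft Graph delegated permissions that grant access to the entire drive
# rather than to an app folder or to selected items. Real Graph scope names.
BROAD_FILE_SCOPES = {"Files.Read.All", "Files.ReadWrite.All"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload of a compact JWS without verifying the signature.

    Verification is deliberately skipped: this audits what a token *claims*
    to grant, run on a token you already hold. Never use this to accept a
    token presented by someone else.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def granted_scopes(token: str) -> set[str]:
    """Collect delegated (scp) and application (roles) permissions."""
    payload = decode_jwt_payload(token)
    scopes: set[str] = set()
    if "scp" in payload:          # delegated permissions: space-separated string
        scopes.update(payload["scp"].split())
    if "roles" in payload:        # application permissions: list of strings
        scopes.update(payload["roles"])
    return scopes


def audit_scopes(token: str, needed: set[str]) -> dict:
    """Report every granted permission the app did not need.

    'whole_drive' lists any scope that reaches beyond a single folder, which
    is exactly the over-grant the thread above complains about.
    """
    granted = granted_scopes(token)
    excess = granted - needed
    return {
        "granted": sorted(granted),
        "excess": sorted(excess),
        "whole_drive": sorted(granted & BROAD_FILE_SCOPES),
        "least_privilege": not excess,
    }


def _make_unsigned_token(payload: dict) -> str:
    # Constructed, unsigned token for the demo. A real Graph token is RS256-signed;
    # the audit above does not look at the signature, so an empty one suffices here.
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(payload) + "."


# Hypothetical app: it only needs to write into its own app folder and read
# the signed-in user's profile. Constructed for the example.
NEEDED = {"Files.ReadWrite.AppFolder", "User.Read", "openid", "profile"}

# Constructed token resembling a whole-drive grant (the over-privileged case).
BROAD_TOKEN = _make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "scp": "Files.ReadWrite.All User.Read openid profile",
})

# Constructed token resembling an app-folder-only grant (the least-privilege case).
NARROW_TOKEN = _make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "scp": "Files.ReadWrite.AppFolder User.Read openid profile",
})

if __name__ == "__main__":
    for name, tok in (("broad", BROAD_TOKEN), ("narrow", NARROW_TOKEN)):
        print(name, json.dumps(audit_scopes(tok, NEEDED), indent=2))
```

Run it against the access token your own app receives after consent (the `scp` claim is what Graph checks on each request); a non-empty `whole_drive` list means the dummy-account workaround, or a narrower scope, is worth the trouble.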
To summarize: "Avoid OneDrive."
> In response, Microsoft is considering future improvements
Who knows, maybe it works as intended, that's MS Windows in a nutshell
They did round the buttons in Office 365 some months ago. /s