From 26cdf324d7706726bde6575ac8c2dd56fb336b6b Mon Sep 17 00:00:00 2001 From: Li Dai Date: Fri, 10 Apr 2026 11:46:17 -0700 Subject: [PATCH 1/3] Clarify behavior when both FSC.Manage.All and FSC.Selected are granted for admin and nonadmin --- docs/embedded/development/auth.md | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/docs/embedded/development/auth.md b/docs/embedded/development/auth.md index 53354a11d..a743e9eef 100644 --- a/docs/embedded/development/auth.md +++ b/docs/embedded/development/auth.md 
@@ -41,9 +41,20 @@ SharePoint Embedded applications need to request the following Microsoft Graph p #### Access on behalf of a user -SharePoint Embedded operations [on behalf of a user](/graph/auth-v2-user) require applications to receive consent for Microsoft Graph **[FileStorageContainer.Selected](/graph/permissions-reference#filestoragecontainerselected)** delegated permission. +SharePoint Embedded operations [on behalf of a user](/graph/auth-v2-user) support two Microsoft Graph permissions: **[FileStorageContainer.Selected](/graph/permissions-reference#filestoragecontainerselected)**, which allows an application to access containers on behalf of the signed-in user, and **[FileStorageContainer.Manage.All](/graph/permissions-reference#filestoragecontainermanageall)**, which allows an application to utilize file storage container administration capabilities on behalf of an administrator. -In addition to your application receiving consent for **[FileStorageContainer.Selected](/graph/permissions-reference#filestoragecontainerselected)** on a consuming tenant, the user that it's acting on behalf of is required to have [user permissions](#user-permissions). The effective permissions that the application has are the intersection of the application permissions and the user permissions when acting on behalf of a user. +For APIs that support both **FileStorageContainer.Selected** and **FileStorageContainer.Manage.All** permissions, the effective access depends on the permissions granted to the application and whether the user is an administrator. 
+ +| User | Permissions granted | Effective access | +| :--------------- | :------------------------------------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Administrator | FileStorageContainer.Selected | The application can access containers on behalf of the user as a nonadministrator. Administrator capabilities aren't applicable. | +| Administrator | FileStorageContainer.Manage.All | The application utilizes file storage container administration capabilities on behalf of the administrator. | +| Administrator | FileStorageContainer.Selected, FileStorageContainer.Manage.All | The application utilizes file storage container administration capabilities on behalf of the administrator. FileStorageContainer.Selected isn't applicable. | +| Nonadministrator | FileStorageContainer.Selected | The application can access containers on behalf of the nonadministrator user. | +| Nonadministrator | FileStorageContainer.Manage.All | Access denied. | +| Nonadministrator | FileStorageContainer.Selected, FileStorageContainer.Manage.All | The application can access containers on behalf of the nonadministrator user. FileStorageContainer.Manage.All isn't applicable. | + +In addition to your application receiving consent for the required permissions on a consuming tenant, the user that it's acting on behalf of is required to have [user permissions](#user-permissions). The effective permissions that the application has are the intersection of the application permissions and the user permissions when acting on behalf of a user. > [!IMPORTANT] > Using SharePoint Embedded on behalf of a user is the recommended approach. This type of access enhances the security of your application. It also improves the auditability of actions performed by your application. From a9e0f9bf91321c81ea92c4287dd37086165395d0 Mon Sep 17 00:00:00 2001 
From: Li Dai Date: Fri, 10 Apr 2026 12:17:49 -0700 Subject: [PATCH 2/3] fix filestoragecontainertypemanageall link --- docs/embedded/development/auth.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/embedded/development/auth.md b/docs/embedded/development/auth.md index a743e9eef..a752678a6 100644 --- a/docs/embedded/development/auth.md +++ b/docs/embedded/development/auth.md @@ -35,7 +35,7 @@ SharePoint Embedded operations are exposed via Microsoft Graph. SharePoint Embed SharePoint Embedded applications need to request the following Microsoft Graph permissions in their application manifest to work with SharePoint Embedded: -- **[FileStorageContainerType.Manage.All](/graph/permissions-reference#filestoragecontainermanageall)** to allow an application to create and manage container types on the owning tenant. This permission is only needed on the owning tenant where the container type is created. +- **[FileStorageContainerType.Manage.All](/graph/permissions-reference#filestoragecontainertypemanageall)** to allow an application to create and manage container types on the owning tenant. This permission is only needed on the owning tenant where the container type is created. - **[FileStorageContainerTypeReg.Selected](/graph/permissions-reference#filestoragecontainertyperegselected)** to allow an application to register the container type on consuming tenants. - **[FileStorageContainer.Selected](/graph/permissions-reference#filestoragecontainerselected)** to allow an application to access containers of the given container type on consuming tenants. From 3664737ba6cfcdde2535d4198e8f2a49c2dc5770 Mon Sep 17 00:00:00 2001 From: Li Dai Date: Fri, 10 Apr 2026 12:19:50 -0700 Subject: [PATCH 3/3] update date --- docs/embedded/development/auth.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/embedded/development/auth.md b/docs/embedded/development/auth.md index a752678a6..2d53c441f 100644 --- a/docs/embedded/development/auth.md 
+++ b/docs/embedded/development/auth.md @@ -1,7 +1,7 @@ --- title: SharePoint Embedded Authentication and Authorization description: This article describes the authentication and authorization model for SharePoint Embedded applications. -ms.date: 04/02/2026 +ms.date: 04/10/2026 ms.localizationpriority: high ---
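Review bot: In the PATCH 1/3 hunk at `@@ -41,9 +41,20 @@`, the new table keys every row on whether the user is an "Administrator", but the hunk never says which role(s) qualify, even though the outcome differs sharply (an administrator holding only FileStorageContainer.Selected is treated as a nonadministrator, and a nonadministrator holding only FileStorageContainer.Manage.All gets "Access denied"). Add a sentence or link defining the administrator role before the table, retitle the "Permissions granted" column "Delegated permissions granted" so it is not confused with application permissions, and make the lead sentence "For APIs that support both **FileStorageContainer.Selected** and **FileStorageContainer.Manage.All** permissions" point at which APIs those are (or state that APIs supporting only FileStorageContainer.Selected are unaffected by the table).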
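Review bot: The anchor fix in the PATCH 2/3 hunk at `@@ -35,7 +35,7 @@` (`#filestoragecontainermanageall` to `#filestoragecontainertypemanageall`) is correct, but the permission list in that hunk still names only FileStorageContainerType.Manage.All, FileStorageContainerTypeReg.Selected and FileStorageContainer.Selected, while PATCH 1/3 introduces FileStorageContainer.Manage.All as a supported delegated permission for operations on behalf of an administrator. Add a bullet for FileStorageContainer.Manage.All here, stating that it is needed only when the application uses container administration capabilities, so the list matches the new section and applications that do not need those capabilities are not led to request the broader permission.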
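Review bot: The PATCH 3/3 hunk at `@@ -1,7 +1,7 @@` only bumps `ms.date` from 04/02/2026 to 04/10/2026; keeping that in its own commit separates the metadata from the content change it describes. Squash it into PATCH 1/3 before merge.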