Clarify behavior when both FSC.Manage.All and FSC.Selected are granted for admin and nonadmin

docs/embedded/development/auth.md

@@ -1,7 +1,7 @@
 ---
 title: SharePoint Embedded Authentication and Authorization
 description: This article describes the authentication and authorization model for SharePoint Embedded applications.
-ms.date: 04/02/2026
+ms.date: 04/10/2026
 ms.localizationpriority: high
 ---
 
@@ -35,15 +35,26 @@ SharePoint Embedded operations are exposed via Microsoft Graph. SharePoint Embed
 
 SharePoint Embedded applications need to request the following Microsoft Graph permissions in their application manifest to work with SharePoint Embedded:
 
-- **[FileStorageContainerType.Manage.All](/graph/permissions-reference#filestoragecontainermanageall)** to allow an application to create and manage container types on the owning tenant. This permission is only needed on the owning tenant where the container type is created.
+- **[FileStorageContainerType.Manage.All](/graph/permissions-reference#filestoragecontainertypemanageall)** to allow an application to create and manage container types on the owning tenant. This permission is only needed on the owning tenant where the container type is created.
 - **[FileStorageContainerTypeReg.Selected](/graph/permissions-reference#filestoragecontainertyperegselected)** to allow an application to register the container type on consuming tenants.
 - **[FileStorageContainer.Selected](/graph/permissions-reference#filestoragecontainerselected)** to allow an application to access containers of the given container type on consuming tenants.
 
 #### Access on behalf of a user
 
-SharePoint Embedded operations [on behalf of a user](/graph/auth-v2-user) require applications to receive consent for Microsoft Graph **[FileStorageContainer.Selected](/graph/permissions-reference#filestoragecontainerselected)** delegated permission.
+SharePoint Embedded operations [on behalf of a user](/graph/auth-v2-user) support two Microsoft Graph permissions: **[FileStorageContainer.Selected](/graph/permissions-reference#filestoragecontainerselected)**, which allows an application to access containers on behalf of the signed-in user, and **[FileStorageContainer.Manage.All](/graph/permissions-reference#filestoragecontainermanageall)**, which allows an application to utilize file storage container administration capabilities on behalf of an administrator.
 
-In addition to your application receiving consent for **[FileStorageContainer.Selected](/graph/permissions-reference#filestoragecontainerselected)** on a consuming tenant, the user that it's acting on behalf of is required to have [user permissions](#user-permissions). The effective permissions that the application has are the intersection of the application permissions and the user permissions when acting on behalf of a user.
+For APIs that support both **FileStorageContainer.Selected** and **FileStorageContainer.Manage.All** permissions, the effective access depends on the permissions granted to the application and whether the user is an administrator.
+
+| User   | Permissions granted                                            | Effective access                                                                                                                                                     |
+| :--------------- | :------------------------------------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Administrator    | FileStorageContainer.Selected                                  | The application can access containers on behalf of the user as a nonadministrator. Administrator capabilities aren't applicable.                                                           |
+| Administrator    | FileStorageContainer.Manage.All                                | The application utilizes file storage container administration capabilities on behalf of the administrator.                                                                 |
+| Administrator    | FileStorageContainer.Selected, FileStorageContainer.Manage.All | The application utilizes file storage container administration capabilities on behalf of the administrator. FileStorageContainer.Selected isn't applicable.                  |
+| Nonadministrator | FileStorageContainer.Selected                                  | The application can access containers on behalf of the nonadministrator user.                                                    |
+| Nonadministrator | FileStorageContainer.Manage.All                                | Access denied.                                                                                                                                                       |
+| Nonadministrator | FileStorageContainer.Selected, FileStorageContainer.Manage.All | The application can access containers on behalf of the nonadministrator user. FileStorageContainer.Manage.All isn't applicable.   |
+
+In addition to your application receiving consent for the required permissions on a consuming tenant, the user that it's acting on behalf of is required to have [user permissions](#user-permissions). The effective permissions that the application has are the intersection of the application permissions and the user permissions when acting on behalf of a user.
 
 > [!IMPORTANT]
 > Using SharePoint Embedded on behalf of a user is the recommended approach. This type of access enhances the security of your application. It also improves the auditability of actions performed by your application.