From 27fb04f1b04643dc604400db0cefc1453d9143df Mon Sep 17 00:00:00 2001 From: Diego Luces Date: Wed, 20 May 2026 12:43:04 -0700 Subject: [PATCH 1/5] SPE auth: fix note around app access OBO users --- docs/embedded/development/auth.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/embedded/development/auth.md b/docs/embedded/development/auth.md index fcf7638c7..ea3a8be64 100644 --- a/docs/embedded/development/auth.md +++ b/docs/embedded/development/auth.md @@ -15,7 +15,7 @@ Here are some key principles of SharePoint Embedded authentication and authoriza - Applications interact with SharePoint Embedded via Microsoft Graph. - Applications need container type application permissions to access containers of that container type. -- Applications can only access containers that the user is a member of when using access on behalf of a user. +- Applications can only access content that the user has access to when using access on behalf of a user. - Applications can access all containers enabled by their container type application permissions when using access without a user. - Applications use access on behalf of users whenever possible to enhance security and accountability. From bb3f97e28944e6cf018e61e3365ff2048059d8b8 Mon Sep 17 00:00:00 2001 From: Diego Luces Date: Wed, 20 May 2026 12:43:31 -0700 Subject: [PATCH 2/5] SPE auth: recommend confidential client applications to stay in control --- docs/embedded/development/auth.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/embedded/development/auth.md b/docs/embedded/development/auth.md index ea3a8be64..926d88b5b 100644 --- a/docs/embedded/development/auth.md +++ b/docs/embedded/development/auth.md 
@@ -48,7 +48,9 @@ SharePoint Embedded operations [on behalf of a user](/graph/auth-v2-user) suppor - **[FileStorageContainer.Manage.All](/graph/permissions-reference#filestoragecontainermanageall)** to allow an application to utilize administration capabilities on all containers of all governable container types within the consuming tenant on behalf of an administrator user. The administration capabilities include the ability to enumerate, delete, restore, purge, and update containers, and manage their permissions. > [!IMPORTANT] -> Using SharePoint Embedded on behalf of a user is the recommended approach. This type of access enhances the security of your application. It also improves the auditability of actions performed by your application. +> +> - Using SharePoint Embedded on behalf of a user is the recommended approach. This type of access enhances the security of your application. It also improves the auditability of actions performed by your application. +> - Using a confidential client application is the recommended approach to ensure your application remains in control of actions taken on behalf of a user. A pubic client application may expose user tokens to the end-user, which may lead to actions being taken outside of your application's control. See [Public client and confidential client applications](/entra/identity-platform/msal-client-applications) to learn more. #### Access without a user From 4df82040a43da03ad1e65967eca0b67ce6267686 Mon Sep 17 00:00:00 2001 From: Diego Luces Date: Wed, 20 May 2026 12:44:16 -0700 Subject: [PATCH 3/5] SPE auth: remove note to delete FSCTR.Selected from manifest --- docs/embedded/development/auth.md | 5 ----- 1 file changed, 5 deletions(-) diff --git a/docs/embedded/development/auth.md b/docs/embedded/development/auth.md index 926d88b5b..92153dd5b 100644 --- a/docs/embedded/development/auth.md +++ b/docs/embedded/development/auth.md 
@@ -239,9 +239,4 @@ Here are some actions you can take next: 1. [Grant admin consent](/entra/identity-platform/v2-admin-consent) to your application on a _consuming_ tenant (which can be the same as the owning tenant). 1. [Register the container type](../getting-started/register-api-documentation.md) on the _consuming_ tenant. -1. Remove **[FileStorageContainerTypeReg.Selected](/graph/permissions-reference#filestoragecontainertyperegselected)** from your application's manifest after registration is complete. - - > [!NOTE] - > After registering the container type, you should remove the **[FileStorageContainerTypeReg.Selected](/graph/permissions-reference#filestoragecontainertyperegselected)** permission from your application's manifest. This permission is only needed during registration setup. Keeping it after registration unnecessarily increases your application's permission surface. - 1. [Create a container](/graph/api/filestoragecontainer-post) on the _consuming_ tenant From 517e86be968db25cffd117a8660b242bed353fdc Mon Sep 17 00:00:00 2001 From: Andrew Connell Date: Thu, 21 May 2026 05:42:12 -0400 Subject: [PATCH 4/5] docs(spe): update auth article - address acrolinx findings - revert `ms.date` to original publication date; rendering engine shows last modified date dynamically from git history --- docs/embedded/development/auth.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/embedded/development/auth.md b/docs/embedded/development/auth.md index 92153dd5b..fdc066d73 100644 --- a/docs/embedded/development/auth.md +++ b/docs/embedded/development/auth.md @@ -1,7 +1,7 @@ --- title: SharePoint Embedded Authentication and Authorization description: This article describes the authentication and authorization model for SharePoint Embedded applications. -ms.date: 02/04/2026 +ms.date: 11/21/2023 ms.localizationpriority: high --- 
@@ -50,7 +50,7 @@ SharePoint Embedded operations [on behalf of a user](/graph/auth-v2-user) suppor > [!IMPORTANT] > > - Using SharePoint Embedded on behalf of a user is the recommended approach. This type of access enhances the security of your application. It also improves the auditability of actions performed by your application. -> - Using a confidential client application is the recommended approach to ensure your application remains in control of actions taken on behalf of a user. A pubic client application may expose user tokens to the end-user, which may lead to actions being taken outside of your application's control. See [Public client and confidential client applications](/entra/identity-platform/msal-client-applications) to learn more. +> - Using a confidential client application is the recommended approach to ensure your application remains in control of actions taken on behalf of a user. A pubic client application may expose user tokens to the end user, which may lead to actions being taken outside of your application's control. See [Public client and confidential client applications](/entra/identity-platform/msal-client-applications) to learn more. #### Access without a user 
@@ -196,7 +196,7 @@ The common [Office experience](./content-experiences/office-experience.md) inclu The **[FileStorageContainer.Manage.All](/graph/permissions-reference#filestoragecontainermanageall)** permission requires the signed-in user to be a SharePoint Embedded Administrator or Global Administrator. -If the user is not an administrator, **[FileStorageContainer.Manage.All](/graph/permissions-reference#filestoragecontainermanageall)** does not grant the application any permissions: +If the user isn't an administrator, **[FileStorageContainer.Manage.All](/graph/permissions-reference#filestoragecontainermanageall)** doesn't grant the application any permissions: - If only **[FileStorageContainer.Manage.All](/graph/permissions-reference#filestoragecontainermanageall)** is granted, the application will get an access denied error when trying to access the container on behalf of the non-admin user. - If both **[FileStorageContainer.Manage.All](/graph/permissions-reference#filestoragecontainermanageall)** and **[FileStorageContainer.Selected](/graph/permissions-reference#filestoragecontainerselected)** are granted, **[FileStorageContainer.Manage.All](/graph/permissions-reference#filestoragecontainermanageall)** will be ignored. From 43e00ed5c1d968f5fd5c71abb665df24d84695bf Mon Sep 17 00:00:00 2001 From: Diego Luces Date: Thu, 21 May 2026 14:35:25 -0700 Subject: [PATCH 5/5] Fix typo in auth.md regarding client applications --- docs/embedded/development/auth.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/embedded/development/auth.md b/docs/embedded/development/auth.md index fdc066d73..754ddda9a 100644 --- a/docs/embedded/development/auth.md +++ b/docs/embedded/development/auth.md 
@@ -50,7 +50,7 @@ SharePoint Embedded operations [on behalf of a user](/graph/auth-v2-user) suppor > [!IMPORTANT] > > - Using SharePoint Embedded on behalf of a user is the recommended approach. This type of access enhances the security of your application. It also improves the auditability of actions performed by your application. -> - Using a confidential client application is the recommended approach to ensure your application remains in control of actions taken on behalf of a user. A pubic client application may expose user tokens to the end user, which may lead to actions being taken outside of your application's control. See [Public client and confidential client applications](/entra/identity-platform/msal-client-applications) to learn more. +> - Using a confidential client application is the recommended approach to ensure your application remains in control of actions taken on behalf of a user. A public client application may expose user tokens to the end user, which may lead to actions being taken outside of your application's control. See [Public client and confidential client applications](/entra/identity-platform/msal-client-applications) to learn more. #### Access without a user
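Review bot: in PATCH 1/5 (hunk `@@ -15,7 +15,7 @@`), the reworded bullet stacks the word "access" three times ("can only access content that the user has access to when using access on behalf of a user") and is hard to parse next to the parallel bullet below it. Suggest leading with the mode, e.g. `- When using access on behalf of a user, applications can only access content that the user has access to.` and mirroring that shape in the "without a user" bullet. The change also moves the statement from container membership ("containers that the user is a member of") to item-level access ("content that the user has access to"); the subject line calls this a "fix", so a sentence in the commit body saying whether the old wording was inaccurate or merely too narrow would help future readers of the history.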
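Review bot: in PATCH 2/5 (hunk `@@ -48,7 +48,9 @@`), the new bullet states the risk of a public client but not its cause: "may expose user tokens to the end-user" leaves the reader to guess why a confidential client is safer. One clause explaining that a public client holds the token on the user's device, outside the application's control (the linked MSAL article draws exactly this distinction), would make the recommendation actionable, and the consequence could be named concretely as the user calling Microsoft Graph directly with that token rather than through your application. Style point: both bullets in the alert now end in "is the recommended approach"; rephrasing the second as `> - Use a confidential client application so that your application remains in control of actions taken on behalf of a user.` avoids the repetition. The bullet also introduces the typo "pubic", which is only corrected three commits later.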
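Review bot: in PATCH 3/5 (hunk `@@ -239,9 +239,4 @@`), the commit removes a least-privilege recommendation (drop **FileStorageContainerTypeReg.Selected** after registration because keeping it "unnecessarily increases your application's permission surface") but the commit message says only what was removed, not why. If the permission is still needed after registration, or the note was inaccurate, say so in the commit body and consider replacing the deleted note with a single sentence stating when the permission is required, so the stale advice is not reintroduced later. Minor style point in the same hunk: after the deletion the last step, `1. [Create a container](/graph/api/filestoragecontainer-post) on the _consuming_ tenant`, is the only list item without a terminating period.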
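Review bot: PATCH 5/5 (hunk `@@ -50,7 +50,7 @@`) only corrects "pubic" to "public" on a line that PATCH 2/5 introduced and PATCH 4/5 already touched (changing "end-user" to "end user" while leaving the typo in place). Suggest squashing this fix into PATCH 2/5, or at least into PATCH 4/5, so that no commit in the series publishes the misspelled alert; as a standalone commit it adds noise to the history without adding information.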