If you configure SQList to use Azure AD Application Permissions to export items from a SharePoint list that implements Item Level Permissions, be aware that granting the Sites.Read.All permission in Azure AD is not enough for that list to be exported.
1. We have a list named "Test list" in SharePoint Online which implements Item Level Permissions:
Note that the list contains 5 items, 3 created by an Owner account (Francesco) and 2 created by a Contributor account.
In the list's settings, we have selected to let users only read items they have created (note that this limitation does not apply to Owner users).
2. In Azure, we have configured Azure AD Application Permissions authentication for SQList
We have granted the Sites.Read.All permission to the application.
See this article for more details about setting up this type of authentication:
3. In SQList, we created 3 replications, one for each authentication method
- TestAdmin: uses the Owner account;
- TestPublic: uses the Member account;
- TestAD: uses the Azure AD authentication.
4. We ran SQList to export the list. SQList exported:
- All 5 items when connecting using the Owner account;
- The 2 items created by the Member account when connecting using the Member account;
- No items when connecting using the Azure AD authentication.
Our assumption is that SharePoint treats the Azure AD account as if it were a regular Visitor user account and therefore does not allow it to see any items.
5. We then granted Sites.FullControl.All to the Azure AD application
6. We re-ran SQList
This time SQList was able to export all items from the list for the AD Account (just like with the Owner account).
Based on our tests, we have concluded that, when it comes to permissions, Azure AD Authentication is treated by SharePoint like any other user.
Therefore, the Sites.Read.All permission corresponds to a "Visitor", while Sites.FullControl.All corresponds to an "Owner".
Be aware that Sites.FullControl.All gives full access to all sites in the site collection, so you should grant this permission only if absolutely necessary.
Also, note that other combinations of permissions may achieve the same result, but we have not tried them as they are outside the scope of this test.
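As an added diagnostic (not part of SQList or of the original article), the sketch below decodes the `roles` claim of an app-only access token to confirm which of the two permissions tested above the application actually holds, and maps it to the export result observed in this test. It assumes the token carries application permissions in `roles` and delegated ones in `scp`; the function names are hypothetical and the sample tokens are constructed and unsigned.

```python
import base64
import json

# Export results observed in this article's test for a list with item-level
# read restrictions. FullControl is listed first so it wins when both are held.
OBSERVED = {
    "Sites.FullControl.All": "all items (treated like an Owner)",
    "Sites.Read.All": "no items (treated like a Visitor)",
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped string for offline use."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()),
                     "constructed-signature"])

def token_claims(token: str) -> dict:
    """Decode the payload only. No signature check: diagnostics, not authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def assess(token: str) -> dict:
    """Report which tested permission the token carries and the export to expect."""
    claims = token_claims(token)
    roles = claims.get("roles") or []
    expected = next((OBSERVED[r] for r in OBSERVED if r in roles),
                    "not covered by this test")
    return {
        # Delegated (user) tokens carry "scp"; app-only tokens carry "roles".
        "kind": "delegated" if "scp" in claims else "app-only",
        "roles": sorted(roles),
        "expected_export": expected,
        # The article advises granting FullControl only if absolutely necessary.
        "review_grant": "Sites.FullControl.All" in roles,
    }

if __name__ == "__main__":
    for granted in (["Sites.Read.All"], ["Sites.FullControl.All"]):
        print(assess(sample_token({"roles": granted})))
```

Because the payload is decoded without verifying the signature, the output is only suitable for troubleshooting a replication, never for making an access decision.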