On May 21st, 2024, Microsoft announced the general availability of SharePoint Embedded (Announcing SharePoint Embedded General Availability | Microsoft Community Hub).
What is SharePoint Embedded?
SharePoint Embedded containers are a core component of Microsoft's SharePoint Embedded, an API-only, headless service that allows developers to integrate Microsoft 365's document management capabilities into custom applications—without exposing the traditional SharePoint user interface.
A SharePoint Embedded container (also called a File Storage Container) is a secure, app-specific storage unit created within a Microsoft 365 tenant.
These containers:
- Are accessible only via APIs (primarily Microsoft Graph).
- Do not have a user interface—users interact with them only through the app that owns them.
- Are isolated per application, ensuring that only the owning app can access its containers.
- Support granular permissions, versioning, folder structures, and collaboration features like co-authoring in Office apps.
You can think of these containers as API-only document libraries that live inside a tenant but are fully managed by your application.
Each container is associated with a Container Type, which defines:
- Access privileges: Only the owning application can access containers of its type.
- Billing model: Either trial (free, limited use) or standard (billed via Azure).
- Behavioural settings: Such as lifecycle policies, compliance, and collaboration features.
There’s a 1:1 relationship between an application and its container type. Developers can choose between:
- Trial Container Types: For development/testing, limited to 5 containers and 1 GB each.
- Standard Container Types: For production use, with full billing and scalability options.
How does WithSecure Elements Collaboration Protection interact with these containers?
SharePoint Embedded Containers are currently NOT supported by WithSecure Elements Collaboration Protection.
Unlike traditional SharePoint Sites, where access is granted by the SharePoint Administrator, the SharePoint Embedded containers are fully isolated and owned by the application that uses them, meaning they are not accessible by Elements Collaboration Protection.
This means that currently the respective sites will be reported as “unavailable” in the SharePoint view in the portal.
These Embedded Containers can be easily identified in the Collaboration Protection “Site” field when they contain “/contentstorage/” as part of the URL.
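A sketch of the triage this implies, added here as an example and not WithSecure code: it splits sites reported as "unavailable" into Embedded containers, which are expected to show that status, and other sites whose status has a different cause. The row layout, the tenant name, the container names and the "protected" status value are constructed assumptions.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample rows: (site URL, status shown in the SharePoint view).
# Only the "unavailable" status comes from the article; the rest is made up.
SAMPLE_SITES = [
    ("https://contoso.sharepoint.com/sites/Finance", "protected"),
    ("https://contoso.sharepoint.com/contentstorage/example-container-1", "unavailable"),
    ("https://contoso.sharepoint.com/sites/Legal", "unavailable"),
    ("https://contoso.sharepoint.com/ContentStorage/example-container-2/Docs", "Unavailable"),
    ("https://contoso.sharepoint.com/sites/search?q=/contentstorage/", "unavailable"),
]


def is_embedded_container(url):
    """True when the URL *path* has a 'contentstorage' segment.

    Only the path is inspected, so a query string that happens to contain
    '/contentstorage/' does not count. Case-insensitive matching is an
    assumption of this example.
    """
    path = unquote(urlsplit(url).path).lower()
    return "contentstorage" in path.split("/")


def triage_unavailable(sites):
    """Group sites reported as 'unavailable' by the likely reason."""
    result = {"embedded_container": [], "needs_investigation": []}
    for url, status in sites:
        if status.strip().lower() != "unavailable":
            continue  # site is being scanned, nothing to triage
        if is_embedded_container(url):
            # Owned by an application and isolated from the product.
            result["embedded_container"].append(url)
        else:
            # A regular site that is unavailable for some other reason.
            result["needs_investigation"].append(url)
    return result


if __name__ == "__main__":
    for reason, urls in triage_unavailable(SAMPLE_SITES).items():
        print(reason)
        for u in urls:
            print("  ", u)
```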
If the application using the container deals with untrusted files, for example uploads from a user, we recommend that the application integrate with WithSecure Atlant to analyze this content.
WithSecure is evaluating how we can support these containers in the future.