
Commit eba7abc

Author: Greg Joseph (committed)
docs: Document container type owner capabilities in SPE auth page
- Add container type owner capabilities subsection under owning tenant management
- Document permissions navigation property (roles: owner, grantedToV2)
- Document owner CRUD, permissions management, and container creation capabilities
- Add cross-tenant caveat: owners are NOT propagated to consuming tenants
- Add intersection model callout (app permissions x user permissions)
- Add auto-assignment of creator as owner and guest user exclusion
1 parent a9c6794 commit eba7abc

File tree: 1 file changed (+19 / -0 lines changed)


docs/embedded/development/auth.md

Lines changed: 19 additions & 0 deletions
@@ -132,6 +132,25 @@ Specific items in a container can be shared with users via the [driveItem invite
132132

133133
[SharePoint Embedded Administrators](/entra/identity/role-based-access-control/permissions-reference#sharepoint-embedded-administrator) can manage all SharePoint Embedded applications created in the **owning** tenant. Additionally, any Microsoft Entra user that isn't an external identity can be assigned as an owner of a [container type](/graph/api/resources/filestoragecontainertype). Container type owners can manage that specific container type. To learn more about managing applications created in the owning tenant, see [SharePoint Embedded developer administrator](../administration/developer-admin/dev-admin.md).
134134

135+
##### Container type owner capabilities
136+
137+
Container type owners are managed through the [permissions](/graph/api/filestoragecontainertype-post-permissions) navigation property on the `fileStorageContainerType` resource. Each permission entry has a role of `owner` and identifies the user via `grantedToV2`.
138+
139+
Container type owners can perform the following operations on the **owning tenant** when using an application with `FileStorageContainerType.Manage.All` in delegated mode:
140+
141+
- **Create, read, update, and delete** the container type they own. Non-admin owners can only manage container types where they appear in the permissions collection and the calling app matches the owning application.
142+
- **Add and remove** other owners on the container type they own (via the permissions endpoint)
143+
- **Create containers** of the container type they own, as long as the calling user is a container type owner and the call is delegated (not app-only)
144+
145+
> [!NOTE]
146+
> The user who creates a container type is automatically assigned as an owner. External identities (guest users) cannot be assigned as container type owners and cannot perform owner operations.
147+
148+
> [!IMPORTANT]
149+
> Container type owners exist only in the owning tenant. When a container type is registered in a consuming tenant, the owner information is **not** propagated to that tenant. For example, if Contoso creates a container type with owners and registers it in Fabrikam, those Contoso users do not exist in Fabrikam's tenant and have no owner capabilities there.
150+
151+
> [!IMPORTANT]
152+
> Container type owner capabilities are user permissions. The effective access is the intersection of the application permissions (Microsoft Graph permissions) and the user permissions (owner role). The application must have sufficient Graph permissions for the intersection to grant the desired access.
153+
135154
### Exceptional access patterns
136155

137156
Currently, there are two types of operations with exceptional access patterns:
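Review bot: the auto-assignment note in this hunk (`> The user who creates a container type is automatically assigned as an owner.`) does not cover app-only creation, where there is no signed-in user to assign; since the capability list above it is scoped to delegated mode and the "Create containers" bullet explicitly distinguishes delegated from app-only calls, state what the `permissions` collection of a container type created app-only looks like and how its first owner is added (presumably via the same permissions endpoint by a SharePoint Embedded Administrator, but the text should say so). Two smaller points in the same hunk: in the CRUD bullet, "the calling app matches the owning application" is ambiguous for the create case, where no container type exists yet, so clarify whether the creating app must be the one named as the owning application in the request body; and the "Create containers" bullet sits under a preamble scoped to `FileStorageContainerType.Manage.All`, a container type permission, so given the intersection callout that follows, say which Graph permission the application side of that intersection needs for creating containers, or note that the preamble's scope is sufficient if it is.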
