We have all been waiting a long time for Graph and SharePoint API permissions to be limited to selected sites instead of requiring full control of the whole tenant.
Microsoft already did the same for Exchange Online long ago.
Many admins have concerns about blanket permissions, so it is a big relief that this can now be done with SharePoint.
I have implemented it for the SharePoint API and tested it as well (it is possible with the Graph API too); I will share the gist of the implementation.
Here are the steps:
Install-Module -Name PnP.PowerShell -AllowPrerelease
I already had the old version of the module installed, so I used the command below (-SkipPublisherCheck was needed because I was getting a certificate error for the new version, probably because the old PnP module was signed by Microsoft and the new one is open source).
Install-Module -Name PnP.PowerShell -AllowPrerelease -Force -SkipPublisherCheck
I also got another error, and to fix it I needed to update PowerShellGet:
Install-Module PowerShellGet -Force -AllowClobber
After that I was able to install the latest PnP.PowerShell module.
Run the following as a Global Administrator and accept the consent prompt.
$password = Read-Host -AsSecureString -Prompt "Enter Password"
Register-PnPAzureADApp -ApplicationName "PowerShell-SharepointOnline" -Tenant tcs.onmicrosoft.com -Store CurrentUser -SharePointApplicationPermissions "Sites.Selected" -Username "email@example.com" -Password $password
Secure the certificate that has been generated (it is also stored in the current user certificate store); anyone holding its private key can act as this app.
Now when you check the app registrations, you will find this app registered with the correct permissions.
$siteUrl = "SiteURL" # URL of the site collection the app should be allowed to access
$clientId = "6d83d654-4e58-4477-a157-f9bf635eeffc" # client id of the app you just registered
$certThumbprint = "47C45F47E0E17AD419709713B3BE864A5A7190DC" # certificate of the app with the Sites.Selected permission
$tenant = "tcs.onmicrosoft.com"
Connect-PnPOnline -Url $siteUrl -Interactive
$writeperm = Grant-PnPAzureADAppSitePermission -Permissions "Write" -Site $siteUrl -AppId $clientId -DisplayName "PowerShell-SharepointOnline"
$PermissionId = Get-PnPAzureADAppSitePermission -AppIdentity $clientId
Set-PnPAzureADAppSitePermission -Site $siteUrl -PermissionId $(($PermissionId).Id) -Permissions "FullControl"
Now you are ready to connect using Sites.Selected permissions.
Connect-PnPOnline -Url $siteUrl -ClientId $clientId -Thumbprint $certThumbprint -Tenant $tenant
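The script below is an added example (not part of the original post) that puts the steps above together as a least-privilege check: it grants the app access to one site, lists the grants on that site for auditing, verifies with certificate authentication that the granted site is reachable and that a site without a grant is refused, and finally shows how to revoke the grant when the integration is retired. The tenant name, site URLs, client id and thumbprint are placeholders, and the app is assumed to have been registered with Register-PnPAzureADApp as shown earlier.

```powershell
# Added example, not from the original post. All ids, URLs and the tenant name are placeholders.
$tenant         = "contoso.onmicrosoft.com"                        # placeholder tenant
$clientId       = "00000000-0000-0000-0000-000000000000"           # placeholder client id of the Sites.Selected app
$certThumbprint = "0000000000000000000000000000000000000000"       # placeholder thumbprint of the app certificate
$grantedSite    = "https://contoso.sharepoint.com/sites/ProjectA"  # placeholder: the one site the app may access
$otherSite      = "https://contoso.sharepoint.com/sites/HR"        # placeholder: a site the app must NOT access

# 1. As an admin, grant the app Write on exactly one site and look up the permission id
#    the same way the post does (by app identity).
Connect-PnPOnline -Url $grantedSite -Interactive
$null = Grant-PnPAzureADAppSitePermission -AppId $clientId -DisplayName "PowerShell-SharepointOnline" -Permissions "Write" -Site $grantedSite
$permissionId = (Get-PnPAzureADAppSitePermission -AppIdentity $clientId -Site $grantedSite).Id

# 2. Audit: list every app that currently holds a site permission on this site.
Write-Host "Apps granted on $grantedSite :"
Get-PnPAzureADAppSitePermission -Site $grantedSite | Format-List
Disconnect-PnPOnline

# 3. Verify as the app itself (certificate auth, no user). The granted site must be reachable...
Connect-PnPOnline -Url $grantedSite -ClientId $clientId -Thumbprint $certThumbprint -Tenant $tenant
$web = Get-PnPWeb
Write-Host "Granted site reachable as the app: $($web.Title)"
Disconnect-PnPOnline

# ...and any site without an explicit grant must be refused; that refusal is the whole point of Sites.Selected.
try {
    Connect-PnPOnline -Url $otherSite -ClientId $clientId -Thumbprint $certThumbprint -Tenant $tenant
    $null = Get-PnPWeb
    Write-Warning "App could read $otherSite - its effective scope is wider than intended, review the grants"
} catch {
    Write-Host "Access to $otherSite denied as expected: $($_.Exception.Message)"
} finally {
    Disconnect-PnPOnline -ErrorAction SilentlyContinue
}

# 4. Offboarding: remove the grant when the integration is retired so no orphaned access remains.
Connect-PnPOnline -Url $grantedSite -Interactive
Revoke-PnPAzureADAppSitePermission -PermissionId $permissionId -Site $grantedSite -Force
Disconnect-PnPOnline
```

Step 3 is the part worth keeping in a runbook: re-run it whenever a developer asks for "just one more site", because the only evidence that Sites.Selected is actually limiting the app is a denied connection to a site that was never granted.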
I researched many sites before I got it working correctly; the blog from Leon assisted me the most.
Now we are ready to implement it and guide our developers, as this was always a challenge in the past.
Note: if you do not want to use the prerelease version of PnP, you can remove it and go back to the current version after the implementation is completed.
Thanks for reading …