SharePoint and Graph API APP only permissions for Selected Sites

We all were waiting for a long time that Graph and Sharepoint API permissions should be limited to selected sites instead of full control.

Microsoft has already done the same long back for Exchange online.

Many Admins have concern with blanket permissions so it is a big relief that this can be done now with SharePoint.

I have implemented it for SharePoint API and tested it as well(possible with graph API as well), I will share the gist of the implementation.

Here are the steps:

1. Install PnP.PowerShell latest version

Install-Module -Name PnP.PowerShell -AllowPrerelease

I already had the old version of module installed so I used below command (skippublisher check was used as I was getting error in cert for new version, might be because of old PNP was signed by MS and now it is open source)

Install-Module -Name PnP.PowerShell -AllowPrerelease -Force -SkipPublisherCheck

I also got another error and for that I need to update the PowerShellGet

Install-Module PowerShellGet -Force -AllowClobber

After that I was able to install the latest PNP.PowerShell Module.

2. Second step is to register the APP in Azure AD with Sites.Selected permissions.

Run it as Global admin and accept the consent.

$password = Read-Host -AsSecureString -Prompt “Enter Password”

Register-PnPAzureADApp -ApplicationName “PowerShell-SharepointOnline” -Tenant tcs.onmicrosoft.com -Store CurrentUser -SharePointApplicationPermissions “Sites.Selected” -Username “sukhijav@techwizard.cloud” -Password $password

Ignore below:

Secure the certificate that has been generated (it is also stored in current user certificate store)

Now when you check the app registrations, you will find this APP registered with correct permissions.

3. This step will be to provide access to selected site, here is the small script:

$siteUrl = “SiteURL”

$clientId = “6d83d654-4e58-4477-a157-f9bf635eeffc” #clientid of app you just registered

$certThumbprint = “47C45F47E0E17AD419709713B3BE864A5A7190DC” #App with Sites.Selected permission

$tenant = “tcs.onmicrosoft.com”

Connect-PnPOnline -Url $siteUrl -Interactive

$writeperm = Grant-PnPAzureADAppSitePermission -Permissions “Write” -Site $siteUrl -AppId $clientId -DisplayName “PowerShell-SharepointOnline”

$PermissionId = Get-PnPAzureADAppSitePermission -AppIdentity $clientId

Set-PnPAzureADAppSitePermission -Site $siteurl -PermissionId $(($PermissionId).Id) -Permissions “FullControl”

Now you are ready to connect using Sites.Selected permissions.

Connect-PnPOnline -Url $siteUrl -ClientId $clientId -Thumbprint $certThumbprint -Tenant $tenant

I have researched thru many sites before got it working correctly, blog from Leon assisted me the most.

Now we are ready to implement it and guide our developers as it was always a challenge in the past.

Note: if you do not want to use the prelease version of PNP you can remove that and go back the current version after all the implementation is completed.

Thanks for reading …

Tech Wizard

https://techwizard.cloud

https://syscloudpro.com/

PowerShell Fast Track

2 thoughts on “SharePoint and Graph API APP only permissions for Selected Sites”

vicky says:

October 9, 2023 at 12:47 pm

Hi,I would like to assign Azure AD Application permission for selected SharePoint List Is that possible by any chance?

- Tech Wizard (Sukhija Vikas) says:
  
  October 9, 2023 at 1:05 pm
  
  You can than go with delegated permissions and delegated account can have access to the list.
  Application permissions are limited to selected sites as of now.