SharePoint and Graph API APP only permissions for Selected Sites

We all were waiting for a long time that Graph and Sharepoint API permissions should be limited to selected sites instead of full control.

Microsoft has already done the same long back for Exchange online.

Many Admins have concern with blanket permissions so it is a big relief that this can be done now with SharePoint.

I have implemented it for SharePoint API and tested it as well(possible with graph API as well), I will share the gist of the implementation.

Here are the steps:

1. Install PnP.PowerShell latest version

Install-Module -Name PnP.PowerShell -AllowPrerelease

I already had the old version of module installed so I used below command (skippublisher check was used as I was getting error in cert for new version, might be because of old PNP was signed by MS and now it is open source)

Install-Module -Name PnP.PowerShell -AllowPrerelease -Force -SkipPublisherCheck

I also got another error and for that I need to update the PowerShellGet

    Install-Module PowerShellGet -Force -AllowClobber


    After that I was able to install the latest PNP.PowerShell Module.


2. Second step is to register the APP in Azure AD with Sites.Selected permissions.

Run it as Global admin and accept the consent.

$password = Read-Host -AsSecureString -Prompt “Enter Password”

Register-PnPAzureADApp -ApplicationName “PowerShell-SharepointOnline” -Tenant -Store CurrentUser -SharePointApplicationPermissions “Sites.Selected” -Username “” -Password $password

Ignore below:

Secure the certificate that has been generated (it is also stored in current user certificate store)

Now when you check the app registrations, you will find this APP registered with correct permissions.

3.  This step will be to provide access to selected site, here is the small script:

$siteUrl = “SiteURL”

$clientId = “6d83d654-4e58-4477-a157-f9bf635eeffc” #clientid of app you just registered

$certThumbprint = “47C45F47E0E17AD419709713B3BE864A5A7190DC” #App with Sites.Selected permission

$tenant = “”

Connect-PnPOnline -Url $siteUrl -Interactive

$writeperm = Grant-PnPAzureADAppSitePermission -Permissions “Write” -Site $siteUrl -AppId $clientId -DisplayName “PowerShell-SharepointOnline”

$PermissionId = Get-PnPAzureADAppSitePermission -AppIdentity $clientId

Set-PnPAzureADAppSitePermission -Site $siteurl -PermissionId $(($PermissionId).Id) -Permissions “FullControl”

Now you are ready to connect using Sites.Selected permissions.

Connect-PnPOnline -Url $siteUrl -ClientId $clientId -Thumbprint $certThumbprint -Tenant $tenant

I have researched thru many sites before got it working correctly, blog from Leon assisted me the most.

Now we are ready to implement it and guide our developers as it was always a challenge in the past.

Note: if you do not want to use the prelease version of PNP you can remove that and go back the current version after all the implementation is completed.


Thanks for reading …

Tech Wizard

PowerShell Fast Track



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s