How to give an app access to a specific SharePoint site using Azure AD API permissions
Sometimes you want to give a third-party application access to one specific SharePoint Online site collection through the Microsoft Graph API or the SharePoint REST API, without granting it access to every site in the tenant.
You can achieve this in two steps:
- Set up API Permission from App registration
- Grant app access to the specified site collection
Set up API Permissions
In Azure AD, select your app registration, go to API permissions and click Add a permission.
(Screenshot: Add API Access)
Select Microsoft Graph or SharePoint, then Application permissions.
Search for the Sites.Selected permission, tick it, then click Add permissions.
(Screenshot: Choosing selected sites permissions)
Now that the permission is added, you must grant admin consent.
At this point your app holds the Sites.Selected permission, but you have not yet defined which site collection it may access nor at which permission level; until you do, the app cannot reach any site.
Grant App access to your site collection
You will need the PnP PowerShell module (PnP Management Shell), your app (client) ID, and the URL of the site collection that your app will access.
# Replace with your own app (client) id, site URL and app name.
$appId = "c54611f1-d8X0-4bef-9921-3000fa89b061"
$siteCollUrl = "https://contoso.sharepoint.com/sites/MySite"
$appDisplayName = "YourAppName"
Write-Host "Connecting to your site."
# Interactive sign-in; the account used must be allowed to manage permissions on this site.
Connect-PnPOnline -Url $siteCollUrl -Interactive
Write-Host "Granting app $appDisplayName access"
# Grant the app Write permission on this site collection only.
$grant = Grant-PnPAzureADAppSitePermission -Permissions "Write" -Site $siteCollUrl -AppId $appId -DisplayName $appDisplayName
Bonus
The command Grant-PnPAzureADAppSitePermission can only grant Read or Write permissions. Those levels only allow the app to read or add content within the existing site structure. If the app must create lists or document libraries, or customize the site interface, it needs a higher level. To raise it, first retrieve the app's permission id with the following command:
# Look up the site permission entry created for this app.
$appPermissionId = Get-PnPAzureADAppSitePermission -AppIdentity $appId
Then set the desired permission level on that entry.
# Raise the existing grant to FullControl.
Set-PnPAzureADAppSitePermission -Site $siteCollUrl -PermissionId $appPermissionId.Id -Permissions "FullControl"
Available permissions are: Read, Write, Manage, FullControl. Pick the lowest level that lets the app do its job; FullControl on a site lets the app change permissions and settings, not just content.
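As an added example (not from the original post), the two steps above and the bonus elevation combined into one idempotent function, plus an audit that lists which apps hold Manage or FullControl on the site. It assumes the PnP.PowerShell module, an interactive session with rights to manage the site, and that Get-PnPAzureADAppSitePermission returns objects with Id, Roles and Apps (each app having Id and DisplayName); the site URL and app id are placeholders.

```powershell
# Placeholders: replace with your site URL and app (client) id.
$siteCollUrl    = "https://contoso.sharepoint.com/sites/MySite"
$appId          = "00000000-0000-0000-0000-000000000000"
$appDisplayName = "YourAppName"

Connect-PnPOnline -Url $siteCollUrl -Interactive

function Set-AppSiteAccess {
    # Ensure $AppId has exactly the requested level on $SiteUrl, creating or adjusting the grant.
    param(
        [string]$SiteUrl, [string]$AppId, [string]$DisplayName,
        [ValidateSet("Read", "Write", "Manage", "FullControl")][string]$Level
    )
    # Find an existing grant for this app by matching the app id inside the Apps collection
    # (assumed object shape: Id, Roles, Apps[].Id / Apps[].DisplayName).
    $existing = Get-PnPAzureADAppSitePermission -Site $SiteUrl |
        Where-Object { $_.Apps.Id -contains $AppId }
    if (-not $existing) {
        # Grant-* only understands Read or Write, so start with the lowest usable level.
        $initial = if ($Level -eq "Read") { "Read" } else { "Write" }
        $existing = Grant-PnPAzureADAppSitePermission -Site $SiteUrl -AppId $AppId `
            -DisplayName $DisplayName -Permissions $initial
    }
    if ($existing.Roles -notcontains $Level) {
        # Adjust in place (this is also how Manage/FullControl are reached).
        Set-PnPAzureADAppSitePermission -Site $SiteUrl -PermissionId $existing.Id -Permissions $Level
    }
    # Return the final grant so the caller can verify the level actually applied.
    Get-PnPAzureADAppSitePermission -Site $SiteUrl | Where-Object { $_.Apps.Id -contains $AppId }
}

function Get-ElevatedAppGrants {
    # List every app grant on the site that carries Manage or FullControl, for periodic review.
    param([string]$SiteUrl)
    Get-PnPAzureADAppSitePermission -Site $SiteUrl |
        Where-Object { $_.Roles -contains "Manage" -or $_.Roles -contains "FullControl" } |
        ForEach-Object {
            [pscustomobject]@{
                PermissionId = $_.Id
                App          = ($_.Apps | ForEach-Object { "$($_.DisplayName) ($($_.Id))" }) -join ", "
                Roles        = $_.Roles -join ", "
            }
        }
}

Set-AppSiteAccess -SiteUrl $siteCollUrl -AppId $appId -DisplayName $appDisplayName -Level "Write"
Get-ElevatedAppGrants -SiteUrl $siteCollUrl | Format-Table -AutoSize
# A grant that is no longer needed can be removed with:
# Revoke-PnPAzureADAppSitePermission -Site $siteCollUrl -PermissionId <PermissionId>
```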