How to give app access on a specific SharePoint site using Azure AD API permission

Sometime, you want to give third party applications access to a specific SharePoint online site collection using Microsoft Graph API or SharePoint API. 

You can achieve this in two steps :

  1. Set up API Permission from App registration
  2. Grant app access to the specified site collection


Set up API Permissions

In azure AD, select your app registration. Then go to API permissions, click on add a permission.

Add API Access


Select Microsoft Graph or SharePoint, then application permissions.

Pick Sites.Selected permissions, select it then click on Add permissions.

Choosing selected sites permissions

Now your permissions are selected you must grant admin consent.


At this point, you have given to your app selected site collections permissions but you did not define what permission level to use nor what site collection can be access by your app.

Grant App access to your site collection

You will need pnp management shell to do this, your App Id, and the url of the site collection that will be accessed by your app.

$appId = "c54611f1-d8X0-4bef-9921-3000fa89b061"
$siteCollUrl = "https://contoso.sharepoint.com/sites/MySite"
$appDisplayName = "YourAppName"

write-host "Connecting to your site."
Connect-PnPOnline -Url $siteCollUrl -Interactive

write-host "Granting app $appDisplayName access"
#Granting app Write permission to the site collection.
$grant = Grant-PnPAzureADAppSitePermission -Permissions "Write" -Site $siteCollUrl -AppId $appId -DisplayName $appDisplayName
Bonus

The command Grant-PnPAzureADAppSitePermission can just give Read or Write permissions. Those permissions only allow to read or add content to the existing site structure. If you want to add more elements like lists, document libraries or even customize your site interface, your app needs more access. So you must get your app permission id thanks to the following command line:

$appPermissionId = Get-PnPAzureADAppSitePermission -AppIdentity $appId

Then set the desired app permission. 

Set-PnPAzureADAppSitePermission -Site $siteCollUrl -PermissionId $(($appPermissionId).Id) -Permissions "FullControl"

Available permissions are: Read, Write, Manage, FullControl.


 

Comments

Popular posts from this blog

Remove News Source Tag Color Block to news web part

Approve and publish SharePoint file using Power Automate

Guest user can't access Client Side Assets resources in SharePoint App Catalog site