How to give app access on a specific SharePoint site using Azure AD API permission

Sometimes you want to give a third-party application access to one specific SharePoint Online site collection, rather than to every site in the tenant, through the Microsoft Graph API or the SharePoint REST API.

You can achieve this in two steps:

  1. Set up API Permission from App registration
  2. Grant app access to the specified site collection


Set up API Permissions

In Azure AD, select your app registration. Then go to API permissions and click Add a permission.

Add API Access


Select Microsoft Graph or SharePoint, then Application permissions.

Find the Sites.Selected permission, select it, then click Add permissions.

Choosing selected sites permissions

Now that the permission is selected, you must grant admin consent.


At this point your app holds the Sites.Selected permission, but Sites.Selected by itself grants access to no site at all: you have not yet defined which site collection the app may access, nor at what permission level. Both are set in the next step.

Grant App access to your site collection

You will need PnP PowerShell (the PnP Management Shell), the Application (client) ID of your app registration, and the URL of the site collection that your app will access. Run the commands below as a SharePoint administrator or a site collection administrator of that site.

$appId = "c54611f1-d8X0-4bef-9921-3000fa89b061"
$siteCollUrl = "https://contoso.sharepoint.com/sites/MySite"
$appDisplayName = "YourAppName"

Write-Host "Connecting to your site."
Connect-PnPOnline -Url $siteCollUrl -Interactive

Write-Host "Granting app $appDisplayName access"
# Granting the app Write permission on the site collection.
$grant = Grant-PnPAzureADAppSitePermission -Permissions "Write" -Site $siteCollUrl -AppId $appId -DisplayName $appDisplayName

Bonus

The Grant-PnPAzureADAppSitePermission command can only grant Read or Write permissions. Those levels only allow the app to read or add content within the existing site structure. If your app needs to add elements such as lists or document libraries, or to customize the site interface, it needs a higher level. To raise it, first retrieve the permission object that was created for your app:

$appPermissionId = Get-PnPAzureADAppSitePermission -AppIdentity $appId

Then set the desired app permission. 

Set-PnPAzureADAppSitePermission -Site $siteCollUrl -PermissionId $appPermissionId.Id -Permissions "FullControl"

Available permissions are: Read, Write, Manage, FullControl.
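The full procedure above (connect, create the Sites.Selected grant, raise it only when a higher level is really needed, then verify it) as one script. This is an added example, not code from the original post: the parameter names, the Get-ExistingGrant helper and the default of Read are my choices, the GUID and URL placeholders are constructed, and the Roles property read back from the permission object is an assumption to check with Format-List on your tenant. Recent PnP PowerShell releases also require -ClientId on Connect-PnPOnline for your own registered app.

```powershell
# Added example (not from the original post): grant one app Sites.Selected access
# to one site collection at the lowest level that works, verify the grant, and
# show how to audit and revoke it. Placeholder values are constructed.
param(
    [Parameter(Mandatory)] [string] $AppId,          # Application (client) ID of the third-party app
    [Parameter(Mandatory)] [string] $AppDisplayName, # display name stored with the grant
    [Parameter(Mandatory)] [string] $SiteUrl,        # e.g. https://contoso.sharepoint.com/sites/MySite
    [ValidateSet("Read", "Write", "Manage", "FullControl")]
    [string] $Level = "Read"                          # least privilege by default
)

# Connect as a SharePoint admin or site collection admin. Recent PnP PowerShell
# releases also require -ClientId <your own registered app>; add it if prompted.
Connect-PnPOnline -Url $SiteUrl -Interactive

function Get-ExistingGrant {
    # Returns the existing Sites.Selected grant for the app on the connected site,
    # or $null. Only the first grant is used if more than one exists (assumption).
    param([string] $AppId)
    @(Get-PnPAzureADAppSitePermission -AppIdentity $AppId -ErrorAction SilentlyContinue) |
        Select-Object -First 1
}

$grant = Get-ExistingGrant -AppId $AppId
if (-not $grant) {
    # Grant-PnPAzureADAppSitePermission only accepts Read or Write, so the initial
    # grant is capped at Write even when Manage or FullControl was requested.
    $initial = if ($Level -eq "Read") { "Read" } else { "Write" }
    Write-Host "No existing grant for $AppDisplayName; creating '$initial' grant."
    $grant = Grant-PnPAzureADAppSitePermission -AppId $AppId -DisplayName $AppDisplayName `
                -Site $SiteUrl -Permissions $initial
} else {
    Write-Host "Grant already exists (Id $($grant.Id)); not creating a duplicate."
}

if ($Level -in @("Manage", "FullControl")) {
    # Manage and FullControl can only be applied to an existing grant with Set-.
    Write-Host "Raising grant $($grant.Id) to '$Level'."
    Set-PnPAzureADAppSitePermission -Site $SiteUrl -PermissionId $grant.Id -Permissions $Level
}

# Verify: read the grant back. The 'Roles' property name is an assumption taken
# from the Graph permission object; run Format-List on $verify if it differs.
$verify = Get-PnPAzureADAppSitePermission -PermissionId $grant.Id
Write-Host "App $AppDisplayName on $SiteUrl now has roles: $($verify.Roles -join ', ')"

# Audit: list every app grant on this site so unexpected grants stand out.
Write-Host "All app grants on this site:"
Get-PnPAzureADAppSitePermission | Format-List

# Off-boarding: remove the grant when the app no longer needs the site.
# Revoke-PnPAzureADAppSitePermission -PermissionId $grant.Id -Site $SiteUrl -Force
```

Run it as, for example, `.\Grant-SiteAccess.ps1 -AppId <app-id> -AppDisplayName "YourAppName" -SiteUrl https://contoso.sharepoint.com/sites/MySite -Level Write`. Starting at Read and raising the level only when the app's task requires it keeps the grant at least privilege, and the audit listing at the end is what you would re-run periodically to confirm no app holds more than it should.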


