Thursday, February 9, 2023

Azure AD APP API Sites.Selected

Controlling access to SharePoint sites is a recurring problem, whether the access is for a user or for an application.

User permissions can be managed through the site's own permission lists, but application permissions cannot be controlled directly in SharePoint; they are granted to the application through its Graph API configuration, using the Sites.Selected permission.

1) Select Sites.Selected under the API permissions of the requested app.

2) Run the PowerShell script below to allow that app to connect to a specific SharePoint site with only the provided roles.

Install-Module -Name PnP.PowerShell -RequiredVersion 1.12.0

Install-Module PnP.PowerShell
Get-Command -Module PnP.PowerShell

# Connect with PnP Online
# No web login: this works with Get-Credential only, using an account that has Global Admin rights
Connect-PnPOnline -Url "https://miracl.sharepoint.com/sites/testsite-1/" -Credential (Get-Credential)

# Get all lists
Get-PnPList

1) Approach-1

Grant-PnPAzureADAppSitePermission -AppId 'e5b3606c-341c-492f-8b65-e109c94be' -DisplayName 'TESTSP' -Site 'https://miracl.sharepoint.com/sites/testsite-1' -Permissions Write
Grant-PnPAzureADAppSitePermission -AppId 'e5b3606c-341c-492f-8b65-e109c94be' -DisplayName 'TESTSP' -Site 'https://miracl.sharepoint.com/sites/testsite-1' -Permissions Read


Here -DisplayName can be any name; it only serves to identify the configured app.
The command below confirms the applied changes.
Get-PnPAzureADAppSitePermission -Site https://miracl.sharepoint.com/sites/testsite-1
2) Approach-2

This approach needs two cmdlets: first grant Read or Write permissions, then update the grant to Manage or FullControl.

https://www.blimped.nl/running-application-with-limited-sharepoint-permissions/
https://www.leonarmston.com/2022/01/pnp-powershell-csom-now-works-with-sharepoint-sites-selected-permission-using-azure-ad-app/

$PermissionId = Get-PnPAzureADAppSitePermission -AppIdentity e5b3606c-341c-492f-8b65-e109c94be
# $PermissionId holds the permission ID, the granted Roles, and the app's name and ID

Set-PnPAzureADAppSitePermission -Site https://miracl.sharepoint.com/sites/testsite-1 -PermissionId $(($PermissionId).Id) -Permissions "FullControl"
Set-PnPAzureADAppSitePermission -Site https://miracl.sharepoint.com/sites/testsite-1 -PermissionId $(($PermissionId).Id) -Permissions "Read"
Set-PnPAzureADAppSitePermission -Site https://miracl.sharepoint.com/sites/testsite-1 -PermissionId $(($PermissionId).Id) -Permissions "Write"
Set-PnPAzureADAppSitePermission -Site https://miracl.sharepoint.com/sites/testsite-1 -PermissionId $(($PermissionId).Id) -Permissions "Manage"

Revoke the Access

# $siteURL and $appID hold the site URL and the application (client) ID used above
Connect-PnPOnline -Url $siteURL -Interactive
$PermissionId = Get-PnPAzureADAppSitePermission -AppIdentity $appID
Revoke-PnPAzureADAppSitePermission -PermissionId $PermissionId.Id -Force

Test with Client ID and Secret

# Connect as the app itself (client credentials) and verify what the grant lets it do on the site
$abc=Connect-PnPOnline -Url "https://miracl.sharepoint.com/sites/testsite-2" -ClientId "920cf67c-2973-423a-b419-" -ClientSecret "Rol8Q~WyNV_fA0IdCXWfyl5hhq2V5LA5_PMBLakt"
Get-PnPWeb

# A write operation succeeds only if the app was granted Write or higher
New-PnPList -Title "Contoso AD App List" -Template GenericList
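To keep track of which apps hold Sites.Selected grants once several have been configured, here is an added audit script (not part of the original post) that walks a set of sites, lists every app grant with the same Get-PnPAzureADAppSitePermission cmdlet used above, and flags grants at Manage or FullControl. It assumes PnP.PowerShell is installed, that the signed-in account can read app site permissions, and that the returned objects expose Id, Roles and Apps (Id, DisplayName) as shown above; the site URLs are constructed.

```powershell
# Added example, not from the original post: audit Sites.Selected grants per site.
function Get-SitesSelectedAudit {
    param(
        [Parameter(Mandatory)] [string[]] $SiteUrls,
        # Roles treated as elevated; Read/Write are the usual least-privilege levels
        [string[]] $ElevatedRoles = @('Manage', 'FullControl')
    )
    foreach ($url in $SiteUrls) {
        # Interactive sign-in per site (assumption: use certificate auth for unattended runs)
        Connect-PnPOnline -Url $url -Interactive
        $grants = Get-PnPAzureADAppSitePermission -Site $url
        foreach ($g in $grants) {
            $roles = @($g.Roles)
            foreach ($app in $g.Apps) {
                [pscustomobject]@{
                    Site         = $url
                    PermissionId = $g.Id
                    AppId        = $app.Id
                    AppName      = $app.DisplayName
                    Roles        = ($roles -join ',')
                    Elevated     = [bool]($roles | Where-Object { $ElevatedRoles -contains $_ })
                }
            }
        }
    }
}

# Usage with constructed site URLs
$report = Get-SitesSelectedAudit -SiteUrls @(
    'https://miracl.sharepoint.com/sites/testsite-1',
    'https://miracl.sharepoint.com/sites/testsite-2'
)
$report | Format-Table -AutoSize

# Grants to review and scope back down with Set-PnPAzureADAppSitePermission,
# or remove with Revoke-PnPAzureADAppSitePermission
$report | Where-Object Elevated | Format-Table Site, AppName, Roles
```

The Elevated column gives a quick list of apps whose grant exceeds Read/Write, which is what the Approach-2 update and the revoke steps above change.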


###################
The complete script is given in another blog post.
###################
