A client requested an app registration with access to a SharePoint Online site. When checking the permissions needed, I found that only the Graph API application permission Sites.ReadWrite.All was available to configure, which grants access to every site in the tenant.
As I always want to grant permissions based on the least-privilege principle, I needed a way to narrow the permissions down.
So to narrow this down and give the AppRegistration permissions to a single site we need PowerShell.
Make sure you have PowerShell 7.2 or above and follow the steps below.
Copy the Application ID and display name of the app registration you created.
# Install the PnP.PowerShell module
Install-Module PnP.PowerShell

# Target site URL: enter the SharePoint Online site you want to grant permissions on.
# The -Interactive switch is needed to support sign-in with MFA enabled.
$targetSiteURL = 'https://<companyname>.sharepoint.com/sites/<sitename>'
Connect-PnPOnline -Url $targetSiteURL -Interactive

# Grant the permissions (valid values for -Permissions: Read, Write, Manage, FullControl)
Grant-PnPAzureADAppSitePermission -AppId '<AppID>' -DisplayName '<DisplayName>' -Site $targetSiteURL -Permissions Write

# Check that the permissions are set correctly.
Get-PnPAzureADAppSitePermission -Site $targetSiteURL
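To make the check above something you can rerun as a least-privilege review, here is an added example (my own script, not part of the original post) that lists every app grant on the site, flags grants holding Manage or FullControl, and resets this app's grant to Write if it has drifted. It assumes the same placeholder URL and App ID as above, that the `Roles` and `Apps` properties of `Get-PnPAzureADAppSitePermission` output are as documented by PnP, and that the app registration itself holds only the Graph application permission Sites.Selected.

```powershell
# Added audit example (not from the original post). For the site-level grant to be the
# effective limit, the app registration must hold Sites.Selected rather than
# Sites.ReadWrite.All; a tenant-wide permission is not narrowed by a site grant.
$targetSiteURL = 'https://<companyname>.sharepoint.com/sites/<sitename>'   # placeholder
$appId         = '<AppID>'                                                   # placeholder
$expectedRoles = @('write')   # the only role this app should hold on the site

Connect-PnPOnline -Url $targetSiteURL -Interactive

# Review all app grants on the site, not only ours: a stray FullControl grant from
# another app is exactly what a least-privilege review should surface.
$grants = Get-PnPAzureADAppSitePermission -Site $targetSiteURL

foreach ($grant in $grants) {
    $appNames = ($grant.Apps | ForEach-Object { "$($_.DisplayName) ($($_.Id))" }) -join ', '
    # Role strings are normalised to lowercase so the comparison does not depend on casing.
    $roles    = @($grant.Roles | ForEach-Object { $_.ToLower() })
    $tooBroad = $roles | Where-Object { $_ -in @('manage', 'fullcontrol') }
    $flag     = if ($tooBroad) { 'REVIEW' } else { 'ok' }
    Write-Host ("[{0}] {1} -> {2}" -f $flag, $appNames, ($roles -join ','))
}

# Tighten our own app's grant if it holds anything other than the expected role.
$ours = $grants | Where-Object { $_.Apps.Id -contains $appId } | Select-Object -First 1
if (-not $ours) {
    Write-Warning "No site grant found for app $appId; run Grant-PnPAzureADAppSitePermission first."
}
else {
    $current = @($ours.Roles | ForEach-Object { $_.ToLower() })
    if (Compare-Object -ReferenceObject $current -DifferenceObject $expectedRoles) {
        Set-PnPAzureADAppSitePermission -Site $targetSiteURL -PermissionId $ours.Id -Permissions Write
        Write-Host "Grant $($ours.Id) for app $appId reset to Write."
    }
    else {
        Write-Host "Grant $($ours.Id) for app $appId already matches the expected role."
    }
}
```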
