NIC Documentation

SharePoint Online - Access to Specific Sites

SharePoint Online - Selected Site

Information

For some reason, the “Sites.FullControl.All” permission must be present in the App Registration's API permissions before Read access to a specific site can be added. “Sites.FullControl.All” can be removed later, once all needed read permissions have been added. We also think this is strange, but trust us: we have tried to complete this task without this permission and it has never been successful.

Note: You will need to be able to use the Graph API or PnP.PowerShell in order to complete this task.

Visual Demonstration

flowchart LR
A(App Reg.) --> |Add Permissions| B(Sites.Selected, Sites.FullControl.All)
B(Sites.Selected, Sites.FullControl.All) --> C{Tool}
C --> |PnP.PowerShell| D(Role:Read to Site Id)
C --> |MS Graph API| E(Role:Read to Site Id)
D --> |Remove: Sites.FullControl.All| F(Permissions: Sites.Selected)
E --> |Remove: Sites.FullControl.All| F(Permissions: Sites.Selected)

Prerequisites

You need to have permissions to create App Registrations in Azure Active Directory in order to complete this.

Read more at Microsoft

Actions to take:

  1. Login to Azure: portal.azure.com

  2. Open Azure Active Directory

  3. Navigate to App registrations and select New registration

  4. Enter a Name and press Register (leave all else as default)

  5. Navigate to API permissions and select Add a permission

  6. Select the tab Microsoft APIs > Microsoft Graph > Application permissions and add:

    • Sites.Selected
    • Sites.FullControl.All (will be removed later)
  7. Add the Read Role to the Application for each SharePoint Site by using either PnP.PowerShell or Microsoft Graph API

    Video on youtube from Microsoft Expert

    Through PnP.PowerShell

    ## Connect to the site (replace {tenant} and {site} with your own values)
    Connect-PnPOnline 'https://{tenant}.sharepoint.com/sites/{site}' -Interactive
    ## Example: https://contoso.sharepoint.com/sites/demosite

    ## Values from the Application Registration created in the steps above
    $AppRegId     = '0a00a000-000a-11a1-1111-0000a0a0a0a0'        # Application (client) ID
    $NameOfAppReg = 'Demo-AppReg'                                 # Display name of the App Registration
    $site         = 'https://contoso.sharepoint.com/sites/demosite'  # Site to grant Read access to

    ## Do this for each site that the Application Registration should have access to.
    Grant-PnPAzureADAppSitePermission -AppId $AppRegId -DisplayName $NameOfAppReg -Site $site -Permissions Read

    ## Example: Grant-PnPAzureADAppSitePermission -AppId '0a00a000-000a-11a1-1111-0000a0a0a0a0' -DisplayName 'Demo-AppReg' -Site 'https://contoso.sharepoint.com/sites/demosite' -Permissions Read
    

    Through Microsoft Graph API

    POST https://graph.microsoft.com/v1.0/sites/{siteId}/permissions
    Content-Type: application/json

    {
      "roles": ["read"],
      "grantedToIdentities": [
        {
          "application": {
            "id": "0a00a000-000a-11a1-1111-0000a0a0a0a0",
            "displayName": "AppName"
          }
        }
      ]
    }
    
  8. Remove the Sites.FullControl.All permission in the Application Registrations view.
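As an added example (not code from the original page or from the PnP.PowerShell project), the script below carries out step 7 for several sites in one run and then performs the check a reviewer would want before step 8: that the application holds only the read role on each site. The application ID, display name and site URLs are placeholders you replace with your own.

```powershell
# Added example: grant the App Registration Read access to a list of sites
# with PnP.PowerShell and verify that no broader role was granted.
# Assumptions: PnP.PowerShell is installed, you can sign in interactively with
# an account that may grant site permissions, and the values below are placeholders.

$AppRegId     = '00000000-0000-0000-0000-000000000000'   # placeholder: Application (client) ID
$NameOfAppReg = 'Demo-AppReg'                            # placeholder: display name of the App Registration
$Sites = @(                                              # placeholder site URLs
    'https://contoso.sharepoint.com/sites/demosite',
    'https://contoso.sharepoint.com/sites/finance'
)

foreach ($site in $Sites) {
    # Sites.Selected permissions are scoped per site, so connect and grant per site.
    # Newer PnP.PowerShell releases also require -ClientId on Connect-PnPOnline.
    Connect-PnPOnline -Url $site -Interactive

    # Skip sites where the application already has a permission entry.
    $existing = Get-PnPAzureADAppSitePermission -AppIdentity $AppRegId -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "$site : already granted, roles = $($existing.Roles -join ',')"
    } else {
        Grant-PnPAzureADAppSitePermission -AppId $AppRegId -DisplayName $NameOfAppReg -Site $site -Permissions Read | Out-Null
        Write-Host "$site : Read granted"
    }

    # Least-privilege check: any role other than 'read' on this site is a finding.
    $perms = Get-PnPAzureADAppSitePermission -AppIdentity $AppRegId
    foreach ($p in $perms) {
        $extra = $p.Roles | Where-Object { $_ -ne 'read' }   # -ne is case-insensitive
        if ($extra) {
            Write-Warning "$site : application has roles [$($p.Roles -join ',')], expected only 'read'"
        } else {
            Write-Host "$site : OK, roles = $($p.Roles -join ',')"
        }
    }
}

# Once every site reports OK, continue with step 8 and remove Sites.FullControl.All
# from the App Registration; the per-site Read grants remain in place.
```

Run this after step 6, while Sites.FullControl.All is still on the App Registration; the warning branch is the signal to fix a site before removing the broad permission in step 8.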