Controlling app access on specific SharePoint site collections

Imagine your automation processes suddenly failing because the SharePoint secrets they use have expired, cutting off access to a key SharePoint site and bringing operations to a halt. After you reach out to the IT team, they promptly replace the outdated app in Azure Apps with a new one and generate fresh credentials: a tenant ID, secrets, and an Application (Client) ID. These credentials are vital for your automation workflows, since they are what grants access to the SharePoint platform, including specific sites.

However, a new challenge arose when the IT team assigned the “Sites.Selected” permission under Microsoft Graph > Sites. By default, this permission grants access to no SharePoint site collection at all until access is explicitly configured per site. With only the “Sites.Selected” permission assigned, the application was denied access to the SharePoint sites it needed.

To give the app access to specific sites within SharePoint, explicit permissions need to be granted for each site. The IT team and your team need to collaborate and follow specific steps whenever permissions are set up for a newly created application.

In this post, I’ll outline these collaborative steps to help ensure full access to SharePoint sites moving forward.

Steps:

1. Azure App Setup (Initial Configuration)

  • Azure App Creation: The IT team creates the app in Azure AD and shares the app name, Application (Client) ID, Tenant ID and secrets with you.
  • Permission Assignment: The app is assigned the “Sites.Selected” permission. This does not automatically grant access to any SharePoint site, but it allows access to specific sites to be configured later via the Microsoft Graph API.
(Screenshot: Microsoft Graph Sites permission)

2. App Attempts to Access SharePoint Site

  • App Request: The app attempts to access a SharePoint site collection (e.g., to read/write data).
  • Initial Denial: Since the app has only the “Sites.Selected” permission, access is denied to any SharePoint site unless permissions are explicitly granted.

3. Admin Grants Site Permissions (via Microsoft Graph API)

  • Prepare the API request and share it with the IT team; the SharePoint admin will call it to grant access to a specific site (MSSP) within SharePoint.
  • API Call (POST /permissions): The SharePoint admin calls the following API in Graph Explorer:
Method: POST
API: https://graph.microsoft.com/v1.0/sites/site_id_comes_here/permissions
Request Body:
{
    "roles": [
        "read",
        "write"
    ],
    "grantedToIdentities": [
        {
            "application": {
                "id": "application_id_comes_here",
                "displayName": "application_name_comes_here"
            }
        }
    ]
}
(Screenshot: Graph Explorer)

Replace the application ID and display name with the new app data shared by the IT team. If the site is managed by the IT team, get the Site ID from them; if your team manages it, you can get it easily by making the following API call in Graph Explorer:

GET https://graph.microsoft.com/v1.0/sites?search=your_site_name

(Screenshot: Graph Explorer)
  • Roles & Permissions: The request grants specific roles (e.g., “read” or “write”) for the SharePoint site, defining what actions the app can perform.

4. App Receives Access

  • Access Granted: Once the API call succeeds, the app holds the granted roles (e.g., read, write) for the specified SharePoint site and its requests are no longer denied.
(Diagram: Site access workflow)
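The whole procedure above, as an added Python example (not code from the original post): build the POST body from step 3, resolve the Site ID from the search call, and afterwards audit the site's permission list so you can confirm the new app holds exactly the intended roles and that no unexpected application has a grant on the site. The Graph URLs and JSON shapes are the ones the post shows; the function names, placeholder IDs and sample responses are constructed for this example.

```python
"""Helpers for the Sites.Selected grant-and-verify procedure above.

Added example, not code from the original post. The site ids, app ids and
Graph responses below are constructed samples, not real tenant data.
"""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Only the roles the post grants; a typo such as "owner" is rejected here
# instead of being sent to Graph.
ALLOWED_ROLES = {"read", "write"}


def build_site_permission_request(site_id, app_id, display_name, roles):
    """Return (method, url, body) for POST /sites/{site-id}/permissions.

    app_id must be the Application (Client) ID the IT team shared, not the
    object id of the enterprise application.
    """
    if not site_id or not app_id:
        raise ValueError("site_id and app_id are required")
    unknown = set(roles) - ALLOWED_ROLES
    if unknown:
        raise ValueError(f"unsupported roles: {sorted(unknown)}")
    body = {
        "roles": sorted(set(roles)),
        "grantedToIdentities": [
            {"application": {"id": app_id, "displayName": display_name}}
        ],
    }
    return "POST", f"{GRAPH}/sites/{site_id}/permissions", body


def site_id_from_search(search_response, site_name):
    """Pick one site id out of GET /sites?search= output.

    Search is fuzzy, so insist on exactly one exact name match rather than
    granting access to whatever came back first.
    """
    hits = [s for s in search_response.get("value", [])
            if s.get("name", "").lower() == site_name.lower()]
    if len(hits) != 1:
        raise LookupError(
            f"expected one site named {site_name!r}, found {len(hits)}")
    return hits[0]["id"]


def audit_site_permissions(permissions_response, expected_app_id):
    """Summarise GET /sites/{site-id}/permissions output.

    Returns (roles granted to expected_app_id, ids of any other apps that
    hold a grant on the site). A non-empty second value deserves a review.
    """
    granted, other_apps = set(), set()
    for perm in permissions_response.get("value", []):
        for identity in perm.get("grantedToIdentities", []):
            app = identity.get("application")
            if not app:
                continue
            if app.get("id") == expected_app_id:
                granted.update(perm.get("roles", []))
            else:
                other_apps.add(app.get("id"))
    return granted, other_apps


def send_graph_request(method, url, body, access_token):
    """Send a prepared request with a bearer token (needs network access)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample data (placeholder ids, not captured from a real tenant).
APP_ID = "11111111-1111-1111-1111-111111111111"
OTHER_APP_ID = "22222222-2222-2222-2222-222222222222"
SEARCH_SAMPLE = {"value": [
    {"id": "contoso.sharepoint.com,aaaaaaaa-0000-0000-0000-000000000001,bbbbbbbb-0000-0000-0000-000000000002",
     "name": "MSSP"},
    {"id": "contoso.sharepoint.com,cccccccc-0000-0000-0000-000000000003,dddddddd-0000-0000-0000-000000000004",
     "name": "MSSP-Archive"},
]}
PERMISSIONS_SAMPLE = {"value": [
    {"id": "perm-1", "roles": ["read", "write"],
     "grantedToIdentities": [{"application": {"id": APP_ID, "displayName": "Automation App"}}]},
    {"id": "perm-2", "roles": ["write"],
     "grantedToIdentities": [{"application": {"id": OTHER_APP_ID, "displayName": "Legacy App"}}]},
]}

if __name__ == "__main__":
    site_id = site_id_from_search(SEARCH_SAMPLE, "MSSP")
    method, url, body = build_site_permission_request(
        site_id, APP_ID, "Automation App", ["read", "write"])
    print(method, url)
    print(json.dumps(body, indent=2))
    granted, others = audit_site_permissions(PERMISSIONS_SAMPLE, APP_ID)
    print("granted:", sorted(granted), "other apps with access:", sorted(others))
```

The audit step is the part worth keeping around: Sites.Selected grants are per site and per app, so listing a site's permissions after the grant is the quickest way to confirm the new app (and only the intended apps) can reach it. The `id` inside `grantedToIdentities` must be the Application (Client) ID shared by the IT team, not the object ID of the enterprise application.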

This setup will give you the required access. Feel free to ask if any assistance is required.

About the Author:

Muhammad Zeeshan

Security Engineer at Ebryx | Cyber Security | SOC | Cloud

Reference:

Zeeshan, M. (2024). Controlling app access on a specific SharePoint site collections. Medium, September 2024. [Accessed: 26 September 2024].
