Use Sites.Selected application permission in Microsoft Graph

You are building an application that accesses your SharePoint through the Microsoft Graph API. For a long time the only option was to give your application access to "SharePoint" as a whole, meaning it potentially had access to everything stored there. From a security standpoint this is not good: suddenly all confidential data is accessible through one app.

Then Microsoft released a new API permission called "Sites.Selected". This permission allows you to grant access per site collection, but it needs additional setup to work, which I will show you in this article.

(Image: available API permission scopes for sites)

Prerequisites

To do this, we need two app registrations. One is associated with the application we are creating and the other one is used solely for permission administration.

The admin app needs the following API permission scope: Sites.FullControl.All (as this permission is very powerful, be mindful about handing out its credentials).

The project app now only needs the Sites.Selected scope.

Create a permission on the site collection

First you need to identify the site id of your site collection. You can easily get this by using your browser.
https://<tenant>.sharepoint.com/sites/<site-url>/_api/site/id

<d:Id 
  xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" 
  xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata" 
  xmlns:georss="http://www.georss.org/georss" 
  xmlns:gml="http://www.opengis.net/gml" 
  m:type="Edm.Guid">
  THIS_IS_YOUR_ID
</d:Id>

With that out of the way we can now create a permission on that site collection. Use the following endpoint:

POST https://graph.microsoft.com/v1.0/sites/{sitesId}/permissions

To make the request complete we need to add a JSON body.

{
  "roles": ["write"],
  "grantedToIdentities": [{
    "application": {
      "id": "YOUR_APPS_CLIENT_ID",
      "displayName": "YOUR_APPS_NAME"
    }
  }]
}

Role options: read, write, owner
Replace id with the client id of your project's app registration.
The displayName does not have to match, but to keep it simple, use the name of the app registration.

When this is done you can use your app registration to connect to this site collection as you are used to.
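The whole procedure above in one script, as an added example that is not code from the original article: the admin app (Sites.FullControl.All) obtains a client-credentials token and POSTs the permission for the project app (Sites.Selected) to the site collection. Tenant id, both client ids, the admin secret and the site id are placeholders read from environment variables; only the standard library is used.

```python
import json
import os
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
ALLOWED_ROLES = {"read", "write", "owner"}  # role values the article lists


def build_permission_body(client_id: str, display_name: str, roles: list) -> dict:
    """JSON body for POST /sites/{siteId}/permissions; rejects roles Graph does not accept."""
    unknown = set(roles) - ALLOWED_ROLES
    if unknown:
        raise ValueError(f"unsupported role(s) {sorted(unknown)}; use one of {sorted(ALLOWED_ROLES)}")
    return {
        "roles": list(roles),
        "grantedToIdentities": [{"application": {"id": client_id, "displayName": display_name}}],
    }


def permissions_url(site_id: str) -> str:
    return f"{GRAPH}/sites/{site_id}/permissions"


def get_app_token(tenant: str, client_id: str, client_secret: str) -> str:
    """Client-credentials token (v2.0 endpoint) carrying the app's application permissions."""
    form = urllib.parse.urlencode({
        "client_id": client_id, "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default", "grant_type": "client_credentials",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=form)) as resp:
        return json.load(resp)["access_token"]


def grant_site_permission(admin_token: str, site_id: str, body: dict) -> dict:
    """POST the permission using the admin app (Sites.FullControl.All); returns the created object."""
    req = urllib.request.Request(permissions_url(site_id), data=json.dumps(body).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {admin_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholders: supply your tenant, both app registrations and the site id via the environment.
    env = os.environ
    token = get_app_token(env["TENANT_ID"], env["ADMIN_CLIENT_ID"], env["ADMIN_CLIENT_SECRET"])
    body = build_permission_body(env["PROJECT_CLIENT_ID"], env["PROJECT_APP_NAME"], ["write"])
    print(json.dumps(grant_site_permission(token, env["SITE_ID"], body), indent=2))
```

The returned permission object contains an id you can later pass to DELETE /sites/{siteId}/permissions/{permissionId} with the admin app to revoke the grant again.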
