Over the past year Microsoft has released Sites.Selected permissions for both Microsoft Graph and SharePoint, which can be granted to an Azure AD App (App Registration). By default an app with Sites.Selected permissions has no access to any SharePoint site; it has to be explicitly added to each site it will administer, either through Microsoft Graph or with PnP PowerShell (Grant-PnPAzureADAppSitePermission). Both processes only give the app Read or Write permissions on the site, not Full Control.
See my earlier blogs on Sites.Selected for Microsoft Graph & SharePoint:
- Microsoft Graph: Testing out the new Microsoft Graph SharePoint (specific site collection) app permissions with PnP PowerShell
- SharePoint: PnP PowerShell/CSOM Now Works With SharePoint Sites.Selected Permission using Azure AD App
I did some testing of the permissions, and the Write permission is unfortunately more like a standard Contribute permission in a SharePoint site, i.e. you can add content to libraries but not create new libraries or change the structure of existing ones. What I wanted was a permission object for the application on the site with FullControl, able to do everything in the site, i.e. create, read, update and delete.
When an app has Sites.Selected Full Control permission it is possible to add a new list etc. and the app has the same rights as the SharePoint Full Control permission level.
Guide: How to add an Azure AD app with SharePoint Sites.Selected permission to sites with Full Control
I will now show you below, with a script, how you can assign an existing Azure AD App (to create a new Azure AD App use Register-PnPAzureADApp) with SharePoint Sites.Selected permissions to a site with Full Control using PnP PowerShell. The same approach could also be used for Microsoft Graph Sites.Selected permissions, except that line 22 (New-PnPList) will not work, because most PnP PowerShell cmdlets use CSOM behind the scenes rather than Microsoft Graph. In that case you will need to use Microsoft Graph calls for administering SharePoint rather than PnP cmdlets.
The trick with the script below is that in Microsoft Graph it is not currently possible to create a permission object in a site with Full Control permissions, only Read or Write. So you first create a permission object on the site with Read/Write permissions using Grant-PnPAzureADAppSitePermission (line 12). Next, get the Permission ID of the permission object just created using Get-PnPAzureADAppSitePermission (line 15). Then use Set-PnPAzureADAppSitePermission to upgrade that permission object from Read/Write to FullControl (line 18).
Finally, connect using your SharePoint Sites.Selected app (line 21) and test that Full Control has been applied by creating a new list in the site (line 24).
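The four steps above, written out as an added example (this is not the post's own script). The site URL, app (client) id, tenant and certificate thumbprint are placeholders you replace with your own; the example assumes the app registration already holds the SharePoint Sites.Selected application permission with a certificate uploaded, that the interactive connection is made as a site owner or SharePoint admin, and that the permission objects returned by Get-PnPAzureADAppSitePermission expose Id and Roles properties as they do in current PnP PowerShell. It adds a check that the role really changed before connecting as the app.

```powershell
# Added example, not the original post's script. All values below are placeholders.
$SiteUrl    = "https://contoso.sharepoint.com/sites/DemoSite"   # placeholder site
$AppId      = "00000000-0000-0000-0000-000000000000"             # placeholder client id of the Sites.Selected app
$Tenant     = "contoso.onmicrosoft.com"                          # placeholder tenant
$Thumbprint = "<certificate-thumbprint>"                         # placeholder; cert uploaded to the app registration

# Step 1: connect as a site owner / SharePoint admin so we can manage the site's app permissions.
Connect-PnPOnline -Url $SiteUrl -Interactive

# Step 2: grant the app Write on this one site. Graph only allows Read or Write when the object is created.
Grant-PnPAzureADAppSitePermission -AppId $AppId -DisplayName "Sites.Selected demo app" -Permissions Write -Site $SiteUrl

# Step 3: look up the permission object just created and take its Id.
$perm = Get-PnPAzureADAppSitePermission -AppIdentity $AppId -Site $SiteUrl
Write-Host "Before: $($perm.Id) -> $($perm.Roles -join ',')"

# Step 4: upgrade the existing permission object to FullControl.
Set-PnPAzureADAppSitePermission -PermissionId $perm.Id -Permissions FullControl -Site $SiteUrl

# Verify the role actually changed before relying on it (assumes a Roles string array on the object).
$after = Get-PnPAzureADAppSitePermission -PermissionId $perm.Id -Site $SiteUrl
if ($after.Roles -notcontains "FullControl") {
    throw "Permission $($perm.Id) is still '$($after.Roles -join ',')', not FullControl"
}
Write-Host "After:  $($after.Id) -> $($after.Roles -join ',')"

# Step 5: connect as the app itself (certificate auth) and prove Full Control by creating a list,
# something the Write role alone does not allow.
Connect-PnPOnline -Url $SiteUrl -ClientId $AppId -Tenant $Tenant -Thumbprint $Thumbprint
New-PnPList -Title "FullControlTest" -Template GenericList
Get-PnPList -Identity "FullControlTest" | Select-Object Title, Created
```

Run Step 5 in a fresh session (or after Disconnect-PnPOnline) so the list is created under the app's identity rather than the interactive user's; if New-PnPList succeeds there, the upgraded permission object is in effect. Get-PnPAzureADAppSitePermission with -AppIdentity gives you a quick way to audit which apps hold FullControl on a site afterwards, and Set-PnPAzureADAppSitePermission can move a permission object back down to Write on sites where the app only needs to add content.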
I hope this is helpful for some people. I’m not sure if this is by design (I don’t think so) or a bug in MS Graph that needs to be fixed to allow permission objects to be created with Full Control rather than just Read/Write. Hopefully it will be sorted soon; in the meantime the script above gives me a workaround, and hopefully it helps others needing Full Control with Sites.Selected permissions.
Let me know if you have any thoughts or comments, or if you found this helpful.