sp-dev-docs
Granting permissions to subset of site collections using Sites.Selected permissions
**What type of issue is this?** Question

**What SharePoint development model, framework, SDK or API is this about?** SharePoint CSOM

**Target SharePoint environment:** SharePoint Online

**What browser(s) / client(s) have you tested**
- [ ] 💥 Internet Explorer
- [ ] 💥 Microsoft Edge
- [ ] 💥 Google Chrome
- [ ] 💥 FireFox
- [ ] 💥 Safari
- [ ] mobile (iOS/iPadOS)
- [ ] mobile (Android)
- [ ] not applicable
- [ ] other (enter in the "Additional environment details" area below)
**Additional environment details**
- browser version
- SPFx version
- Node.js version
- etc

**Issue description**
Hello,
As recently announced, SharePoint Add-Ins will soon be retired, and starting from November 2024, new tenants will no longer be able to use SharePoint Add-Ins, regardless of their origin (public marketplace or private tenant catalog).
Our company has developed numerous provider-hosted SharePoint Add-Ins deployed across various organizations. We are currently exploring options to migrate these solutions to the Web App type registered in Azure Entra. The provider-hosted SharePoint Add-Ins currently utilize CSOM, making the migration path easiest through SharePoint API permissions. The required permissions are limited to accessing SharePoint data (such as AllSites.FullControl, AllSites.Manage, AllSites.Read...) and application permissions (Sites.FullControl.All, Sites.ManageAll, Sites.ReadAll, Sites.Selected).
However, permissions like AllSites.Read or Sites.ReadAll grant access to sensitive data that cannot be provided to our apps. Therefore, permissions like Sites.Selected would ideally suit our needs. Unfortunately, while attempting to use these permissions, we have found it challenging to control which sites are permitted access and to manage these permissions via the UI or admin center. The web app permission consent screen suggests configuration possibilities within SharePoint Online, but I believe this information is incorrect.
Could anyone confirm if there are current possibilities or future plans to implement UI-based management of SharePoint permissions for the Web App by admins? I'm aware of alternatives like the MS Graph API or PowerShell for granting and managing permissions. However, these methods might be cumbersome and won't allow for easy adoption of the web app without detailed instructions for admins on configuring SP permissions.
Thank you, Martin
Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.
After further research, I discovered that you can assign permissions to the app for a particular site using the MS Graph API, but your app must have Sites.FullControl.All permissions (https://learn.microsoft.com/en-us/graph/api/site-post-permissions?view=graph-rest-1.0&tabs=http). This requirement seems like too much overhead. Additionally, while you can develop a second web app for permission management that utilizes MS Graph and Sites.FullControl.All permissions, this approach seems absurd.
Great description @remar27.
I've recently got to a similar issue where I need to grant "Sites.FullControl.All" to my Generative AI platform Application ID in order to pull site group permissions when executing indexing of SharePoint sites. Our Cyber Security and SharePoint teams did not like it for obvious reasons, and we had to escalate it internally to Microsoft.
Long story short, the only solution we found was to centralize the control of the Application ID to a specific team in our organization and construct an API wrapper around it to constrain our platform's actions to the SharePoint site through Graph API.
@nick-pape have we got any progress on this topic you could share with us or a suggestion for workaround? Thank you!
@remar27, The Sites.Selected permission works as designed, but there's currently no UI support to manage it easily in the SharePoint or Microsoft 365 Admin Center. Admins are forced to use Graph API or PowerShell, which requires over-privileged permissions just to assign limited access — this creates unnecessary complexity and security concerns. This is not a bug but a feature request. You can officially submit a feature request here: https://feedbackportal.microsoft.com/feedback/forum/06735c62-321c-ec11-b6e7-0022481f8472
Hey @Ashlesha-MSFT - is it possible to use Graph API or PowerShell to assign permissions without an Azure Subscription? I want to use Sites.Selected and give an App permissions to one specific site collection. We use SharePoint, and a number of other Microsoft 365 apps, so we have access to the Azure Portal, however we don't have an Azure Subscription.
@derekjavier, You can grant an app access to specific SharePoint sites via Sites.Selected by doing the following:

1. App Registration
   - Go to https://entra.microsoft.com
   - Register a new application
   - Under API permissions, add:
     - Sites.Selected (Application permission under Microsoft Graph)
   - Grant admin consent

   You can do this without an Azure subscription.

2. Assign Permissions to Specific Sites

   Once your app has Sites.Selected, it won't have access to any sites by default. You must grant it access to specific site collections using either:

   Option A: PowerShell (PnP.PowerShell)

   ```powershell
   Connect-PnPOnline -Url "https://yourtenant.sharepoint.com/sites/yoursite" -PnPManagementShell
   Grant-PnPAzureADAppSitePermission -AppId "<app-id>" -DisplayName "<app-name>" -Permissions Write
   ```

   Option B: Microsoft Graph API

   Use:

   ```http
   POST https://graph.microsoft.com/v1.0/sites/{site-id}/permissions
   Content-Type: application/json

   {
     "roles": ["read", "write"],
     "grantedToIdentities": [
       {
         "application": {
           "id": "<app-id>",
           "displayName": "<app-name>"
         }
       }
     ]
   }
   ```

Both options work without an Azure subscription.
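As an added example (not from this thread, PnP, or Microsoft): a small Python helper that builds the Option B request body with a least-privilege guard on the roles, and audits the listing an admin gets back from `GET /sites/{site-id}/permissions` so every grant that is not read-only is surfaced for review. The sample listing is constructed to match that response shape; the app ids and names are placeholders.

```python
# Policy guard: the roles this thread's Option B uses. Widen deliberately if a
# site genuinely needs more; the guard turns an over-broad grant into a code change.
ALLOWED_ROLES = {"read", "write"}


def build_grant_body(app_id: str, display_name: str, roles: list[str]) -> dict:
    """Return the POST /sites/{site-id}/permissions body shown in Option B."""
    bad = set(roles) - ALLOWED_ROLES
    if bad:
        raise ValueError(f"roles outside the allowed set: {sorted(bad)}")
    return {
        "roles": sorted(set(roles)),
        "grantedToIdentities": [
            {"application": {"id": app_id, "displayName": display_name}}
        ],
    }


def audit_site_grants(listing: dict) -> list[dict]:
    """One row per app grant in a GET /sites/{site-id}/permissions listing."""
    rows = []
    for perm in listing.get("value", []):
        # Newer responses carry the app under grantedToIdentitiesV2, older ones
        # under grantedToIdentities; accept either so the audit is not silently empty.
        idents = perm.get("grantedToIdentitiesV2") or perm.get("grantedToIdentities") or []
        for ident in idents:
            app = ident.get("application")
            if not app:
                continue
            roles = sorted(perm.get("roles", []))
            rows.append({
                "permission_id": perm.get("id"),
                "app_id": app.get("id"),
                "app_name": app.get("displayName"),
                "roles": roles,
                # Anything beyond read-only should be periodically re-justified.
                "needs_review": roles != ["read"],
            })
    return rows


# Constructed sample listing for one site; the ids and names are placeholders.
SAMPLE_LISTING = {"value": [
    {"id": "perm-1", "roles": ["read"], "grantedToIdentitiesV2": [
        {"application": {"id": "<app-id-1>", "displayName": "Reporting Reader"}}]},
    {"id": "perm-2", "roles": ["write"], "grantedToIdentities": [
        {"application": {"id": "<app-id-2>", "displayName": "Migrated Add-in"}}]},
]}
```

Feeding a real listing into `audit_site_grants` gives the per-site inventory the admin center does not yet show; the `permission_id` in each row is what a later revoke call would need.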
Based on Microsoft's confirmation (https://github.com/SharePoint/sp-dev-docs/issues/10432#issuecomment-3490793110), the Sites.Selected permission works as designed. It can only be granted at the site collection, list/library, or item/file levels, not at the subsite level.
Closing as “by design”