When building SharePoint apps, one of the key considerations is ensuring your app has the right level of access to perform its tasks, no more and no less. Over-permissioning creates security risk (a compromised client secret or certificate then exposes every site in the tenant), while under-permissioning breaks functionality. Fortunately, Microsoft Graph offers granular, "selected" permissions such as Sites.Selected and Lists.SelectedOperations.Selected, which grant the app nothing by default and let an admin scope access to a specific site or list in SharePoint. In this post, I’ll explain how to configure these permissions effectively.
If you don’t know how to create an app registration, this blogpost covers how to do so. After creating it, go to API permissions, choose Microsoft Graph, select Application permissions, and add Sites.Selected (for site-level access) or Lists.SelectedOperations.Selected (for list-level access). Remember that the permission alone grants access to nothing; the grants described below are what actually give the app access.
Get site ID
First you need the full site ID. This is a composite value made up of your SharePoint hostname, the site collection ID and the web ID, separated by commas. The quickest way to get it is to use Graph Explorer and send a GET request to the following endpoint:
https://graph.microsoft.com/v1.0/sites/{YOUR_DOMAIN}.sharepoint.com:/sites/{NAME_OF_SITE}/
This returns a response like the one below; copy the whole value of id, in the form {your_domain}.sharepoint.com,{some-guid},{some-other-guid}. All three parts are needed; the hostname alone or a single GUID will not work against the permissions endpoint.
{
  # .... (shortened for readability)
  "description": "DMO-site",
  "id": "YOURDOMAIN.sharepoint.com,26192b3a-c1b9-4849-9f80-bfc66c12345a,159b904f-9880-481e-ac3f-12345da331f9",
  "lastModifiedDateTime": "2024-12-17T11:35:08Z",
  "name": "DMO-site",
  "webUrl": "https://YOURDOMAIN.sharepoint.com/sites/DMO-site",
  # ....
}
When you have the site ID you are ready to set the permissions you want.
Give granular permissions to a site (Sites.Selected)
Note: to be allowed to set these permissions you need to be signed in as a user (or app) with admin privileges; it is not enough to be an owner of the SharePoint site. If you are using Graph Explorer, open the Modify permissions tab and consent to Sites.FullControl.All for the session. This is a tenant-wide privilege, so do it from an admin account you would expect to hold it, and only for as long as you need it.
Another way to grant permissions to your site collection is PnP PowerShell (Grant-PnPAzureADAppSitePermission), which provides a straightforward approach for managing these grants. However, I typically prefer using Microsoft Graph for this task, so that’s what I’ll cover in this blogpost.
Using the ID you got in the previous step make a POST request to the graph endpoint:
https://graph.microsoft.com/v1.0/sites/{site-id}/permissions
With this JSON in the body of your request (use "read" instead of "write" if the app only needs to read):
{
  "roles": [ "write" ],
  "grantedToIdentities": [
    {
      "application": {
        "id": "YOUR_APP_REG_ID",
        "displayName": "YOUR_APP_REG_NAME"
      }
    }
  ]
}
And that’s it: your app registration now has write permission on the selected site, and nothing else. You can verify the grant with a GET request to the same /sites/{site-id}/permissions endpoint, and revoke it later with a DELETE request to /sites/{site-id}/permissions/{permission-id}.
Give permissions to a list (Lists.SelectedOperations.Selected)
Granting your app granular permissions at the list level is a relatively new capability in SharePoint development, so you’ll need to use Microsoft Graph’s beta endpoint to configure it. Below is an example of how to make the POST request. To find the list ID, enumerate the site’s lists with a GET request to https://graph.microsoft.com/v1.0/sites/{site-id}/lists and copy the id of the list you want.
https://graph.microsoft.com/beta/sites/{site-id}/lists/{list-id}/permissions
Note that the body of this request is slightly different from the one used at site level: it uses a single grantedTo object instead of the grantedToIdentities array.
{
  "roles": [ "write" ],
  "grantedTo": {
    "application": {
      "id": "YOUR_APP_REG_ID"
    }
  }
}
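The two procedures above (looking up the composite site ID, then POSTing a grant to the site or to a single list) are small enough to script, and scripting them keeps the grants auditable and repeatable. The following Python module is an added example written for this post; it is not the author’s code and not a Microsoft library. The Graph URLs and the shape of the request bodies are the ones shown above; the app ID, site and list IDs, the bearer token and the sample site response are placeholders constructed for illustration, and the set of accepted roles is this example’s own validation (the post only uses "write").

```python
"""Grant a Sites.Selected / Lists.SelectedOperations.Selected app access to
one SharePoint site or list through Microsoft Graph.

Added example for this post (not the author's code).  All IDs, hostnames
and the token below are placeholders; the HTTP call is injectable so the
flow can be exercised without a tenant."""
import json
import urllib.request
from typing import Callable, Optional, Sequence

GRAPH_V1 = "https://graph.microsoft.com/v1.0"
GRAPH_BETA = "https://graph.microsoft.com/beta"

# Roles this example allows on a grant.  The post uses "write"; pick the
# least privileged role that still lets the app do its job ("read" if it
# only needs to read).  Anything else is rejected before a request is sent.
ALLOWED_ROLES = {"read", "write", "manage", "fullcontrol"}


def extract_site_id(site_response: dict) -> str:
    """Return the composite id from GET /sites/{host}:/sites/{name}.

    The value looks like '{hostname},{site-collection-guid},{web-guid}';
    the permissions endpoint needs all three comma-separated parts."""
    site_id = site_response["id"]
    parts = site_id.split(",")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"unexpected site id format: {site_id!r}")
    return site_id


def _check_roles(roles: Sequence[str]) -> list:
    bad = set(roles) - ALLOWED_ROLES
    if bad:
        raise ValueError(f"unsupported role(s): {sorted(bad)}")
    return list(roles)


def site_permission_body(app_id: str, display_name: str,
                         roles: Sequence[str] = ("write",)) -> dict:
    """Body for POST /v1.0/sites/{site-id}/permissions (Sites.Selected)."""
    return {
        "roles": _check_roles(roles),
        "grantedToIdentities": [
            {"application": {"id": app_id, "displayName": display_name}}
        ],
    }


def list_permission_body(app_id: str,
                         roles: Sequence[str] = ("write",)) -> dict:
    """Body for POST /beta/sites/{site-id}/lists/{list-id}/permissions.

    Note the singular 'grantedTo' object here, versus the
    'grantedToIdentities' array used for a site-level grant."""
    return {
        "roles": _check_roles(roles),
        "grantedTo": {"application": {"id": app_id}},
    }


def permissions_url(site_id: str, list_id: Optional[str] = None) -> str:
    """Site grants are on v1.0; list grants are only on the beta endpoint."""
    if list_id is None:
        return f"{GRAPH_V1}/sites/{site_id}/permissions"
    return f"{GRAPH_BETA}/sites/{site_id}/lists/{list_id}/permissions"


def post_json(url: str, body: dict, token: str) -> dict:
    """Real HTTP POST.  The token must belong to an admin identity that
    holds Sites.FullControl.All, as the post explains."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def grant_app_access(token: str, site_id: str, app_id: str, display_name: str,
                     list_id: Optional[str] = None,
                     roles: Sequence[str] = ("write",),
                     post: Callable[[str, dict, str], dict] = post_json) -> dict:
    """Grant the app 'roles' on the whole site, or on one list if list_id is
    given.  Returns Graph's permission object (its 'id' is what you DELETE
    later to revoke the grant)."""
    if list_id is None:
        body = site_permission_body(app_id, display_name, roles)
    else:
        body = list_permission_body(app_id, roles)
    return post(permissions_url(site_id, list_id), body, token)


if __name__ == "__main__":
    # Constructed sample of the site lookup response (placeholder GUIDs).
    sample_site = {"id": "contoso.sharepoint.com,"
                         "26192b3a-c1b9-4849-9f80-bfc66c12345a,"
                         "159b904f-9880-481e-ac3f-12345da331f9"}
    sid = extract_site_id(sample_site)
    # Dry run: print the request instead of sending it.
    dry = lambda url, body, tok: {"url": url, "body": body}
    print(json.dumps(grant_app_access("TOKEN", sid, "APP-ID", "My App",
                                      roles=("read",), post=dry), indent=2))
```

The `post` parameter exists so the grant logic can be reviewed and tested without a tenant; in production call it with the default and a token obtained for an admin identity. Keep the returned permission `id` somewhere you can find it again, because that is what you need to revoke the grant.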
Summary
Setting up the right permissions for your SharePoint app is key to keeping things secure and working smoothly. In this post, we covered how to give your app narrowly scoped permissions: limiting access to a single site with Sites.Selected, or to a specific list with Lists.SelectedOperations.Selected. We also covered how to use Microsoft Graph (the v1.0 endpoint for sites and the beta endpoint for lists) to create these grants.
Resources
- Develop applications that use Sites.Selected permissions for SPO sites (blogpost from the MS Tech Community)
- PnP PowerShell: Grant-PnPAzureADAppSitePermission
- Selected permissions in OneDrive and SharePoint (Microsoft docs)
If you are interested in Microsoft 365 Development you might also like my other blogposts in this category.
Also, if you have any feedback or questions, please let me know in the comments below. 🙂
Thank you for reading, and happy coding!
/Eli