How to limit a service principal in AzureAD with graph API to only a certain site collection in SharePoint Online?

Question

Hi there
How to limit a service principal in AzureAD with graph API to only a certain site collection in SharePoint Online?
Thanks.

Answer 1

Hi @frob ,

According to my research and testing, you can choose the permission ** Sites.Selected ** for your application instead of one of the other permissions, by default, result in your application not having access to any SharePoint site collections.

Then administrators can grant permissions to an application, such as "Read", "Write", or "Read and Write" permissions. Along with Sites.Selected this will result in only those sites that have had permission granted being accessible.

For example, if I wanted to grant the "My demo application" application write permission to a single site collection, you can use the following calls:

POST https://graph.microsoft.com/v1.0/sites/{siteId}/permissions

Content-Type: application/json

Body:

{  
    "roles": [  
        "write"  
    ],  
    "grantedToIdentities": [  
        {  
            "application": {  
                "id": "Application (client) ID",  
                "displayName": "My demo application"  
            }  
        }  
    ]  
}  

More information for reference: Controlling app access on a specific SharePoint site collections is now available in Microsoft Graph

Hope it can help you. Thanks for your understanding.

---

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

---