Restrict Azure Application to have access only to one specific SharePoint List

Viktor Meglenovski 5 Reputation points
2024-07-02T13:20:31.4233333+00:00

Hello,

I am trying to restrict the access of an Azure Application to one specific SharePoint list from one specific SharePoint site.

I have an Azure Application which has Application permissions for Sites.Selected and the new Lists.SelectedOperations.Selected permission.

Then I followed the instructions provided here:

https://learn.microsoft.com/en-us/graph/permissions-selected-overview?tabs=http

I sent the following request with an authentication token retrieved with the CLIENT_ID, TENANT_ID and CLIENT_SECRET from the Azure App.

POST https://graph.microsoft.com/beta/sites/{siteId}/lists/{listId}/permissions
Content-Type: application/json

{
  "roles": ["read"],
  "grantedTo": {
    "application": {
      "id": "{appId}"
    }
  }
}

This request returns status code 201 and says that the permission is created, but when I check using

GET https://graph.microsoft.com/beta/sites/{siteId}/lists/{listId}/permissions

the new permission is not saved there. Moreover, even though I have the Lists.SelectedOperations.Selected permission, I have access to all the lists in the specific site.

I am not sure whether there is something that I am doing wrong, or I am missing some steps in the process.

Any help is appreciated.

Thank you!


1 answer

  1. Vasil Michev 99,126 Reputation points MVP
    2024-07-02T16:00:44.63+00:00

    Afaik Microsoft is still in the process of rolling out this functionality, so not everything works currently. Wait for the official announcement/blog post.

    2 people found this answer helpful.
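
For the setup described in the question, one way to see which application permissions the client-credentials token actually carries is to decode its `roles` claim and separate the `*.Selected` permissions from everything else. This is an added example, not part of the original thread; the helper names and the sample token are constructed for illustration, and the payload is decoded for inspection only, without signature verification.

```python
import base64
import json

# Granularity at which each "*.Selected" application permission is granted.
SELECTED_LEVEL = {
    "Sites.Selected": "site collection",
    "Lists.SelectedOperations.Selected": "list",
    "ListItems.SelectedOperations.Selected": "list item",
    "Files.SelectedOperations.Selected": "file",
}


def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict. No signature check: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a JWT with three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_roles(claims: dict) -> dict:
    """Split app-only permissions into selected-scoped and all others."""
    if "roles" not in claims:
        # Delegated tokens carry 'scp'; app-only tokens carry 'roles'.
        raise ValueError("no 'roles' claim: not an app-only token")
    selected = {r: SELECTED_LEVEL[r] for r in claims["roles"] if r in SELECTED_LEVEL}
    broad = sorted(r for r in claims["roles"] if r not in SELECTED_LEVEL)
    return {"selected": selected, "broad": broad}


def make_sample_token(roles: list) -> str:
    """Build a constructed, unsigned JWT-shaped string (hypothetical helper)."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([b64({"alg": "none", "typ": "JWT"}), b64({"roles": roles}), "sig"])


if __name__ == "__main__":
    # Constructed sample: the two permissions from the question plus one
    # other permission, to show how a non-selected grant is reported.
    token = make_sample_token(
        ["Sites.Selected", "Lists.SelectedOperations.Selected", "Sites.Read.All"]
    )
    report = audit_roles(decode_claims(token))
    for role, level in report["selected"].items():
        print(f"{role}: access granted per {level}")
    for role in report["broad"]:
        print(f"{role}: not a *.Selected permission; review whether it is needed")
```

Run it against a real token by passing the access token string to `decode_claims` in place of the constructed sample.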