Graph API - Delegated permissions for Sites.Selected

mmeuleman 21 Reputation points
2023-01-07T11:40:16.18+00:00

I am familiar with the Sites.Selected application permissions, but I don't think it fits my use case.

I have an app with which I want to be able to impersonate users in a tenant; using the necessary delegated permissions works great for this.
However, I would like to restrict the app's access to specific sites, as some sites that a logged-in user has access to might have confidential information. Is there a way to do this currently?
I would imagine that delegated Sites.Selected permissions would be the way, but from what I could find in the two blog posts (controlling-app-access-on-specific-sharepoint-site-collections and updates-on-controlling-app-specific-access-on-specific-sharepoint-sites-sites-selected), this is not (yet?) possible.

So, are there concrete plans to support this? If so, when is this planned?
And for the time being, would there be another solution to this problem? It could be my approach is just wrong, so any ideas are welcome.

Thanks!

Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.

2 answers

  1. Nicolas Roche 411 Reputation points
    2023-01-07T13:39:46.957+00:00

    Hello,

    I found this; I think it is the answer to your questions.
    https://techwizard.cloud/2022/03/20/sharepoint-and-graph-api-app-only-permissions-for-selected-sites/

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


  2. Andy David - MVP 141.5K Reputation points MVP
    2023-01-07T20:59:31.82+00:00

    If the logged-on user already has rights to the sites, then limiting the sites they can access when authenticating through the Azure app won't do any good, since they can get to them anyway outside of the app.
    The Sites.Selected permission is designed for application access, not for a delegated user.
    In this case, I would recommend you remove the permissions from any site this user should not have access to.
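
The app-only route the answers point to, as an added example that is not from the question or either answer: granting an application Sites.Selected access to a single site by POSTing a permission grant to Microsoft Graph. It assumes the caller's token already carries Sites.FullControl.All (needed to create site permission grants); the site id, app id and token values are placeholders, and the `send` parameter is a hypothetical injection point so the block can run offline.

```python
"""Grant an app-only (Sites.Selected) permission on one SharePoint site via Graph."""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Roles Graph accepts for an application grant on a site; anything else is rejected
# here before a request leaves the machine.
ALLOWED_ROLES = {"read", "write"}


def build_grant(app_id, app_display_name, roles):
    """Body for POST /sites/{site-id}/permissions that grants an application access."""
    unsupported = set(roles) - ALLOWED_ROLES
    if unsupported:
        raise ValueError(f"unsupported roles: {sorted(unsupported)}")
    return {
        "roles": sorted(set(roles)),
        "grantedToIdentities": [
            {"application": {"id": app_id, "displayName": app_display_name}}
        ],
    }


def _http_post(url, token, body):
    """Real transport: POST JSON to Graph with a bearer token (needs Sites.FullControl.All)."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def grant_site_permission(site_id, token, app_id, app_display_name, roles, send=None):
    """Create the grant on one site; `send` (hypothetical) lets callers swap the transport."""
    url = f"{GRAPH}/sites/{site_id}/permissions"
    body = build_grant(app_id, app_display_name, roles)
    return (send or _http_post)(url, token, body)


if __name__ == "__main__":
    # Constructed offline run: the fake sender echoes the request instead of calling Graph.
    def echo(url, token, body):
        return {"url": url, "body": body}

    site = "contoso.sharepoint.com,PLACEHOLDER-SITE-GUID,PLACEHOLDER-WEB-GUID"
    app = "00000000-0000-0000-0000-000000000000"  # placeholder app (client) id
    print(json.dumps(grant_site_permission(site, "PLACEHOLDER_TOKEN", app,
                                           "Example App", ["read"], send=echo), indent=2))
```

The grant is scoped to that one site, so a token obtained by the app with the Sites.Selected application permission can reach only sites that have such a grant, which is the control the question asked for on the delegated side.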