how to grant permission to Azure Managed Identity to SharePoint online Site?

Question

how to grant permission to Azure Managed Identity to SharePoint online Site?

mahesh kandharkar 15

how to grant permission to Azure "Managed Identity" to SharePoint online Site?

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

1 answer

Your answer

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Answer 1

Sedat SALMAN 14,180 MVP

To grant permissions to a SharePoint Online site for an Azure Managed Identity, you'll need to create an Azure AD App Registration for your Managed Identity and grant the necessary permissions to that app in SharePoint Online

Create an App Registration in Azure AD
- Azure Active Directory > App registrations
- New registration > Note the "Application (client) ID" and "Directory (tenant) ID" values
Assign the necessary permissions to the App Registration in SharePoint Online
- SharePoint Online site. > Site permissions > Advanced permissions settings
- Grant permissions > Select Users > client_id@tenant_id
Configure your Azure service to use the App Registration
- In your Azure service, update the configuration to use the App Registration's "Application (client) ID" and "Directory (tenant) ID" for authentication with SharePoint Online.
- Use the SharePoint Online REST API or the Microsoft Graph API to access SharePoint Online resources, authenticating with the App Registration's credentials.

mahesh kandharkar 15 Reputation points

2023-04-06T10:44:17.95+00:00

Thanks for the reply Salman, Is there any other way to grant permission to Azure Managed Identity on specific SharePoint online site? can you please clarify little more on granting permission for Managed identity in above steps.
Sedat SALMAN 14,180 Reputation points MVP

2023-04-09T19:07:02.2766667+00:00
Hi Mahesh, Sure, I can provide more clarification on granting permission to an Azure Managed Identity on a specific SharePoint Online site. Firstly, you need to create an Azure AD App Registration for your Managed Identity. Follow these steps:

Go to the Azure Active Directory portal and navigate to "App Registrations"

Click on "New Registration" and provide a name for your app

Select "Accounts in this organizational directory only (default directory only - Single tenant)" as the supported account type

Leave the "Redirect URI" field blank

Click on "Register" to create the app registration

Note down the "Application (client) ID" and "Directory (tenant) ID" values

Next, you need to grant the necessary permissions to the App Registration in SharePoint Online. Follow these steps:

Go to the SharePoint Online site where you want to grant permissions to the Managed Identity

Navigate to "Site permissions" and click on "Advanced permissions settings"

Click on "Grant Permissions" and select "Enter the object names to select" option

Enter the "Application (client) ID" of the app registration you created earlier and click on "Check Names"

Select the appropriate permission level and click on "OK"

Finally, you need to configure your Azure service to use the App Registration. Follow these steps:

In your Azure service, update the configuration to use the App Registration's "Application (client) ID" and "Directory (tenant) ID" for authentication with SharePoint Online.

Use the SharePoint Online REST API or the Microsoft Graph API to access SharePoint Online resources, authenticating with the App Registration's credentials.

Hope this helps! Let me know if you have any further questions.
mahesh kandharkar 15 Reputation points

2023-04-10T01:44:54.23+00:00

Thanks Salman, I have "User-assigned managed identity" for which i need to grant read/write access to specific SharePoint online site, whether same process I need to follow from above provided steps except the app registration. Could you please suggest for the same?
mahesh kandharkar 15 Reputation points

2023-04-10T02:24:02.6966667+00:00
Hello Salman, I have followed below steps to grant access "User-assigned managed identity" on SharePoint online site please let me know whether this is correct way?

Created "User Assigned managed identity"

Copied objact id from managed identity.

Then I browse the SharePoint site from here "I created app from here site collection/_layouts/15/appinv.aspx""

pasted object id in the app and clicked on lookup and it displayed app domain title of managed identity and app domain

Granted manage permission using below "permission request XML"

<AppPermissionRequests AllowAppOnlyPolicy="true"> <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="Manage" /> </AppPermissionRequests>

I want to understand whether it is correct way and developer can extract/add/remove data from visual studio code using object and tenant id for "user assign managed identity" Please suggest, your help would be really appreciated or if you have any other way please let me know if it is not correct.
Peter Bollwerk 56 Reputation points

2023-06-29T23:03:49.22+00:00

@Sedat SALMAN is this possible at a folder level, or only at a site level?
Mark R 5 Reputation points

2023-08-17T03:51:13.26+00:00

I followed these instructions step by step. When I attempt to grant permissions to the managed identity using the client_id@tenant_id format it gives me an error below the input field that says "we couldn't find an exact match."

I also tried the method using Microsoft Graph detailed here: https://learningbydoing.cloud/blog/connecting-to-sharepoint-online-using-managed-identity-with-granular-access-permissions/

Everything appears to work when I run the New-MgSitePermission command, the "write" role appears to be applied. However, when I check it using the Get-MgSitePermission command the "write" role is no longer applied. No error messages, it just doesn't work. I'm running all these commands as a Global Administrator.

I've even attempted the method of navigating to the _layouts/15/appinv.aspx site to grant the App ID permissions. It recognized the Managed Identity and the permissions I want to grant (as specified in XML), and appears to successfully grant permissions. But when I verify if the permissions are granted they aren't there. No error messages, it just doesn't work.

Every method I attempt does not work. What am I missing? How do I get this to work so I can assign permissions to an Entra ID managed identity?

Thank you!
Goodpasture Jared 0 Reputation points

2023-10-27T22:25:34.9266667+00:00

if you look under _layouts/15/appprincipals.aspx you should find it
Anonymous

2023-12-06T13:27:50.8633333+00:00

Hi Sedat,

I have created an app and am trying to grant permissions but got the error "We couldn't find an exact match".

May you please advise?

Thanks,

Max
Janne Kujanpää 256 Reputation points

2023-12-21T08:40:05.78+00:00

@Sedat SALMAN What does "you'll need to create an Azure AD App Registration for your Managed Identity" and "Use the SharePoint Online REST API or the Microsoft Graph API to access SharePoint Online resources, authenticating with the App Registration's credentials." mean if user wants to use MSI (to avoid extra set of credentials)?

Is there actual guidence how to use managed service identities directly without creating extra set of credentials?
Swetha Alampally 5 Reputation points

2024-06-14T09:36:55.7166667+00:00

Hi,

@Sedat SALMAN i am following the steps you mentioned above but i didn't find such option. please help.

I am trying to add app registration id, but there is no such option available.

Mike Crowley 216

@Swetha Alampally I'm not sure if you can add or view an application permission in the UI, but here is how to add/review with Graph:

set

$permissionAssignment = @{
    roles               = @("write")
    grantedToIdentities = @(
        @{
            application = @{
                id          = $Principal.value.AppId
                displayName = $Principal.value.displayname
            }
        }
    )
}

Invoke-MgGraphRequest -Uri "v1.0/sites/$($spoSite.id)/permissions" -Method POST -Body $permissionAssignment

view:

# Confirm the principal now has an access control entry for the on the site:
(Invoke-MgGraphRequest -Uri "v1.0/sites/$($spoSite.id)/permissions").value.grantedToIdentitiesV2

Share via

how to grant permission to Azure Managed Identity to SharePoint online Site?

1 answer

Your answer