1. You need both Sites.Selected and Sites.FullControl.All to grant access for a specific site collection.
Sites.Selected is an endpoint which allows an administrator to grant Read, Write, ReadWrite, FullControl and so on permissions so that an application's access is limited to a specific site collection.
So, first develop the application with the Sites.Selected permission, then use the Sites.Selected endpoint to grant FullControl permission for the application's access to a specific site collection.
2. After granting FullControl permission for the application's access to a specific site collection, you can use the Graph API below to grant write permission for a folder.
(1) Get drive id.
GET https://graph.microsoft.com/v1.0/sites/{site-id}/drives
(2) Get folder id.
GET https://graph.microsoft.com/v1.0/sites/{site-id}/drives/{drive-id}/root/children
(3) Grant access.
POST https://graph.microsoft.com/v1.0/sites/{site-id}/drives/{drive-id}/items/{folder-id}/invite
Content-type: application/json
{
  "recipients": [
    {
      "email": "user@tenant.OnMicrosoft.com"
    }
  ],
  "message": "Here's the file that we're collaborating on.",
  "requireSignIn": true,
  "sendInvitation": true,
  "roles": [ "write" ],
  "password": "password123",
  "expirationDateTime": "2024-12-05T14:00:00.000Z"
}
Reference:
https://learn.microsoft.com/en-us/graph/api/driveitem-invite?view=graph-rest-1.0&tabs=http
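Steps (1) to (3) of the answer above as an added Python example (not part of the original answer): it selects the drive and folder ids from constructed sample responses and builds the invite request with the role checked against an allow-list and each id percent-encoded as a single path segment. The helper names `seg`, `pick_id` and `build_invite`, the sample ids and the allow-list are assumptions of this example, which also leaves out the literal `password` and the `expirationDateTime` fields of the payload above.

```python
import json
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"
ALLOWED_ROLES = {"read", "write"}  # this example's allow-list, not a Graph limit

# Constructed sample responses for steps (1) and (2); ids are made up.
SAMPLE_DRIVES = {"value": [
    {"id": "b!constructedDriveId", "name": "Documents"},
    {"id": "b!constructedOtherId", "name": "Site Assets"}]}
SAMPLE_CHILDREN = {"value": [
    {"id": "01CONSTRUCTEDFOLDER", "name": "Reports", "folder": {"childCount": 2}},
    {"id": "01CONSTRUCTEDFILE", "name": "Reports.xlsx", "file": {}}]}

def seg(value):
    """Percent-encode one path segment; ',' and '!' occur in site and drive ids."""
    return quote(value, safe=",!")

def pick_id(listing, name, must_be_folder=False):
    """Return the id of the single entry called `name` in a collection response."""
    hits = [e for e in listing.get("value", [])
            if e.get("name") == name and (not must_be_folder or "folder" in e)]
    if len(hits) != 1:
        raise LookupError(f"expected one match for {name!r}, found {len(hits)}")
    return hits[0]["id"]

def build_invite(site_id, drive_id, folder_id, email, role="write"):
    """Build step (3): grant one role on one folder to one signed-in recipient."""
    if role not in ALLOWED_ROLES:
        raise ValueError(f"role {role!r} is not in the allow-list")
    local, _, domain = email.partition("@")
    if not local or not domain or "@" in domain:
        raise ValueError("recipient must be a single e-mail address")
    url = (f"{GRAPH}/sites/{seg(site_id)}/drives/{seg(drive_id)}"
           f"/items/{seg(folder_id)}/invite")
    body = {"recipients": [{"email": email}],
            "requireSignIn": True,   # recipient must authenticate
            "sendInvitation": True,
            "roles": [role]}         # no literal password in the request body
    return "POST", url, body

if __name__ == "__main__":
    site = "contoso.sharepoint.com,constructed-site-guid,constructed-web-guid"
    drive = pick_id(SAMPLE_DRIVES, "Documents")
    folder = pick_id(SAMPLE_CHILDREN, "Reports", must_be_folder=True)
    method, url, body = build_invite(site, drive, folder, "user@tenant.OnMicrosoft.com")
    print(method, url)
    print(json.dumps(body, indent=2))
```

Requiring `must_be_folder=True` in step (2) keeps a file from being selected as the sharing target.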