Service principal access to SharePoint Online

Sourav 115 Reputation points
2024-11-07T20:22:24.9333333+00:00

Hello

I have created a service principal in Entra, and it will be used by Power Automate or ADF to connect to one particular SharePoint Online site to read and copy files from SharePoint Online.

Could you please tell me what permissions are required:

  1. Which API permissions in Entra are required so that access is granted to only one particular SharePoint site?
  2. Please provide the detailed steps. Should I use delegated or application permissions in the API permissions in Entra?
  3. Can we do this via the portal and also via PowerShell commands, and how? I have already created the service principal.

Thanks!


2 answers

  1. Luis Arias 7,686 Reputation points
    2024-11-07T21:05:42.4733333+00:00

    Hello Sourav,

    To connect a service principal to a specific SharePoint Online site and allow it to read/copy files, follow these steps:

    • API Permissions in Entra ID
      Go to Azure Active Directory > App registrations > select your service principal > API permissions. Add the following Microsoft Graph permissions with Application access:
      • Sites.Read.All: General read access across SharePoint.
      • Sites.Selected: Allows limiting access to specific sites.
        Grant admin consent for these permissions.
    • Grant Access to a Specific SharePoint Site
      Use PowerShell to assign site-level access with Sites.Selected:
      1. Install SharePoint Online Management Shell:
             Install-Module -Name Microsoft.Online.SharePoint.PowerShell
        
      2. Connect to SharePoint Online:
             Connect-SPOService -Url https://[your-tenant-name]-admin.sharepoint.com
        
      3. Grant access to the site:
             Grant-SPOSiteDesignRights -Identity "[Site URL]" -Principals "[App ID]" -Rights View
        

    References

    If the information helped address your question, please Accept the answer.

    Luis


  2. Yanli Jiang - MSFT 27,641 Reputation points Microsoft Vendor
    2024-11-12T08:18:10.5666667+00:00

    Hi @Sourav,

    As a SharePoint engineer, below is my suggestion:

    1. API Permissions in Entra:
      • You should use Sites.Selected permission instead of Sites.Read.All or Sites.ReadWrite.All. The Sites.Selected permission allows you to grant access to specific sites rather than all sites in the tenant.
    2. Delegated vs. Application Permissions:
      • For this scenario, you should use Application permissions. Application permissions are used when the app runs without a signed-in user, which is typical for background services like Power Automate or Azure Data Factory.
    3. Two methods:

    Via Portal

    1. Add API Permissions:
      • Go to API permissions > Add a permission > Microsoft Graph > Application permissions.
      • Select Sites.Selected and click Add permissions.
      • Grant admin consent for the permissions.
    2. Grant Access to Specific SharePoint Site:
      • Navigate to the SharePoint site where you need to grant access.
      • Open the site with the URL format: https://[your_site_url]/_layouts/15/appinv.aspx.
      • Enter the Client ID (Service Principal ID) for your application and click Lookup.
      • Set the permissions in the AppInv page to grant the necessary access.

    Via PowerShell

    • Install SharePoint Online Management Shell:
      • Install the SharePoint Online Management Shell if you haven't already.
      • Connect to SharePoint Online:
        Connect-SPOService -Url https://[your-tenant]-admin.sharepoint.com

    • Grant Access to the Service Principal:
        $appId = "your-app-id"
        $siteUrl = "https://[your-site-url]"
        $permission = "Read"
        $app = Get-SPOAppPrincipal -Site $siteUrl -AppId $appId
        Set-SPOAppPrincipalPermission -Site $siteUrl -AppPrincipal $app -Scope Site -Right $permission


    Reference:

    Microsoft Graph Permissions Reference

    Good day!


    If the answer is helpful, please click "Accept as Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
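Added example, not code from either answer above: the Sites.Selected model both answers describe consists of two separate steps, the tenant-wide app-role consent in Entra and a per-site grant, and this Python script shows the per-site grant as a Microsoft Graph request (POST /sites/{site-id}/permissions) plus two audit helpers that a reviewer would run afterwards, one to confirm the principal holds no broader Sites.* application role and one to list which apps a site has been granted to. The app id, display name, site and the sample permissions response are constructed placeholders; the token is assumed to belong to an admin-operated app, since Graph requires Sites.FullControl.All on the caller to create site permissions.

```python
"""Added example (not from the thread): grant one service principal Sites.Selected access
to one site via Microsoft Graph and audit that nothing broader is held. Values are placeholders."""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Graph application permissions that reach every site in the tenant.
BROAD_SITE_ROLES = {"Sites.Read.All", "Sites.ReadWrite.All",
                    "Sites.Manage.All", "Sites.FullControl.All"}

def site_permissions_url(hostname: str, site_path: str) -> str:
    """Path-addressed URL: /sites/{hostname}:{server-relative-path}:/permissions."""
    return f"{GRAPH}/sites/{hostname}:{site_path}:/permissions"

def build_site_permission_grant(app_id: str, display_name: str, role: str = "read") -> dict:
    """Body for POST .../permissions; read/write only, since read-and-copy needs read."""
    if role not in ("read", "write"):
        raise ValueError("use 'read' or 'write' for a least-privilege site grant")
    return {"roles": [role], "grantedToIdentities": [
        {"application": {"id": app_id, "displayName": display_name}}]}

def broad_app_roles(granted_roles: list) -> list:
    """App-role values on the principal that bypass Sites.Selected scoping (expect [])."""
    return sorted(set(granted_roles) & BROAD_SITE_ROLES)

def site_grants_by_app(permissions_value: list) -> dict:
    """Map app id -> roles from a GET .../permissions 'value' list (audit of one site)."""
    grants = {}
    for perm in permissions_value:
        for ident in perm.get("grantedToIdentities", []):
            app = ident.get("application")
            if app:
                grants.setdefault(app["id"], set()).update(perm.get("roles", []))
    return {app_id: sorted(roles) for app_id, roles in grants.items()}

def grant_site_permission(token: str, hostname: str, site_path: str,
                          app_id: str, display_name: str, role: str = "read") -> dict:
    """Perform the grant. Per Graph docs the calling (admin) app needs
    Sites.FullControl.All; the principal being granted only needs Sites.Selected."""
    body = json.dumps(build_site_permission_grant(app_id, display_name, role)).encode()
    req = urllib.request.Request(
        site_permissions_url(hostname, site_path), data=body, method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

# Constructed sample of a GET .../permissions 'value' list, for offline inspection.
SAMPLE_PERMISSIONS = [{"id": "perm-1", "roles": ["read"], "grantedToIdentities": [
    {"application": {"id": "11111111-1111-1111-1111-111111111111",
                     "displayName": "adf-sharepoint-reader"}}]}]
```

Removing Sites.Read.All from the app registration is what makes the per-site grant the only path the principal has; broad_app_roles over the app's consented role values should return an empty list once that is done.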

