Azure App Permissions – Microsoft Graph – Now it's possible to set permissions for selected sites only


Hi All,

Greetings for the day 🙂 LIFE IS BEAUTIFUL 🙂 I hope we all are safe 🙂 STAY SAFE, STAY HEALTHY 🙂

Background :

  • We all know Microsoft Graph APIs are security-trimmed APIs
  • This means we need to register an Azure App and give that app permissions to the Microsoft Graph APIs for the respective resources (for example, SharePoint)

Previous concern / issue when giving permissions to the Microsoft Graph API for SharePoint: there was no option to give an Azure App permission to the Microsoft Graph APIs for a specific SharePoint site collection. We had to give permissions for the whole tenant (tenant scope), as shown here:

Fig : Azure App Permissions => Microsoft Graph API permissions for SharePoint sites

Updates from Microsoft :

  • Now it is possible to give an Azure App permissions to the Microsoft Graph APIs for selected SharePoint sites only. This is a more granular approach
  • This means controlling app access to specific SharePoint site collections is now available in Microsoft Graph
  • A new permission named Sites.Selected is available for Azure Apps under the Microsoft Graph Sites set of permissions
  • In the “Request API Permissions” pane there is now an option for selected sites:
Fig : Azure App Permissions => Microsoft Graph API permissions for SharePoint sites => Now it is possible to give permissions for selected sites rather than the whole tenant
  • But then the billion $ question is 🙂 – how do we configure permissions to Microsoft Graph for an Azure App for selected sites only?
  • There are multiple approaches, as follows

How to set permissions to the Microsoft Graph APIs for an Azure App for selected SharePoint sites:

POST https://graph.microsoft.com/v1.0/sites/{siteId}/permissions
Content-Type: application/json

{
  "roles": ["write"],
  "grantedToIdentities": [{
    "application": {
      "id": "b72525db-885f-487c-a166-a7d13575af3b",
      "displayName": "Knowledge Junction"
    }
  }]
}
  • Using CSOM console application / Azure WebJob :
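using System.Collections.Generic;
using Microsoft.Graph;

// authProvider is an IAuthenticationProvider configured elsewhere for the calling app
GraphServiceClient graphClient = new GraphServiceClient( authProvider );

// Permission to grant: the "write" role for one application identity
var permission = new Permission
{
	Roles = new List<string>()
	{
		"write"
	},
	GrantedToIdentities = new List<IdentitySet>()
	{
		new IdentitySet
		{
			Application = new Identity
			{
				Id = "b72525db-885f-487c-a166-a7d13575af3b",
				DisplayName = "Knowledge Junction"
			}
		}
	}
};

// Create the permission on the selected site only ({siteId} as in the REST call above)
await graphClient.Sites["{siteId}"].Permissions
	.Request()
	.AddAsync(permission);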
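
Added example (not from the original post or from Microsoft): a Python helper that builds the per-site grant request shown above and audits a site's permission listing, so that only expected apps hold only expected roles on that site. The listing JSON is constructed sample data shaped like the request body on this page; the second app id, the `ALLOWED_ROLES` policy and both function names are assumptions.

```python
import json

GRAPH = "https://graph.microsoft.com/v1.0"
ALLOWED_ROLES = {"read", "write"}  # assumed local policy, not a Graph constant

def build_site_grant(site_id, app_id, display_name, roles):
    """Build the POST /sites/{siteId}/permissions request shown on this page."""
    roles = sorted(set(roles))
    if not roles or set(roles) - ALLOWED_ROLES:
        raise ValueError(f"roles must be a non-empty subset of {sorted(ALLOWED_ROLES)}")
    body = {"roles": roles, "grantedToIdentities": [
        {"application": {"id": app_id, "displayName": display_name}}]}
    return ("POST", f"{GRAPH}/sites/{site_id}/permissions",
            {"Content-Type": "application/json"}, json.dumps(body))

def audit_site_permissions(listing, expected):
    """Compare a site's permission listing with expected {app_id: {roles}}."""
    findings = []
    for perm in listing.get("value", []):
        roles = perm.get("roles")  # may be absent from a listing
        for ident in perm.get("grantedToIdentities", []):
            app = ident.get("application")
            if not app:
                continue  # user or group grant, out of scope here
            app_id = app.get("id", "").lower()
            if app_id not in expected:
                findings.append((app_id, "unexpected app"))
            elif roles is None:
                findings.append((app_id, "roles not returned"))
            elif set(roles) - expected[app_id]:
                extra = sorted(set(roles) - expected[app_id])
                findings.append((app_id, "excess roles: " + ",".join(extra)))
    return findings

# Constructed sample data; only the first app id comes from the page.
KJ_APP = "b72525db-885f-487c-a166-a7d13575af3b"
OTHER_APP = "00000000-0000-0000-0000-000000000001"
SAMPLE_LISTING = {"value": [
    {"id": "1", "roles": ["write"], "grantedToIdentities": [
        {"application": {"id": KJ_APP, "displayName": "Knowledge Junction"}}]},
    {"id": "2", "roles": ["read"], "grantedToIdentities": [
        {"application": {"id": OTHER_APP, "displayName": "Constructed App"}}]},
]}

if __name__ == "__main__":
    print(build_site_grant("{siteId}", KJ_APP, "Knowledge Junction", ["write"]))
    # Policy in this run expects read only, so the "write" grant is flagged.
    for finding in audit_site_permissions(SAMPLE_LISTING, {KJ_APP: {"read"}}):
        print(finding)
```
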

I’ll stop here 🙂 We have a very good series of articles on Microsoft Graph APIs, please have a look – https://knowledge-junction.com/?s=Microsoft+Graph

Thanks for reading 🙂 Feel free to discuss / comment / ask questions 🙂 SHARING IS CARING 🙂

Enjoy the beautiful life 🙂 Have a FUN 🙂 HAVE A SAFE LIFE 🙂 TAKE CARE 🙂

Prasham Sabadra

LIFE IS VERY BEAUTIFUL :) ENJOY THE WHOLE JOURNEY :) Founder of Knowledge Junction and live-beautiful-life.com, Author, Learner, Passionate Techie, avid reader. Certified Professional Workshop Facilitator / Public Speaker. Scrum Foundation Professional certified. Motivational, Behavioral, Technical speaker. Speaks at various events including SharePoint Saturdays, Boot camps, Colleges / Schools, local chapters. You can reach me for Microsoft 365, Azure, DevOps, SharePoint, Teams, Power Platform, JavaScript.
