Service principal access to sharepoint online

Question

Hello

I have created a service principal in Entra and this will be used by power automate or ADF to connect to a particular sharepoint online site to read and copy files from the sharepoint online.

Could you please tell me what permissions are required :

1. What all API permission in Entra is required so that access is granted to only one particular sharepoint site ?
2. Please provide the detailed steps. Should I use delegated or application permission in the API permission in Entra ?
3. Can we do this via portal and also via powershell command and how ? I have already created the service principal.

Thanks!

Answer 1

Hi @Sourav,

As a SharePoint engineer, below is my suggestion:

1. API Permissions in Entra:
   • You should use Sites.Selected permission instead of Sites.Read.All or Sites.ReadWrite.All. The Sites.Selected permission allows you to grant access to specific sites rather than all sites in the tenant.
2. Delegated vs. Application Permissions:
   • For this scenario, you should use Application permissions. Application permissions are used when the app runs without a signed-in user, which is typical for background services like Power Automate or Azure Data Factory.
3. Two methods:

Via Portal

1. Add API Permissions:
   • Go to API permissions > Add a permission > Microsoft Graph > Application permissions.
   • Select Sites.Selected and click Add permissions.
   • Grant admin consent for the permissions.
2. Grant Access to Specific SharePoint Site:
   • Navigate to the SharePoint site where you need to grant access.
   • Open the site with the URL format: https://[your_site_url]/_layouts/15/appinv.aspx.
   • Enter the Client ID (Service Principal ID) for your application and click Lookup.
   • Set the permissions in the AppInv page to grant the necessary access.

Via PowerShell

Install SharePoint Online Management Shell:

• Install SharePoint Online Management Shell:
  • Install the SharePoint Online Management Shell if you haven't already.
  • Connect to SharePoint Online:

    Connect-SPOService -Url https://[your-tenant]-admin.sharepoint.com
  

• Grant Access to the Service Principal:

    $appId = "your-app-id"
    $siteUrl = "https://[your-site-url]"
    $permission = "Read"
    $app = Get-SPOAppPrincipal -Site $siteUrl -AppId $appId
    Set-SPOAppPrincipalPermission -Site $siteUrl -AppPrincipal $app -Scope Site -Right       $permission
  

Reference:

Microsoft Graph Permissions Reference

Good day!

---

If the answer is helpful, please click "Accept as Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

Hello Sourav,

To connect a service principal to a specific SharePoint Online site and allow it to read/copy files, follow these steps:

• API Permissions in Entra ID
  Go to Azure Active Directory > App registrations > select your service principal > API permissions. Add the following Microsoft Graph permissions with Application access:
  • Sites.Read.All: General read access across SharePoint.
  • Sites.Selected: Allows limiting access to specific sites.
    Grant admin consent for these permissions.
• Grant Access to a Specific SharePoint Site
  Use PowerShell to assign site-level access with Sites.Selected:
  1. Install SharePoint Online Management Shell:

          Install-Module -Name Microsoft.Online.SharePoint.PowerShell
     

  2. Connect to SharePoint Online:

          Connect-SPOService -Url https://[your-tenant-name]-admin.sharepoint.com
     

  3. Grant access to the site:

          Grant-SPOSiteDesignRights -Identity "[Site URL]" -Principals "[App ID]" -Rights View
     

References

• Microsoft Graph Permissions Reference
• Install and Use SharePoint Online Management Shell

If the information helped address your question, please Accept the answer.

Luis