Controlling app access on specific SharePoint site collections is now available in Microsoft Graph

SharePoint team

One very frequent request we’ve heard over the last couple of years is to allow for more granular permissions when it comes to accessing SharePoint with an application. Historically we’ve allowed you to select several levels of access, but all at the tenant scope.

We are extremely excited to introduce the first step in providing more flexibility in how you control the access that your Microsoft Graph applications can have when working with SharePoint.  This is part of an overall longer-term effort to create a complete feature set that supports different needs for different customers.  We believe in solutions that will ultimately unify access management for applications across Microsoft 365.

This first step targets a specific scenario that we have gotten feedback on, namely, enabling enterprise-built applications to access specific known site collections rather than all site collections. This solution is very developer-focused and requires engagement from both the application developer and an administrative team comfortable with using the Microsoft Graph API for management.

The feature itself is straightforward. A new permission is available for applications under the Microsoft Graph Sites set of permissions named Sites.Selected. Choosing this permission for your application instead of one of the other permissions will, by default, result in your application not having access to any SharePoint site collections.

Sites.Selected permission in Azure AD


To grant permission for the application to a given site collection, the administrator will make use of the newly introduced site permissions endpoint. Using this endpoint, the administrator can grant Read, Write, or Read and Write permissions to an application. Combined with Sites.Selected, this means the application can access only those sites for which permission has been granted.

For example, if I wanted to grant the Foo application write permission to a single site collection, I would make this call:


POST https://graph.microsoft.com/v1.0/sites/{siteId}/permissions
Content-Type: application/json

{
  "roles": ["write"],
  "grantedToIdentities": [{
    "application": {
      "id": "89ea5c94-7736-4e25-95ad-3fa95f62b66e",
      "displayName": "Foo App"
    }
  }]
}




For more detailed information about using the API please see the Microsoft Graph documentation.
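The sketch below is an added example, not code from the SharePoint team. It builds the grant request shown above with the roles limited to the two the article names, and checks an app-only access token's `roles` claim for tenant-wide Sites permissions that would make the per-site grant meaningless. The `/sites/{siteId}/permissions` path is taken from the Microsoft Graph documentation; the function names and the sample token are constructed for illustration.

```python
import base64
import json
import re

GRAPH = "https://graph.microsoft.com/v1.0"
ALLOWED_ROLES = {"read", "write"}  # the roles the article says can be granted
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def build_grant(site_id, app_id, display_name, roles):
    """Return (method, url, headers, body) granting one application access to one site."""
    roles = sorted({r.lower() for r in roles})
    if not roles or not set(roles) <= ALLOWED_ROLES:
        raise ValueError(f"roles must be a non-empty subset of {sorted(ALLOWED_ROLES)}")
    if not GUID.match(app_id):
        raise ValueError("app_id must be the application's client ID (a GUID)")
    body = {"roles": roles,
            "grantedToIdentities": [
                {"application": {"id": app_id, "displayName": display_name}}]}
    return ("POST", f"{GRAPH}/sites/{site_id}/permissions",
            {"Content-Type": "application/json"}, json.dumps(body))

def tenant_wide_site_roles(access_token):
    """List Sites.* roles other than Sites.Selected in an app-only token.

    Inspection only: the token signature is NOT verified here.
    """
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return sorted(r for r in claims.get("roles", [])
                  if r.startswith("Sites.") and r != "Sites.Selected")

def sample_token(roles):
    """Constructed, unsigned token used only to exercise the check above."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"roles": roles}), "sig"])

if __name__ == "__main__":
    # {siteId} is a placeholder; the app ID and name are the ones used in the article.
    print(build_grant("{siteId}", "89ea5c94-7736-4e25-95ad-3fa95f62b66e",
                      "Foo App", ["write"]))
    # A non-empty result means the app still holds tenant-scoped site access.
    print(tenant_wide_site_roles(sample_token(["Sites.Selected", "Sites.ReadWrite.All"])))
```

An empty list from `tenant_wide_site_roles` is the state to aim for before relying on per-site grants.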

See also the following demo by Jeremy Kelley (Microsoft) from a recent Microsoft Graph community call for additional details.

Over time we will continue to work with the Azure and Microsoft Graph teams to add additional capabilities and support more scenarios.

“Sharing is caring”

SharePoint Team, Microsoft – 11th of February 2021
