{"id":5961,"date":"2021-02-11T05:36:10","date_gmt":"2021-02-11T13:36:10","guid":{"rendered":"https:\/\/officedevblogs.wpengine.com\/?p=5961"},"modified":"2021-11-17T12:39:51","modified_gmt":"2021-11-17T20:39:51","slug":"controlling-app-access-on-specific-sharepoint-site-collections","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/controlling-app-access-on-specific-sharepoint-site-collections\/","title":{"rendered":"Controlling app access on specific SharePoint site collections is now available in Microsoft Graph"},"content":{"rendered":"<p>One very frequent request we\u2019ve heard over the last couple of years is to allow for more granular permissions when it comes to accessing SharePoint with an application. Historically we\u2019ve allowed you to select several levels of access, but all at the tenant scope.<\/p>\n<p>We are extremely excited to introduce the first step in providing more flexibility in how you control the access that your Microsoft Graph applications can have when working with SharePoint. This is part of an overall longer-term effort to create a complete feature set that supports different needs for different customers. We believe in solutions that will ultimately unify access management for applications across Microsoft 365.<\/p>\n<p>This first step targets a specific scenario that we have gotten feedback on, namely, enabling enterprise-built applications to access specific known site collections rather than all site collections. This solution is very developer-focused and requires engagement from both the application developer and an administrative team comfortable with using the Microsoft Graph API for management.<\/p>\n<p>The feature itself is straightforward. A new permission is available for applications under the Microsoft Graph Sites set of permissions, named <strong><em>Sites.Selected<\/em><\/strong>. 
Choosing this permission for your application instead of one of the other permissions will, by default, result in your application not having access to any SharePoint site collections.<\/p>\n<p><img decoding=\"async\" class=\"alignnone wp-image-5962 size-full\" src=\"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-content\/uploads\/sites\/73\/2021\/02\/jeremy-graph-permissions.png\" alt=\"Sites.selected permission in Azure AD\" width=\"936\" height=\"668\" srcset=\"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-content\/uploads\/sites\/73\/2021\/02\/jeremy-graph-permissions.png 936w, https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-content\/uploads\/sites\/73\/2021\/02\/jeremy-graph-permissions-300x214.png 300w, https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-content\/uploads\/sites\/73\/2021\/02\/jeremy-graph-permissions-768x548.png 768w\" sizes=\"(max-width: 936px) 100vw, 936px\" \/><\/p>\n<p>To grant permission for the application to a given site collection, the administrator will make use of the newly introduced site permissions endpoint. 
Using this endpoint, the administrator can grant Read, Write, or Read and Write permissions to an application. Combined with <strong><em>Sites.Selected<\/em><\/strong>, this means that only those site collections to which permission has been explicitly granted are accessible to the application.<\/p>\n<p>For example, if I wanted to grant the Foo application write permission to a single site collection, I would make this call:<\/p>\n<pre class=\"\">POST https:\/\/graph.microsoft.com\/v1.0\/sites\/{siteId}\/permissions\nContent-Type: application\/json\n\n{\n  \"roles\": [\"write\"],\n  \"grantedToIdentities\": [{\n    \"application\": {\n      \"id\": \"89ea5c94-7736-4e25-95ad-3fa95f62b66e\",\n      \"displayName\": \"Foo App\"\n    }\n  }]\n}<\/pre>\n<p>For more detailed information about using the API, please see the <a href=\"https:\/\/docs.microsoft.com\/graph\/api\/site-get-permission?view=graph-rest-1.0\">Microsoft Graph documentation<\/a>.<\/p>\n<p>See also the following demo by <a href=\"https:\/\/twitter.com\/Fizzlenik\">Jeremy Kelley<\/a> (Microsoft) from a recent Microsoft Graph community call for additional details.<\/p>\n<p><iframe title=\"SharePoint Site Collection Level Permissions\" width=\"500\" height=\"281\" src=\"https:\/\/www.youtube.com\/embed\/wcJRQDsXMQ8?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe><\/p>\n<p>Over time we will continue to work with the Azure and Microsoft Graph teams to add additional capabilities and support more scenarios.<\/p>\n<p><span style=\"font-size: large\"><em>\u201cSharing is caring\u201d<\/em><\/span><\/p>\n<hr \/>\n<p><i>SharePoint Team, Microsoft &#8211; 11th of February 2021<\/i><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft Graph now has a new 
permission named Sites.Selected, which can be used to control app access on specific SharePoint site collections.<\/p>\n","protected":false},"author":69078,"featured_media":25159,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[3,11,9],"tags":[],"class_list":["post-5961","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-graph","category-office-add-ins","category-sharepoint-framework"],"acf":[],"blog_post_summary":"<p>Microsoft Graph now has a new permission named Sites.Selected, which can be used to control app access on specific SharePoint site collections.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/posts\/5961","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/users\/69078"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/comments?post=5961"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/posts\/5961\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/media\/25159"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/media?parent=5961"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/categories?post=5961"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/tags?post=5961"}],"curies
":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}