Azure App Registration for Select SharePoint Sites
June 27, 2024
This post explains how to create an Azure App Registration and configure it so that your application can access only selected SharePoint sites.
The Azure App Registration grants your application the permissions it needs to the resources it works with, in this example SharePoint, so the application does not have to run under a user account.
In this specific example, rather than giving the app full control over all of SharePoint, we want it to have access to selected SharePoint sites only. We can use PowerShell to set exactly which sites the application is permitted to use.
Create the App Registration in Azure
Follow these steps to create an Azure App Registration that authenticates with a self-signed certificate.
- First, create a self-signed certificate (see [[Create a self-signed Certificate using PowerShell]]).
- Save the .cer and .pfx files and the information used to create the certificate.
- Create an Azure App Registration from Azure AD:
  - Search for "App Registrations", then click on the App Registrations result.
  - Click "New Registration".
  - Enter a user-friendly name.
  - Select your Account types.
  - Click "Register".
- Select "Certificates & Secrets" in the left menu.
- Upload the .cer file created earlier.
- Select "API Permissions".
- Select "Add a permission".
- Select "SharePoint".
- Select "Application permissions".
- Select "Sites.Selected".
- Click the "Add Permissions" button to save.
- As an administrator, click "Grant admin consent for {Your Organization}".
- Click "Yes" to confirm.
Next, use the PowerShell below to set which SharePoint sites the App Registration is allowed to access. Until such a grant is made, Sites.Selected gives the app no access to any site.
Grant permissions to select sites using PowerShell
# Connect to the target site as an administrator, then grant the app Write on that site only.
$targetSiteUrl = '{sharepoint site url}'
Connect-PnPOnline $targetSiteUrl -Interactive
Grant-PnPAzureADAppSitePermission -AppId '{app (client) id}' -DisplayName '{app display name}' -Site $targetSiteUrl -Permissions Write
Get site permission for a selected site
# Lists the app grants on the site; the Id shown is the PermissionId needed to revoke a grant.
Get-PnPAzureADAppSitePermission -Site $targetSiteUrl
Revoke Permission via PowerShell
# Revoke a single grant by its PermissionId, then confirm it is gone.
$targetSiteUrl = '{sharepoint site url}'
Connect-PnPOnline $targetSiteUrl -Interactive
Revoke-PnPAzureADAppSitePermission -PermissionId '{permissionid}' -Site $targetSiteUrl -Force
Get-PnPAzureADAppSitePermission -Site $targetSiteUrl
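As an added example that is not part of the original post, the PowerShell below audits every site in the tenant for grants to the app (flagging any role above the one you intended) and then connects app-only with the uploaded certificate to confirm the app is denied on a site it was not granted. The tenant name, admin centre URL, certificate thumbprint and the non-granted site URL are placeholders you must fill in.

```powershell
# Added example: audit Sites.Selected grants for one app and verify its scope.
# Placeholders (not from the original post): tenant, admin centre URL, thumbprint, site URLs.
$tenant     = 'contoso.onmicrosoft.com'              # placeholder tenant
$adminUrl   = 'https://contoso-admin.sharepoint.com' # placeholder admin centre URL
$appId      = '{app (client) id}'                    # the app registration's client id
$thumbprint = '{certificate thumbprint}'             # thumbprint of the uploaded .cer

function Get-AppSiteAccessReport {
    param(
        [Parameter(Mandatory)][string]$AppId,
        [string]$ExpectedRole = 'write'   # Graph reports roles in lowercase
    )
    # Requires an interactive SharePoint admin connection to the admin centre.
    Get-PnPTenantSite | ForEach-Object {
        $site = $_.Url
        Get-PnPAzureADAppSitePermission -Site $site -ErrorAction SilentlyContinue |
            Where-Object { $_.Apps.Id -contains $AppId } |
            ForEach-Object {
                [pscustomobject]@{
                    Site         = $site
                    PermissionId = $_.Id
                    Roles        = ($_.Roles -join ',')
                    # True when the grant carries any role other than the expected one
                    OverScoped   = @($_.Roles | Where-Object { $_ -ne $ExpectedRole }).Count -gt 0
                }
            }
    }
}

Connect-PnPOnline -Url $adminUrl -Interactive
Get-AppSiteAccessReport -AppId $appId | Format-Table -AutoSize

# Verify the app's effective scope by connecting app-only with the certificate:
# the granted site returns its web, the non-granted site should fail with access denied.
foreach ($url in @('{sharepoint site url}', '{site url that was NOT granted}')) {
    try {
        Connect-PnPOnline -Url $url -ClientId $appId -Tenant $tenant -Thumbprint $thumbprint
        Write-Host "$url : accessible as app, web title '$((Get-PnPWeb).Title)'"
    } catch {
        Write-Host "$url : denied ($($_.Exception.Message))"
    }
}
```

Get-PnPTenantSite skips OneDrive sites by default, so add -IncludeOneDriveSites if the app could have been granted on personal sites.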