Limiting access to SharePoint for custom app access using Sites.Selected

4960 views 2 Updated on May 7, 2025

Limiting access to SharePoint for custom app access using Sites.Selected can be used, When choosing custom AppAccess, you can limit the scope of access to Sharepoint by using the Sites.Selected privilege. The Sites.Selected does not grant any privileges on its own, but allows you to manually define the access for the app.

The step-by-step guide on limiting access to SharePoint for custom app access using Sites.Selected.

Note: Without privileges, an app with Sites.Selected cannot logon to Sharepoint.

Granting privileges via PowerShell

Limiting the scope of access to SharePoint using Sites.Selected
Figure 1: An example screenshot of PowerShell

To grant privileges, you will first need to enter the following line of code in order to allow PowerShell to communicate with SharePoint:

Import-Module PnP.PowerShell

Then, you will need to enter the next line of code to connect PowerShell to your SharePoint, replacing <YourSharepoint> with your SharePoint URL.

Connect-PnPOnline -Url <YourSharepoint> -Interactive

Once entered, you will need to grant PowerShell permission via a connection dialog. This will allow PowerShell to manage Sharepoint.

Limiting the scope of access to SharePoint using Sites.Selected
Figure 2: A portion of the permissions dialog

After PowerShell has been permitted to connect, you can grant permissions for your app through the following line of code (replacing any tags with brackets with your own values): 

Grant-PnPAzureADAppSitePermission -AppId <AppId> -DisplayName <AppDisplayName> -Site <YourSharepoint> -Permissions <Permission>

The possible permissions that can be granted by replacing the <Permission> tag are as follows:

  • Read
  • Write – Save to Sharepoint, but cannot create OnBehalfOfColumn to reflect the user initiating the save
  • Manage – Save to Sharepoint and create OnBehalfOfColumn to reflect the user initiating the save
  • FullControl

Alternative: Using Microsoft Graph PowerShell SDK

In some environments, the PnP.PowerShell module may not work reliably. As an alternative, you can use the Microsoft Graph PowerShell SDK to grant Sites.Selected access programmatically by following these steps: 

Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "Sites.FullControl.All"

$Site = Get-MgSite "yourtenant.sharepoint.com:/sites/testsite1:/"

$Application = @{
    id = "<AppId>"
    displayName = "<AppDisplayName>"
}

$Status = New-MgSitePermission -SiteId $Site.Id `
    -Roles "write" `
    -GrantedToIdentities @{"application" = $Application}

Note:

  • The “:” need to enclose he full site definition when using “Get-MgSite
  • The grantable permissions are outlined above

Revoke privilege

To revoke privileges, you can use the following code:

Revoke-PnPAzureADAppSitePermission -PermissionId <Id>

Note: Revoke does not prompt any error if the specified Id does not exist. Always verify if the privileges are as desired by checking the granted privileges.

Check granted privileges

To check privileges, you can use the following code:

Get-PnPAzureADAppSitePermission -AppIdentity <AppId>

That’s it! We appreciate your feedback! Please share your thoughts by sending an email to support@mscrm-addons.com.

Tags:

Was this helpful?

 
Related Articles