When choosing custom AppAccess, you can limit the scope of access to SharePoint by using the Sites.Selected privilege. Sites.Selected does not grant any privileges on its own; instead, it lets you define the app's access explicitly, site by site.
Note: Without such explicitly granted site permissions, an app holding only Sites.Selected cannot log on to SharePoint.
Granting privileges via PowerShell
To grant privileges, you will first need to enter the following line of code in order to allow PowerShell to communicate with SharePoint:
Then, you will need to enter the next line of code to connect PowerShell to your SharePoint site, replacing <YourSharepoint> with your SharePoint site URL.
Connect-PnPOnline -Url <YourSharepoint> -Interactive
Once entered, you will need to grant PowerShell permission via a connection dialog. This will allow PowerShell to manage SharePoint.
After PowerShell has been permitted to connect, you can grant permissions for your app through the following line of code (replacing each placeholder in angle brackets with your own value):
Grant-PnPAzureADAppSitePermission -AppId <AppId> -DisplayName <AppDisplayName> -Site <YourSharepoint> -Permissions <Permission>
The possible permissions that can be granted by replacing the <Permission> placeholder are as follows:
- Write – Save to SharePoint, but cannot create OnBehalfOfColumn to reflect the user initiating the save
- Manage – Save to SharePoint and create OnBehalfOfColumn to reflect the user initiating the save
To revoke privileges, you can use the following code:
Revoke-PnPAzureADAppSitePermission -PermissionId <Id>
Note: Revoke does not return an error if the specified Id does not exist, so a typo in the Id silently leaves the permission in place. Always verify that the privileges are as intended by checking the granted privileges afterwards.
Check granted privileges
To check privileges, you can use the following code:
Get-PnPAzureADAppSitePermission -AppIdentity <AppId>
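The grant, check and revoke steps above combined into one script that verifies each step, as an added example that is not part of the original page. The site URL, app id and display name are placeholders, and the Id and Roles properties read from the Get output are assumed from the PnP output object.

```powershell
# Added example: grant Sites.Selected access for one app on one site,
# then verify the result, since Revoke silently ignores unknown Ids.
# All values below are placeholders to be replaced with your own.
$SiteUrl = "https://contoso.sharepoint.com/sites/Finance"   # placeholder site URL
$AppId   = "00000000-0000-0000-0000-000000000000"            # placeholder app (client) id
$AppName = "My Custom App"                                   # placeholder display name
$Wanted  = "Write"                                           # or "Manage" if OnBehalfOfColumn is needed

Connect-PnPOnline -Url $SiteUrl -Interactive

# Grant only if the app has no permission on this site yet (avoids duplicate grants)
$existing = Get-PnPAzureADAppSitePermission -AppIdentity $AppId
if (-not $existing) {
    Grant-PnPAzureADAppSitePermission -AppId $AppId -DisplayName $AppName `
        -Site $SiteUrl -Permissions $Wanted
}

# Verify: exactly the intended role and nothing broader (Id/Roles assumed properties)
$perms = Get-PnPAzureADAppSitePermission -AppIdentity $AppId
foreach ($p in $perms) {
    if (($p.Roles -contains $Wanted) -and ($p.Roles.Count -eq 1)) {
        Write-Host "OK: permission $($p.Id) grants $Wanted on $SiteUrl"
    } else {
        Write-Warning "Unexpected roles on $($p.Id): $($p.Roles -join ',')"
    }
}

# Revoke with verification: re-read the permissions, because Revoke does not
# report a missing or mistyped Id. Uncomment to actually revoke.
# foreach ($p in $perms) {
#     Revoke-PnPAzureADAppSitePermission -PermissionId $p.Id -Force
# }
# if (Get-PnPAzureADAppSitePermission -AppIdentity $AppId) {
#     Write-Warning "App still has permissions on $SiteUrl; check the Ids used"
# } else {
#     Write-Host "Revoked: no permissions remain for $AppId on $SiteUrl"
# }
```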
That’s it! We appreciate your feedback! Please share your thoughts by sending an email to firstname.lastname@example.org.