Tags: .net, azure, sharepoint, microsoft-graph-api, sharepoint-online

PnP Framework: assign permission to a SharePoint site using PowerShell


We have assigned the app to the selected SharePoint site by using PnP PowerShell, and now PnP has removed that support. Is there any other way we can assign permission to a particular user to access the selected SharePoint site? We have referred to the link below to assign permission using PowerShell. https://medium.com/@sanghuynh_73086/how-to-access-sharepoint-site-using-microsoft-graph-08d20311c61c#:~:text=2.2.-,1.,Sharepoint%20Site%20(selected%20site)

We are fetching the client's SharePoint documents or files using the Graph API. To do this, we have followed these steps to retrieve documents from SharePoint:

Step 1: Open PowerShell locally (version 7.x or later is recommended to run the code).

Step 2: If we don't have PnP PowerShell locally, we use the following commands to install it:

### Install PnP PowerShell in local PowerShell:

# Current, cross-platform module (PowerShell 7.x)
Install-Module PnP.PowerShell -Scope CurrentUser
# Legacy Windows PowerShell module (SharePointPnPPowerShellOnline); retired, kept here only as the original post listed it
Install-Module SharePointPnPPowerShellOnline -Scope CurrentUser

Step 3: Connect to the SharePoint Online site:

### Connect to SharePoint Online:

$devAsiaP = "https://mydomain.sharepoint.com/sites/appname"
Connect-PnPOnline -Url $devAsiaP

Step 4: Verify connection:

### Verify connection:

Get-PnPSite

Step 5: Grant permission (-Permissions Write) for the selected site.

### Grant permission for selected site:

Grant-PnPAzureADAppSitePermission -AppId "{client_id}" -DisplayName "{app_name}" -Permissions Write -Site https://mydomain.sharepoint.com/sites/appname

Step 6: Permission granted successfully.

After this step, the app has permission to control the selected SharePoint site.

Now the problem is that PnP no longer provides a way to assign the permission (the steps mentioned above), and we are looking for an alternative solution.
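The six steps above as one script, added here as an example rather than taken from the post. It uses only the PnP.PowerShell module (the legacy SharePointPnPPowerShellOnline module is retired and should not be installed next to it). Current PnP.PowerShell releases no longer ship a shared multi-tenant sign-in app, so Connect-PnPOnline has to be given the client id of an app registration you own; that, not the grant cmdlet itself, is what usually breaks older scripts. The site URL, $PnPClientId, $TargetAppId and $TargetAppName are placeholders you must replace; the script grants Read rather than Write because the question only fetches documents, and it reads the grant back instead of trusting the cmdlet's return value.

```powershell
#Requires -Version 7.0
#Requires -Modules PnP.PowerShell
# Added example, not the original poster's script. All ids below are placeholders.

$SiteUrl       = "https://mydomain.sharepoint.com/sites/appname"   # site to expose to the app
$PnPClientId   = "00000000-0000-0000-0000-000000000000"            # assumption: your own app registration that PnP uses to sign you in
$TargetAppId   = "11111111-1111-1111-1111-111111111111"            # assumption: client id of the app that holds Sites.Selected
$TargetAppName = "SharePointApp"

# Step 3: interactive sign-in with an app registration you control.
Connect-PnPOnline -Url $SiteUrl -Interactive -ClientId $PnPClientId

# Step 4: fail fast if the session did not land on the intended site,
# so a typo in $SiteUrl cannot grant access to the wrong site collection.
$site = Get-PnPSite
if ($site.Url.TrimEnd('/') -ne $SiteUrl.TrimEnd('/')) {
    throw "Connected to '$($site.Url)' instead of '$SiteUrl'; aborting before granting anything."
}

# Step 5: grant the smallest role that does the job. Read is enough for fetching
# documents; switch to Write only if the app must upload or modify files.
Grant-PnPAzureADAppSitePermission -AppId $TargetAppId -DisplayName $TargetAppName -Permissions Read -Site $SiteUrl | Out-Null

# Step 6: verify what was actually recorded on the site for this app id.
$recorded = Get-PnPAzureADAppSitePermission -Site $SiteUrl -AppIdentity $TargetAppId
if (-not $recorded) {
    throw "No site permission found for app $TargetAppId on $SiteUrl"
}
"Granted: id=$($recorded.Id) roles=$($recorded.Roles -join ',') apps=$($recorded.Apps.DisplayName -join ',')"

Disconnect-PnPOnline
```

The check in step 4 matters because Grant-PnPAzureADAppSitePermission defaults to the connected site when -Site is omitted; always pass -Site explicitly and confirm the connection first. The app that receives the grant needs the Sites.Selected application permission with admin consent, and with that permission it can enumerate nothing else in the tenant, which is the whole point of using it over Sites.Read.All.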


Solution

  • To assign permission to the SharePoint site, you can also make use of the Microsoft Graph API like below:

    Create two Microsoft Entra ID applications: one to assign the site permission, and the other the application you want to assign the permission to.

    In the first application, grant the Sites.FullControl.All application-type API permission.

    Grant Sites.Selected to the other application.

    Now generate the access token using the first application (the one granted the Sites.FullControl.All API permission):

    https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
    
    grant_type : client_credentials
    client_id : ClientIDofFirstApp
    client_secret : SecretofFirstApp
    scope : https://graph.microsoft.com/.default
    


    Now create the permission:

    POST https://graph.microsoft.com/v1.0/sites/{sitesId}/permissions
    Content-Type: application/json
    
    {
      "roles": ["write"],
      "grantedToIdentities": [{
        "application": {
          "id": "AppIDwhichyouwanttograntpermission",
          "displayName": "SharePointApp"
        }
      }]
    }
    


    Reference:

    Create permission - Microsoft Graph v1.0 | Microsoft
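The answer's two Graph calls as one PowerShell 7 script, added here as an example and not part of the answer. It assumes a tenant id, an admin app (Sites.FullControl.All) and its secret, a target app (Sites.Selected) and its secret, the site's hostname and path, and a second site path the target app must not be able to reach; all of these are placeholders. Beyond the answer it resolves the site id from the URL, reads the grant back, and then checks the result from the low-privilege app's side: it must be able to list the granted site's default library and must get 403 on any other site.

```powershell
#Requires -Version 7.0
# Added example, not the original answer's code. All ids, secrets and paths are placeholders.

$TenantId      = "00000000-0000-0000-0000-000000000000"
$AdminAppId    = "11111111-1111-1111-1111-111111111111"   # first app: Sites.FullControl.All (tenant-wide; keep out of the document-fetching service)
$AdminSecret   = $env:ADMIN_APP_SECRET                     # assumption: secret supplied via environment, never hard-coded
$TargetAppId   = "22222222-2222-2222-2222-222222222222"   # second app: Sites.Selected
$TargetSecret  = $env:TARGET_APP_SECRET
$TargetAppName = "SharePointApp"
$Hostname      = "mydomain.sharepoint.com"
$SitePath      = "/sites/appname"          # site the app may use
$OtherSitePath = "/sites/hr"               # assumption: some other site the app must NOT reach

function Get-GraphToken {
    param([string]$ClientId, [string]$ClientSecret)
    # client_credentials grant against the v2.0 endpoint, exactly as in the answer
    $body = @{
        grant_type    = "client_credentials"
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = "https://graph.microsoft.com/.default"
    }
    $resp = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Body $body
    return $resp.access_token
}

$adminHeaders = @{ Authorization = "Bearer $(Get-GraphToken $AdminAppId $AdminSecret)" }

# Resolve the composite site id ("host,siteCollectionId,webId") from the URL.
$site   = Invoke-RestMethod -Headers $adminHeaders -Uri "https://graph.microsoft.com/v1.0/sites/${Hostname}:${SitePath}"
$siteId = $site.id

# Create the permission. 'read' is enough for fetching documents; use 'write' only if the app uploads.
$grantBody = @{
    roles               = @("read")
    grantedToIdentities = @(@{ application = @{ id = $TargetAppId; displayName = $TargetAppName } })
} | ConvertTo-Json -Depth 5
$perm = Invoke-RestMethod -Method Post -Headers $adminHeaders -ContentType "application/json" `
    -Uri "https://graph.microsoft.com/v1.0/sites/$siteId/permissions" -Body $grantBody
"Granted permission $($perm.id) with roles $($perm.roles -join ',')"

# Admin-side check: the grant must appear in the site's permission list.
$listed = Invoke-RestMethod -Headers $adminHeaders -Uri "https://graph.microsoft.com/v1.0/sites/$siteId/permissions"
if (-not ($listed.value | Where-Object { $_.grantedToIdentities.application.id -contains $TargetAppId })) {
    throw "Grant for $TargetAppId not visible on site $siteId"
}

# App-side check: the Sites.Selected app can list the granted site's documents ...
$appHeaders = @{ Authorization = "Bearer $(Get-GraphToken $TargetAppId $TargetSecret)" }
$items = Invoke-RestMethod -Headers $appHeaders -Uri "https://graph.microsoft.com/v1.0/sites/$siteId/drive/root/children"
"App can see $($items.value.Count) item(s) in the granted site's default library"

# ... and is refused on any other site (a plain throw here is not caught by the typed catch below).
try {
    Invoke-RestMethod -Headers $appHeaders -Uri "https://graph.microsoft.com/v1.0/sites/${Hostname}:${OtherSitePath}" | Out-Null
    throw "Sites.Selected app could read $OtherSitePath; its access is broader than intended"
} catch [Microsoft.PowerShell.Commands.HttpResponseException] {
    if ($_.Exception.Response.StatusCode -ne 403) { throw }
    "Access to $OtherSitePath correctly denied (403)"
}
```

Both application permissions need admin consent before the token requests succeed. The first app's Sites.FullControl.All credential can touch every site in the tenant, so run this granting step from an administrative context (and prefer a certificate over a client secret for it); only the Sites.Selected app's credential belongs in the service that fetches documents. The final 403 check is what confirms the blast radius stayed limited to the one site.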