I'm trying to give a user access to the SharePoint API and I have a couple of scenarios I want to clarify: 1. If I create an Azure app registration with 'Sites.Selected' permission for the SharePoint API and add a client secret, how can I grant API access to a user without manually specifying their permissions for each site? Is OAuth necessary here? 2. If I create two Azure app registrations, with App A having 'Sites.FullControl.All' and App B having 'Sites.Selected', how can I use PnP PowerShell to assign permissions to App B? Microsoft documentation is a bit confusing, any guidance would be appreciated!
2 Answers
It sounds like you're trying to manage permissions efficiently! Just remember, user permissions and app permissions are separate. You can set up a PowerShell script that checks permissions on all sites for a service account and mirrors those permissions to App B, making it less manual. If you're using certificate-based auth, that's a solid approach to make the process smoother!
Absolutely, syncing permissions with PowerShell might require some work, but it's worth it for consistency! Also, certificate-based auth is super reliable.
Just a heads-up: you can't grant API access beyond what a user can do in the UI. With OAuth, it's possible, but ensure the user has proper permissions. If you're looking for a shortcut, be careful as giving admin consent might open up risks you're trying to avoid.
Thanks for the insight! I'm definitely hesitant about admin consent, but automation seems necessary.
Is there a safer way to approach OAuth? Any resources?
Could you share some snippets or tools you used? I feel lost with the setup.