I'm trying to give a user access to the SharePoint API and I have a couple of scenarios I want to clarify:

1. If I create an Azure app registration with 'Sites.Selected' permission for the SharePoint API and add a client secret, how can I grant API access to a user without manually specifying their permissions for each site? Is OAuth necessary here?

2. If I create two Azure app registrations, with App A having 'Sites.FullControl.All' and App B having 'Sites.Selected', how can I use PnP PowerShell to assign permissions to App B?

Microsoft documentation is a bit confusing, any guidance would be appreciated!
3 Answers
Before diving into app registrations, understand the user needs. If they're just logging in with credentials, you might not need the app registration at all. Automations are best handled with minimal permissions, so keep it limited. Grant only what's necessary.
That makes total sense! But I'm still confused about how to proceed with the automation given the permissions.
It sounds like you're trying to manage permissions efficiently! Just remember, user permissions and app permissions are separate. You can set up a PowerShell script that checks permissions on all sites for a service account and mirrors those permissions to App B, making it less manual. If you're using certificate-based auth, that's a solid approach to make the process smoother!
Could you share some snippets or tools you used? I feel lost with the setup.
Absolutely, syncing permissions with PowerShell might require some work, but it's worth it for consistency! Also, certificate-based auth is super reliable.
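An added example of the approach this answer describes (not code from the answerer): App A, which holds Sites.FullControl.All, authenticates with a certificate and grants App B (Sites.Selected) a site-scoped permission, idempotently and with the lowest level that works. Everything below is constructed: the tenant name, both app IDs, the certificate path and the site list are placeholders, and the `Roles` property read from `Get-PnPAzureADAppSitePermission` is assumed from the PnP.PowerShell module's documented output.

```powershell
# Added example, not from the original answer. Requires the PnP.PowerShell module.
# Placeholder values (tenant, app IDs, certificate, sites) must be replaced.
$tenant   = 'contoso.onmicrosoft.com'                  # placeholder tenant
$appAId   = '00000000-0000-0000-0000-00000000000a'     # placeholder: App A (Sites.FullControl.All)
$appBId   = '00000000-0000-0000-0000-00000000000b'     # placeholder: App B (Sites.Selected)
$appBName = 'App B automation'
$certPath = 'C:\certs\appA.pfx'                        # placeholder: App A's certificate
$certPwd  = Read-Host -AsSecureString 'Certificate password'

# Constructed site list: each entry names the site and the least permission
# level App B actually needs there (Read where it only reads, Write otherwise).
$grants = @(
    @{ Url = 'https://contoso.sharepoint.com/sites/Finance'; Level = 'Read'  },
    @{ Url = 'https://contoso.sharepoint.com/sites/HR';      Level = 'Write' }
)

foreach ($g in $grants) {
    # App A connects with certificate-based auth (no client secret on disk).
    Connect-PnPOnline -Url $g.Url -ClientId $appAId -Tenant $tenant `
                      -CertificatePath $certPath -CertificatePassword $certPwd

    # Skip sites where App B already has a grant, so reruns stay safe.
    $existing = Get-PnPAzureADAppSitePermission -AppIdentity $appBId -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "$($g.Url): App B already has $($existing.Roles -join ','), skipping"
    }
    else {
        Grant-PnPAzureADAppSitePermission -AppId $appBId -DisplayName $appBName `
                                          -Permissions $g.Level -Site $g.Url
        Write-Host "$($g.Url): granted $($g.Level) to App B"
    }

    Disconnect-PnPOnline
}
```

Running it again after a site is added to `$grants` only touches the new site; removing a grant later is done with `Revoke-PnPAzureADAppSitePermission` against the permission ID that `Get-PnPAzureADAppSitePermission` returns. Keeping the site list in source control gives you a reviewable record of exactly which sites App B can reach, which is the point of Sites.Selected over a tenant-wide grant.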
Just a heads-up: you can't grant API access beyond what a user can do in the UI. With OAuth, it's possible, but ensure the user has proper permissions. If you're looking for a shortcut, be careful as giving admin consent might open up risks you're trying to avoid.
Thanks for the insight! I'm definitely hesitant about admin consent, but automation seems necessary.
Is there a safer way to approach OAuth? Any resources?
Got it! You're right about minimizing access. I just thought the automation would make things easier. Appreciate the clarity.