Custom permissions for Managed Identity to authenticate with PNP PowerShell in Azure Functions

[callumlinning]

I'm using a Managed Identity to authenticate with PNP PowerShell to run a script in an Azure Function App. I have assigned my app "Sites.FullControl.All" using the following command:

Add-PnPAzureADServicePrincipalAppRole -Principal "Object ID" -AppRole "Sites.FullControl.All" -BuiltInType SharePointOnline

This works as expected. The problem is I want to be able to lock it down to run on specific sites in my tenant, so the principal doesn't have full control over all sites in the tenant. Does anyone know if this is currently possible? I know this is a relatively new cmdlet that's only available in the nightly release at the moment, but I was wondering if anyone had any experience or help to offer.

[AndersRask]

If you are using Windows Graph you can grant access to selected sites only.

The sample below shows how to do this (I don't think there is a UI way to do this yet).

• Create a Client ID and assign a secret/cert
• Grant Sites.Selected under Microsoft Graph
• Using an admin account grant specific site permissions
• Grant-PnPAzureADAppSitePermission -AppId $appRegClientId -DisplayName $appRegName -Site "https://yourtenant.sharepoint.com/sites/yoursite" -Permissions Write
• Permission can also be Read and you can see permissions using Get-PnPAzureADAppSitePermission -Site $siteUrl
• Connect to the site with the client id either using PnP.PowerShell or Rest

NOTE: If using SharePoint API you grant access to SharePoint > Sites.Selected instead
More info:

Controlling app access on a specific SharePoint site collections is now available in Microsoft Graph - Microsoft 365 Developer Blog

How to use Microsoft graph SharePoint Sites.Selected application permission in a Azure AD application for more granular control – Mohamed Ashiq Faleel