Does Grant-PnPAzureADAppSitePermission require Global Admin?

[nickvila-msft]

Hi
I am trying to understand the least privilege assignment needed to run this cmd. Documentation states the following:

https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins-modernize/understanding-rsc-for-msgraph-and-sharepoint-online
Once the Sites.Selected application permission is assigned and granted, the application still can't access any target site collection. In order to be able to access any target site, you'll need a tenant global admin or an application with Sites.FullControl.All application permission to grant explicit permissions for the selected target sites.

However this seems counter-intuitive. Sites.FullControl.All seems less privilege compared to Global Admin. Why does the command require only SPO Rights when running under an application context versus Global Admin rights when running under a user context? In fact, when I run the command using an account that is only SharePoint Online Service Admin AND site collection admin of the target site, it runs successfully.

Is it fair to say this command does not require Global Admin but rather can be run with just SPO Admin rights?

[waaromikniet]

What cmd do you use to set up your connection and grant permissions?

[AndersRask]

Can you describe step-by-step how you grant permissions with a SPO Admin user?
Below you can see the result for an SPO and a Global Admin, where Grant is greyed out for the SPO admin.
I have always used GA for the grant part (for creating etc it is not necessary). I can't recall using a app to grant for a Sites.Selected app, but yes, it does sound a bit counter intuitive that it should be enough with full control to grant for other sites. Did you test this?

[nickvila]

Yes here are the steps:

1. Global Admin must configure an App Registration with Application Permissions - Sites.Selected permissions and grant consent

2. SPO Admin can connect to PNP PowerShell module with these commands:

`##Connect to PNP Admin with SPO Admin Credentials
$UserName="aroberts@vilaces.com"
$Password = "*******"
$SecurePassword = ConvertTo-SecureString -String $Password -AsPlainText -Force
$Cred = New-Object -TypeName System.Management.Automation.PSCredential -argumentlist $UserName, $SecurePassword

$HashArguments = @{
Url = $clientSiteURL
Credentials = $cred
}
$arobertsConn = Connect-PnPOnline @HashArguments -ReturnConnection`

3. SPO Admin can run the PNP command to grant the Application ID created in Step 1 access to a specific site collection:

Grant-PnPAzureADAppSitePermission -AppId '7cba41c5-5ebe-4235-aff9-7559bd9b3190' -DisplayName 'SPO List Alerts' -Site 'https://m365x062601.sharepoint.com/sites/Pharmacy3' -Permissions 'Write' -Connection $arobertsConn

4. This application ID can now connect to the above listed site with Application permissions: