Traditionally, SharePoint permissions were managed at site level, via groups and roles. However, administrators of SharePoint site collections can no longer register applications or update their permissions directly. When updating permissions via the AppInv.aspx page, an error message appears:
"Your SharePoint administrator does not allow site owners to update application permissions. Contact your SharePoint administrator."
Authorization management is now handled by Microsoft Entra ID (Azure AD) and the Microsoft Graph API. These tools enable much more granular and targeted permissions, such as Sites.Selected, which improves security and access management for applications.
Key features of Sites.Selected:
1. Granular access control
Rather than granting access to all applications on all sites, administrators can now specify particular sites to which applications have access. This minimizes the risk of unauthorized access to sensitive data, and ensures that each application only has access to the resources it needs.
2. Enhanced security
By limiting application access permissions to selected SharePoint sites, organizations can better protect their sensitive information and meet the requirements of data protection regulations. This authorization model provides an additional layer of protection by allowing only the access that is actually required.
3. Simplified management
Administrators can manage site-specific permissions via the SharePoint Admin Center or PowerShell commands such as Grant-PnPAzureADAppSitePermission. This simplifies the granting and revocation of access, while maintaining rigorous authorization tracking. Administrators can choose between different permission levels: FullControl, Read, Manage, Write.
Configuration steps:
1. Application registration in Microsoft Entra ID
Start by registering the application in Microsoft Entra ID (Azure AD) and granting it the Sites.Selected application permission for SharePoint. This allows you to manage access to specific sites instead of the whole tenant. You can also define other permission levels to suit your needs.
2. Granting permissions on a specific site
Use PnP PowerShell to connect to the SharePoint admin site. Next, use the Grant-PnPAzureADAppSitePermission command to assign permissions to the application on the target site. You can set permissions such as FullControl, Read, Manage, or Write.
3. Testing the solution
Test your configuration by trying to add an item to a SharePoint list. If permissions are correctly applied, only authorized actions will be possible.
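The three steps above, carried through end to end as an added PnP PowerShell example (this is not the author's script; it is written here to illustrate the procedure). The tenant name, application (client) id, site URL, list name and certificate path are constructed placeholders; the cmdlet names are the real PnP PowerShell ones referenced in the post (Grant-/Get-/Set-/Revoke-PnPAzureADAppSitePermission, Connect-PnPOnline, Add-PnPListItem). The app registration itself (step 1, granting Sites.Selected with admin consent) is done in the Entra ID portal and is assumed to be complete before this runs.

```powershell
# Constructed values for illustration: replace with your own tenant, app and site.
$tenant   = "contoso.onmicrosoft.com"
$adminUrl = "https://contoso-admin.sharepoint.com"
$siteUrl  = "https://contoso.sharepoint.com/sites/Finance"
$appId    = "00000000-0000-0000-0000-000000000000"   # client id of the app registered in step 1
$certPath = "C:\certs\finance-app.pfx"              # certificate used by the app to authenticate

# --- Step 2: grant the app access to ONE site (run as a SharePoint administrator) ---
Connect-PnPOnline -Url $adminUrl -Interactive

# Start with the least privilege the workload needs; Write is enough to add list items.
$grant = Grant-PnPAzureADAppSitePermission `
    -AppId $appId `
    -DisplayName "Finance Sync App" `
    -Site $siteUrl `
    -Permissions Write

# Verify what was actually recorded on the site: this is the audit trail for Sites.Selected.
Get-PnPAzureADAppSitePermission -Site $siteUrl |
    Select-Object Id, DisplayName, Roles, Apps

# If a later requirement needs a higher level, raise it explicitly on the existing grant
# rather than re-granting; the other levels the post lists are Read, Manage and FullControl.
# Set-PnPAzureADAppSitePermission -Site $siteUrl -PermissionId $grant.Id -Permissions Manage

Disconnect-PnPOnline

# --- Step 3: test as the application itself (app-only, certificate auth) ---
Connect-PnPOnline -Url $siteUrl -ClientId $appId -Tenant $tenant -CertificatePath $certPath

try {
    # Allowed on the granted site: add an item to a list.
    Add-PnPListItem -List "Tasks" -Values @{ "Title" = "Sites.Selected test item" } -ErrorAction Stop
    Write-Host "Write to $siteUrl succeeded: grant is effective."
}
catch {
    Write-Warning "Write to $siteUrl failed: $($_.Exception.Message)"
}

Disconnect-PnPOnline

# Expected negative check: the same app-only connection to a site that was NOT granted
# (e.g. https://contoso.sharepoint.com/sites/HR) fails with 403 Forbidden, because
# Sites.Selected grants nothing until a site permission is added.

# --- Revocation, when the app is decommissioned (run as a SharePoint administrator) ---
# Connect-PnPOnline -Url $adminUrl -Interactive
# Revoke-PnPAzureADAppSitePermission -Site $siteUrl -PermissionId $grant.Id -Force
```

The useful check here is the Get-PnPAzureADAppSitePermission call: it lists every application that holds a grant on the site and the role each holds, so it can be run periodically per site to catch grants that outlived the project that needed them, and the negative test against an ungranted site confirms that the tenant-wide Sites.Selected consent alone confers no access.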
Conclusion
Sites.Selected permission in SharePoint Online offers precise control over application access to specific sites, reinforcing security and ensuring compliance. By implementing this authorization model, organizations can optimize access management while protecting sensitive data. This granular model is a must for maintaining a secure collaborative environment as SharePoint evolves.
#SharePoint #AzureAD #PnP #Security #PowerShell #MicrosoftGraph #Collaboration
