Sunday, 15 February 2026

Entra ID App Registrations

Overview: MS Graph and OAuth permissions need to be assigned using Entra ID (IdP) App Registrations.

App registration - is the definition of an app (API permissions it exposes, scopes, app roles, redirect URIs, etc.).

Enterprise Application (Service principal) - the instance of that app in an Entra tenant, created once consent is granted.

Consent is granted to an Enterprise Application instance (service principal), not to an app registration.

Steps to Set up MS Graph Access for SharePoint Online (Site Collection Level Access)

1. Register a new App Reg in Entra ID

2. Add the MS Graph API Permission: Sites.Selected Delegated

3. Using PowerShell 7, install the PnP.PowerShell module and connect to the site with Connect-PnPOnline

PS> Install-Module PnP.PowerShell -Scope CurrentUser

PS> Connect-PnPOnline -Url https://radimaging.sharepoint.com/sites/Contracts -ClientId <xxx-xxx> -Interactive

4. Assign the new App Registration to your SharePoint site; you must be a Site Collection Administrator of that site to do this.

PS> Grant-PnPAzureADAppSitePermission -AppId "8f468b7c-9APP-YOU-WANT-TO-GRANT" -DisplayName "My App" -Site "https://<tenant>.sharepoint.com/sites/<site>" -Permissions Write

Tip: "Read" may be enough instead of "Write"; a higher permission level can also be granted if the app really needs it.

5. When you access the site for the first time, you will be asked to provide consent (an administrator can also consent on behalf of business users).

6. Verify in Portal.azure.com > Entra ID > Manage > Enterprise Applications that the app registration you consented to now appears as an Enterprise Application (service principal).

7. Connect to the site using Postman or any client to verify you have the access you need.
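Once the steps above are done, the following PowerShell (an added example, not part of this post) audits which app registrations hold Sites.Selected grants on the site, flags anything above Read, optionally downgrades those grants, and then checks Graph access to the site using the signed-in user's delegated token instead of Postman. It assumes PnP.PowerShell is installed, that `$SiteUrl` and `$ClientId` are placeholders you replace, and that the grant objects expose `Id`, `Roles` and `Apps` as in PnP's documented output.

```powershell
# Added example, not from the original post: audit the Sites.Selected grants on one
# site, flag anything above Read (least privilege), optionally downgrade them, and
# confirm Graph access to the site with the signed-in user's delegated token.
# Assumptions: PnP.PowerShell is installed (step 3); $SiteUrl/$ClientId are
# placeholders; property names (Id, Roles, Apps) follow PnP's documented output.
param(
    [string]$SiteUrl  = "https://<tenant>.sharepoint.com/sites/<site>",  # placeholder
    [string]$ClientId = "<app-registration-client-id>",                   # placeholder
    [switch]$DowngradeToRead                                              # opt-in remediation
)

# Interactive sign-in as a Site Collection Administrator, as in steps 3 and 4.
Connect-PnPOnline -Url $SiteUrl -ClientId $ClientId -Interactive

# 1. Enumerate every app registration that has been granted access to this site.
$grants = @(Get-PnPAzureADAppSitePermission -Site $SiteUrl)
Write-Host ("{0} Sites.Selected grant(s) on {1}" -f $grants.Count, $SiteUrl)
foreach ($grant in $grants) {
    $appNames = ($grant.Apps | ForEach-Object { "$($_.DisplayName) ($($_.Id))" }) -join ", "
    $roles    = @($grant.Roles)
    $elevated = $roles | Where-Object { $_ -in @("Write", "Manage", "FullControl") }
    if ($elevated) {
        Write-Warning ("{0} holds {1}; review whether Read would suffice (step 4 tip)" -f $appNames, ($roles -join ","))
        if ($DowngradeToRead) {
            # Set-PnPAzureADAppSitePermission replaces the grant's roles in place.
            Set-PnPAzureADAppSitePermission -Site $SiteUrl -PermissionId $grant.Id -Permissions Read
            Write-Host "  downgraded $appNames to Read"
        }
    } else {
        Write-Host ("{0}: {1}" -f $appNames, ($roles -join ","))
    }
}

# 2. Verify access as step 7 describes, but without Postman: call Graph with the
#    delegated token from the current PnP session. A 403 means the site grant, the
#    Sites.Selected permission on the app registration, or consent is missing.
$token = Get-PnPGraphAccessToken
$u     = [Uri]$SiteUrl
$graph = "https://graph.microsoft.com/v1.0/sites/$($u.Host):$($u.AbsolutePath)"
try {
    $site = Invoke-RestMethod -Uri $graph -Headers @{ Authorization = "Bearer $token" }
    Write-Host ("Graph access OK: {0} (id {1})" -f $site.displayName, $site.id)
} catch {
    Write-Warning ("Graph call to {0} failed: {1}" -f $graph, $_.Exception.Message)
}
```

Run it without `-DowngradeToRead` first to see the report; the downgrade only runs when you opt in.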