At line 3 changed one line |
The __Sites.Selected__ permission allows an app to access only the specific SharePoint sites you explicitly authorize. This wiki page provides guidance on how to grant SharePoint write access (required for __SharePoint2 protocol__ see [SharePoint Integration]) to an __App Registration__ configured in the Azure Portal. Using Sites.Selected offers a much more secure alternative to granting full access across your entire tenant. See this: [https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread]\\ |
The __Sites.Selected__ permission allows an app to access only the specific SharePoint sites you explicitly authorize. This wiki page provides guidance on how to grant SharePoint write access (required for __SharePoint__/__SharePoint2 protocol__ see [SharePoint Integration]) to an __App Registration__ configured in the Azure Portal. Using Sites.Selected offers a much more secure alternative to granting full access across your entire tenant. See this: [Granting access via Azure AD App-Only Link|https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread]\\ |
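Review bot: The "much more secure alternative" claim only covers the working app; the procedure that follows creates a second registration that is granted a tenant-wide permission in order to perform the grant. Suggest saying in this intro that two registrations are involved (a granting app and the CrushFTP app) so the reader does not assume both end up with Sites.Selected only.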
At line 7 changed one line |
__!!! Important:__ This App Registration is not the working app that will access the SharePoint site. |
__⚠️ Important:__ This App Registration is not the working app that will access the SharePoint site. |
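Review bot: Missing documentation: the warning states what this registration is not, but not what it is for. Suggest adding that it is used only to grant Sites.Selected to the CrushFTP registration from section 2, and whether its client secret should be revoked or the registration removed once the grant has been applied.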
At line 10 changed one line |
Start at the Microsoft Azure portal: [https://azure.microsoft.com/en-us/features/azure-portal/]\\ |
Start at the __Microsoft Azure Portal__: [Link|https://azure.microsoft.com/en-us/features/azure-portal/]\\ |
At line 12 changed one line |
__Application registration: __Go to the App registrations and click on __New registration__:\\ |
__Application registration:__ Navigate to App registrations in the Azure Portal. Click on __New registration__ to create a new application.\\ |
At line 18 changed one line |
Configure API Permissions:\\ |
__Configure API Permissions__: Navigate to API Permissions. Click on __Add a permission__ button. Select __Microsoft Graph__. Then select __Application Permission__. Search for __Sites__ and check the flag __Sites.FullControll.All__.\\ |
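Review bot: Typo in the permission name: `Sites.FullControll.All` (double l) does not exist; the Microsoft Graph application permission is `Sites.FullControl.All`. Since this is a tenant-wide permission, it is also worth stating here that the secret created for this registration is a high-value credential and should be handled accordingly.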
At line 20 removed 2 lines |
Navigate to API Permissions. Click on __Add a permission__ button. Select __Microsoft Graph__. Then select __Application Permission__. Search for __Sites__ and check the flag __Sites.FullControll.All__.\\ |
\\ |
At line 24 changed one line |
__Secret key__: A new client secret must be created. Go to Certificates & secrets, and generate a new client secret by clicking on New client secret. Ensure you copy over the value immediately!\\ |
⚠️ Grant __Admin consent__ for the newly added permission.\\ |
At line 24 added 4 lines |
[SharePoint Integration/app_permission_admin_consent.png]\\ |
\\ |
__Secret key__: A new client secret must be created. Go to Certificates & secrets, and generate a new client secret by clicking on New client secret. ⚠️ Ensure you copy over the value immediately!\\ |
\\ |
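Review bot: "copy over the value immediately" is correct but incomplete: suggest also recommending the shortest expiry that fits the rotation schedule and keeping the value out of the wiki, since later steps place it in a plain job variable (`sites_full_control_client_secret_password`) that anyone who can read the job definition can see.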
At line 34 added 2 lines |
Start at the Microsoft Azure Portal: [Link|https://azure.microsoft.com/en-us/features/azure-portal/]\\ |
\\ |
At line 35 changed 3 lines |
}}} |
or |
{{{ |
or |
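Review bot: Removing the `}}}` / `{{{` pair around `or` moves the word inside the preformatted block that is open before this hunk, so the two alternatives no longer render as separate blocks. Confirm this is intended; otherwise keep the close/reopen around `or`.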
At line 41 changed one line |
Navigate to API Permissions. Click on Add a permission button. Select SharePoint. Then select Delegated Permission. Search for Sites and check the flag Sites.Selected. |
Navigate to API Permissions. Click on Add a permission button. Select SharePoint or Microsoft Graph. Then select Delegated/Application Permission. Search for Sites and check the flag Sites.Selected.\\ |
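Review bot: "Delegated/Application Permission" is ambiguous and the reader has to pick. State which one the CrushFTP integration actually uses: an app-only flow with no signed-in user (as the `grant_type=client_credentials` token request later on this page) only works with the Application variant of Sites.Selected, and that variant needs admin consent, as in section 1.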
At line 45 added 2 lines |
__2.1 App Permissions for SharePoint REST API__ (See at: [Link|https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/get-to-know-the-sharepoint-rest-service?tabs=csom]):\\ |
\\ |
At line 49 added 2 lines |
__2.2 App Permissions for Microsoft Graph API__ (See at: [Link|https://learn.microsoft.com/en-us/sharepoint/dev/apis/sharepoint-rest-graph]):\\ |
\\ |
At line 47 changed one line |
Secret key: A new client secret must be created. Go to Certificates & secrets, and generate a new client secret by clicking on New client secret. Ensure you copy over the value immediately!\\ |
⚠️ Grant __Admin consent__ for the newly added permission.\\ |
At line 55 added 4 lines |
[SharePoint Integration/app_permission_admin_consent.png]\\ |
\\ |
__Secret key__: A new client secret must be created. Go to Certificates & secrets, and generate a new client secret by clicking on New client secret. ⚠️ Ensure you copy over the value immediately!\\ |
\\ |
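Review bot: This secret-key paragraph is a verbatim copy of the one in section 1; if the handling advice changes, both copies must be updated. Consider a single shared paragraph referenced from both sections.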
At line 138 changed one line |
}}} |
}}}\\ |
At line 152 added 4 lines |
Sample job.XML can be downloaded here: [CrushTaskExample19/job.XML]\\ |
\\ |
[CrushTaskExample19/grant_sharepoint_site_access_job.png]\\ |
\\ |
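Review bot: Before attaching `job.XML`, check that every client id, tenant id and client secret in it is a placeholder (the `XXXX-XXX-XXX-XXX` form used below); otherwise the attachment ships a live tenant-wide credential with the wiki page.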
At line 159 added 7 lines |
Find any local file on the server. Settings:\\ |
{{{ |
Don't Add Folders: true |
Max Items to Find: 1 |
Depth: 1 |
}}}\\ |
\\ |
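Review bot: Missing explanation for the Find step: a reader will not know why a local file lookup precedes a workflow that only makes HTTP calls. Add one sentence on its purpose (for example, whether it only supplies the single item that the following tasks run against) so the settings `Max Items to Find: 1` and `Depth: 1` make sense.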
At line 167 added 14 lines |
You need the following variables to obtain an access token:\\ |
{{{ |
sites_full_control_client_id = XXXX-XXX-XXX-XXX |
(See at App Registration -> Overview -> Application (client) ID) |
|
sites_full_control_client_secret_password = XXXX-XXX-XXX-XXX |
(See at App Registration -> Manage -> Certificates & secrets) |
|
tenant_id = XXXX-XXX-XXX-XXX |
(See at App Registration -> Overview -> Directory (tenant) ID) |
|
get_access_token_http_post_data = client_id={sites_full_control_client_id}&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&client_secret={sites_full_control_client_secret_password}&grant_type=client_credentials |
|
}}}\\ |
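Review bot: `get_access_token_http_post_data` splices the raw secret into a form-encoded body. If a secret contains characters reserved in `application/x-www-form-urlencoded` (`+`, `&`, `=`, `%`), the token request fails or sends a truncated secret, so either URL-encode the variable the same way `scope` is encoded or say that the secret must be checked for such characters. The same block should also note that the secret is stored in clear text in the job definition.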
At line 184 added 12 lines |
{{{ |
|
URL : https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token |
|
HTTP Method: POST |
|
POST Data: {get_access_token_http_post_data} |
|
Expected Response Codes: 200,204 |
|
}}}\\ |
\\ |
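Review bot: `Expected Response Codes: 200,204` is too permissive for the token endpoint: a successful token response is always `200` with a JSON body, while a `204` carries no body, so accepting it would let the job continue with an empty token. Suggest `200` only.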
At line 151 changed one line |
[CrushTaskExample19/check_response_code.png]\\ |
{{{ |
|
Header: Content-Type application/x-www-form-urlencoded |
|
}}}\\ |
At line 204 added 2 lines |
}}}\\ |
\\ |
At line 208 added 8 lines |
{{{ |
|
access_token_response = {json_parse_start}{http_response_log}{json_parse_end} |
|
sharepoint_site_relative_path = YOUR.sharepoint.com:/sites/YOUR_Site_Path/: |
|
}}} |
\\ |
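Review bot: This block defines `access_token_response`, but the headers further down use `{access_token}`, which is never defined on this page. Document how `access_token` is extracted from the parsed JSON (the field in the token response is `access_token`). The `hostname:/sites/path:` form of `sharepoint_site_relative_path` is right for Graph; worth saying that the trailing colon is required before `/permissions` is appended.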
At line 218 added 10 lines |
{{{ |
|
URL: https://graph.microsoft.com/v1.0/sites/{sharepoint_site_relative_path}/permissions |
|
HTTP Method: GET |
|
Expected Response Codes: 200,204 |
|
}}} |
\\ |
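Review bot: Same point as for the token request: a successful GET of site permissions returns `200` with the permission list, so `204` should not be accepted. It would also help to say that this call is a baseline listing taken before the grant, so the later "Reload the site permissions" step has something to compare against.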
At line 159 changed one line |
[CrushTaskExample19/check_response_code.png]\\ |
{{{ |
|
Header: Authorization Bearer {access_token} |
|
Header: Accept application/json |
|
}}}\\ |
At line 238 added 59 lines |
[CrushTaskExample19/new_permission_related_variables.png]\\ |
\\ |
{{{ |
|
site_slected_app_id = XXXX-XXX-XXX-XXX |
(See at App Registration -> Overview -> Application (client) ID) |
|
identity_name = CrushFTP - Grant Write Access to App Registration - {site_slected_app_id} |
|
sharepoint_grant_permission_http_post_data = {n} |
"roles": [{n} |
"write"{n} |
],{n} |
"grantedToIdentities": [{n} |
{{n} |
"application": {{n} |
"id": "{site_slected_app_id}",{n} |
"displayName": "{identity_name}"{n} |
}{n} |
}{n} |
]{n} |
} |
|
}}}\\ |
\\ |
[CrushTaskExample19/new_permission_http_1.png]\\ |
\\ |
{{{ |
|
URL : https://graph.microsoft.com/v1.0/sites/{sharepoint_site_relative_path}/permissions |
|
HTTP Method: POST |
|
POST Data: {sharepoint_grant_permission_http_post_data} |
|
Expected Response Codes: 201,204 |
|
}}}\\ |
\\ |
[CrushTaskExample19/new_permission_http_2.png]\\ |
\\ |
{{{ |
|
Header: Authorization Bearer {access_token} |
|
Header: Content-Type application/json |
|
Header: Accept application/json |
|
}}}\\ |
\\ |
Reload the site permissions, including the newly created one.\\ |
\\ |
[CrushTaskExample19/get_site_permission_http_1.png]\\ |
\\ |
[CrushTaskExample19/check_new_permission.png]\\ |
\\ |
[CrushTaskExample19/error_handler_task.png]\\ |
\\ |
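Review bot: `site_slected_app_id` is misspelled (consistently, so it works, but rename to `site_selected_app_id` before the variable spreads into other jobs). The body uses the Graph site-permission shape (`roles` / `grantedToIdentities` / `application`) and `write` is the least-privilege role for an app that only needs to upload, which is worth stating. `Expected Response Codes: 201,204` should be `201` only, since a created permission is returned with a body. The closing "Reload" and "check new permission" steps should say what to look for: an entry whose `grantedToIdentities` contains the CrushFTP application id with `roles` equal to `write`.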