!!!Managing SharePoint Site Access for Applications Using Sites.Selected Permission\\
\\
The __Sites.Selected__ permission allows an app to access only the specific SharePoint sites you explicitly authorize. This wiki page provides guidance on how to grant SharePoint write access (required for __SharePoint2 protocol__ see [SharePoint Integration]) to an __App Registration__ configured in the Azure Portal. Using Sites.Selected offers a much more secure alternative to granting full access across your entire tenant. See this: [https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread]\\
\\
!!__1.__ Create an App Registration with permission Sites.FullControl.All\\
\\
__!!! Important:__ This App Registration is not the working app that will access the SharePoint site.
It is a helper/admin app, used only to configure and grant SharePoint write permissions to other apps (the real apps that will use Sites.Selected permission).\\
\\
Start at the Microsoft Azure portal: [https://azure.microsoft.com/en-us/features/azure-portal/]\\
\\
__Application registration: __Go to the App registrations and click on __New registration__:\\
\\
[SharePoint%20Integration/new_registration.png]\\
\\
The __Redirect URI (optional)__ is not required, because it will  has a __Application Permission__ only.\\
\\
Configure API Permissions:\\
\\
Navigate to API Permissions. Click on __Add a permission__ button. Select __Microsoft Graph__. Then select __Application Permission__. Search for __Sites__ and check the flag __Sites.FullControll.All__.\\
\\
[CrushTaskExample19/app_permission_sites_full_control.png]\\
\\
__Secret key__: A new client secret must be created. Go to Certificates & secrets, and generate a new client secret by clicking on New client secret. Ensure you copy over the value immediately!\\
\\
[SharePoint%20Integration/new_secret.png]\\
\\
[SharePoint%20Integration/secret_value.png]\\
\\
!!__2.__ Create an App Registration to Access SharePoint Site Documents Using the Sites.Selected Permission\\
\\
Application registration: Go to the App registrations and click on New registration. Select platform: Web and Configure redirect URL like:\\
{{{
    http://localhost:9090/register_microsoft_graph_api/
}}}
or 
{{{
    https://your.crushftp.domain.com/register_microsoft_graph_api/
}}}
\\
Navigate to API Permissions. Click on Add a permission button. Select SharePoint. Then select Delegated Permission. Search for Sites and check the flag Sites.Selected.
\\
[CrushTaskExample19/app_permission_sharepoint_site_selected.png]\\
\\
Secret key: A new client secret must be created. Go to Certificates & secrets, and generate a new client secret by clicking on New client secret. Ensure you copy over the value immediately!\\
\\
!!! 3. How to grant SharePoint access to an App Registration?\\
\\
To grant Site Access for App registration you need to do an HTTPS call:\\
{{{
POST https://graph.microsoft.com/v1.0/sites/{tenant}.sharepoint.com:/sites/{site-name}:/permissions
}}}
\\
Curl example:\\
\\
{{{
curl -X POST "https://graph.microsoft.com/v1.0/sites/contoso.sharepoint.com:/sites/Your_Site:/permissions" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "roles": ["write"],
    "grantedToIdentities": [
      {
        "application": {
          "id": "11111111-2222-3333-4444-555555555555",
          "displayName": "My Azure App Registration"
        }
      }
    ]
  }'
}}}
\\
!!! 4. Job\\
\\
Tasks:\\
[CrushTaskExample19/find_a_file.png]\\
\\
[CrushTaskExample19/get_acccess_token_variables.png]\\
\\
[CrushTaskExample19/get_access_token_http_1.png]\\
\\
[CrushTaskExample19/get_access_token_http_2.png]\\
\\
[CrushTaskExample19/parse_access_token_from_response.png]\\
\\