Microsoft Graph - Access to specific site collection

Configure "App Registration" in order to limit access to one site.


When working with Microsoft Graph against a SharePoint site we have to configure the permissions of our app registration.

If you need the basics (creating an App Registration, getting a client secret, and so on), see the following link.

https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app

In most cases we could select “Sites.ReadWrite.All”, which lets the app edit any SharePoint list in any site collection.

That may fit your requirements, but many administrators will see it as a security risk: they would be giving the app access to every SharePoint site in the tenant. So how do we address this? We request access to only one site collection.

We have to add the application permission "Sites.Selected" (Microsoft Graph > Application permissions) and then grant admin consent.

On its own this permission gives the app access to no site at all; access is added per site collection in the next step, and it only governs app-only (client credentials) access.

The next step is to configure access to a specific site collection. Azure does not have a GUI for this, so we use a PowerShell script.

First of all we need to install PnP.PowerShell.

Install-Module -Name "PnP.PowerShell"

See the following link for more information: https://pnp.github.io/powershell/articles/installation.html

Then run the following commands, replacing the bracketed values. Sign in as a user who is a site collection administrator of the target site; -Permissions accepts Read or Write (newer PnP.PowerShell versions also accept Manage and FullControl), and the grant applies only to the site passed in -Site.

Connect-PnPOnline -Url 'https://[tenant].sharepoint.com/sites/[site]' -Interactive
Grant-PnPAzureADAppSitePermission -AppId '[AppId]' -DisplayName '[Name]' -Site 'https://[tenant].sharepoint.com/sites/[site]' -Permissions Write


Once the cmdlet returns, the grant is in place.
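The same procedure as one complete script, with the grant read back afterwards so you can confirm exactly which app has which role on the site. This is an added example, not the script from the original post; the tenant, site, AppId and display name in angle brackets are placeholders you must replace.

```powershell
# Added example: grant an Entra app that holds the Sites.Selected permission
# Write access to a single site collection, then list the grants on that site.
# All values in angle brackets are assumptions to be replaced.
$TenantName = "<tenant>"
$SiteUrl    = "https://$TenantName.sharepoint.com/sites/<site>"
$AppId      = "<AppId>"   # Application (client) ID of the app registration
$AppName    = "<Name>"    # Display name stored alongside the grant

# Sign in as a user who is a site collection administrator of $SiteUrl.
# Recent PnP.PowerShell releases also require your own -ClientId for an app
# registered for PnP PowerShell; add it here if your version asks for it.
Connect-PnPOnline -Url $SiteUrl -Interactive

# Grant Write to this one site. Valid values: Read, Write
# (newer versions also accept Manage and FullControl).
Grant-PnPAzureADAppSitePermission -AppId $AppId `
                                  -DisplayName $AppName `
                                  -Site $SiteUrl `
                                  -Permissions Write

# Read the grants back: the app should appear with Roles = write and nothing else.
Get-PnPAzureADAppSitePermission -Site $SiteUrl |
    Format-List Id, Roles, Apps

# To remove the grant later, pass the Id shown above:
#   Revoke-PnPAzureADAppSitePermission -PermissionId '<Id>' -Site $SiteUrl
```

Keeping the Id from Get-PnPAzureADAppSitePermission makes the grant auditable and revocable per site, which is the whole point of Sites.Selected over Sites.ReadWrite.All.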

The next step is to validate that the permission was granted only for the specific site, "PlataMON".
I created a console app that uses the Microsoft Graph client library.

The query succeeds only for the site collection we configured; the same call against any other site is denied.
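The same check done from PowerShell with an app-only token, so it can be run without building a console app. This is an added example, not the author's console app; the tenant ID, client secret, hostname and the name of the ungranted site are placeholders (assumptions). The expected outcome is that the granted site "PlataMON" resolves and the other site returns HTTP 403.

```powershell
# Added example: prove that an app holding only Sites.Selected reaches the
# granted site and is refused everywhere else. Placeholders are assumptions.
$TenantId     = "<tenant-id>"
$ClientId     = "<AppId>"
$ClientSecret = "<client-secret>"
$Hostname     = "<tenant>.sharepoint.com"
$GrantedSite  = "PlataMON"         # granted via Grant-PnPAzureADAppSitePermission
$OtherSite    = "<another-site>"   # a site with no grant

# App-only token (client credentials). Sites.Selected only applies to app-only
# access; a delegated token would carry the signed-in user's own rights instead.
$token = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = "https://graph.microsoft.com/.default"
        grant_type    = "client_credentials"
    }
$headers = @{ Authorization = "Bearer $($token.access_token)" }

function Test-SiteAccess {
    param([string]$SiteName)
    # Path-based site addressing: /sites/{hostname}:/sites/{site-name}
    $uri = "https://graph.microsoft.com/v1.0/sites/${Hostname}:/sites/$SiteName"
    try {
        $site = Invoke-RestMethod -Uri $uri -Headers $headers
        "ALLOWED  $SiteName -> $($site.id)"
    } catch {
        # A site without a grant comes back as 403 accessDenied; that is the expected result.
        $status = [int]$_.Exception.Response.StatusCode
        "DENIED   $SiteName -> HTTP $status"
    }
}

Test-SiteAccess $GrantedSite
Test-SiteAccess $OtherSite

# The Write grant also covers the lists of the granted site:
$lists = Invoke-RestMethod -Headers $headers `
    -Uri "https://graph.microsoft.com/v1.0/sites/${Hostname}:/sites/${GrantedSite}:/lists"
$lists.value | Select-Object displayName
```

Run this once right after granting and keep the output: if "DENIED" ever turns into "ALLOWED" for the ungranted site, someone has widened the app's permissions (for example by consenting to Sites.ReadWrite.All), which is exactly what this setup is meant to prevent.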

Be productive. Be extraordinary. Be INAVANT.