Granting permissions to subset of site collections using Sites.Selected permissions

[remar27]

What type of issue is this?

Question

What SharePoint development model, framework, SDK or API is this about?

SharePoint CSOM

Target SharePoint environment

SharePoint Online

What browser(s) / client(s) have you tested

• 💥 Internet Explorer
• 💥 Microsoft Edge
• 💥 Google Chrome
• 💥 FireFox
• 💥 Safari
• mobile (iOS/iPadOS)
• mobile (Android)
• not applicable
• other (enter in the "Additional environment details" area below)

Additional environment details

• browser version
• SPFx version
• Node.js version
• etc

Issue description

Hello,

As recently announced, SharePoint Add-Ins will soon be retired, and starting from November 2024, new tenants will no longer be able to use SharePoint Add-Ins, regardless of their origin (public marketplace or private tenant catalog).

Our company has developed numerous provider-hosted SharePoint Add-Ins deployed across various organizations. We are currently exploring options to migrate these solutions to the Web App type registered in Azure Entra. The provider-hosted SharePoint Add-Ins currently utilize CSOM, making the migration path easiest through SharePoint API permissions. The required permissions are limited to accessing SharePoint data (such as AllSites.FullControl, AllSites.Manage, AllSites.Read...) and application permissions (Sites.FullControl.All, Sites.ManageAll, Sites.ReadAll, Sites.Selected).

However, permissions like AllSites.Read or Sites.ReadAll grant access to sensitive data that cannot be provided to our apps. Therefore, permissions like Sites.Selected would ideally suit our needs. Unfortunately, while attempting to use these permissions, we have found it challenging to control which sites are permitted access and to manage these permissions via the UI or admin center. The web app permission consent screen suggests configuration possibilities within SharePoint Online, but I believe this information is incorrect.

Could anyone confirm if there are current possibilities or future plans to implement UI-based management of SharePoint permissions for the Web App by admins? I'm aware of alternatives like the MS Graph API or PowerShell for granting and managing permissions. However, these methods might be cumbersome and won't allow for easy adoption of the web app without detailed instructions for admins on configuring SP permissions.

Thank you,
Martin

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.

[remar27]

After further research, I discovered that you can assign permissions to the app for a particular site using the MS Graph API, but your app must have Sites.FullControl.All permissions (https://learn.microsoft.com/en-us/graph/api/site-post-permissions?view=graph-rest-1.0&tabs=http). This requirement seems like too much overhead. Additionally, while you can develop a second web app for permission management that utilizes MS Graph and Sites.FullControl.All permissions, this approach seems absurd.

[LuwkasLima]

Great description @remar27.

I've recently got to a similar issue where I need to grant "Sites.FullControl.All" to my Generative AI platform Application ID in order to pull site group permissions when executing indexing of SharePoint sites. Our Cyber Security and Sharepoint teams did not like it for obvious reasons, and we had to escalate it internally to Microsoft.

Long story short, the only solution we found was to centralize the control of the Application ID to a specific team in our organization and construct an API wrapper around it to constraint our platform's actions to the SharePoint site through Graph API.

@nick-pape have we got any progress on this topic you could share with us or a suggestion for workaround? Thank you!

[Ashlesha-MSFT]

@remar27,
The Sites.Selected permission works as designed, but there's currently no UI support to manage it easily in the SharePoint or Microsoft 365 Admin Center. Admins are forced to use Graph API or PowerShell, which requires over-privileged permissions just to assign limited access — this creates unnecessary complexity and security concerns.
This is not a bug but a feature request.
You can officially submit a feature request here: https://feedbackportal.microsoft.com/feedback/forum/06735c62-321c-ec11-b6e7-0022481f8472