The process of building custom applications and tools that interact with Microsoft SharePoint, including SharePoint Online in Microsoft 365.
Use a Sites.Selected permission model and grant the PowerShell app access only to the specific site.
High-level steps:
- Register or identify the Microsoft Entra application used by the PowerShell script.
- Assign it only Sites.Selected (not Sites.Read.All or Sites.FullControl.All) in Microsoft Graph / SharePoint.
- Grant site-level permissions for just the target site using PnP PowerShell.
PnP PowerShell supports resource-specific consent (RSC) for SharePoint Online, so the site-level grant is done in two steps:
- Connect to the target site with PnP PowerShell (using an admin account):
  Connect-PnPOnline -Url https://contoso.sharepoint.com/sites/TargetSite -Interactive
- Grant the Entra app permissions only on that site (PowerShell uses the backtick, not a backslash, to continue a command across lines):
  Grant-PnPAzureADAppSitePermission `
      -AppId {client-id} `
      -DisplayName "PowerShell App" `
      -Permissions Write `
      -Site (Get-PnPSite)
- {client-id} is the Entra app's client ID used by the PowerShell script.
- -Permissions can be Read, Write, Manage, or FullControl depending on what the script needs.
This grants the app access only to that specific site collection. Because the app has only Sites.Selected at the tenant level, it cannot access any other sites unless similar site-level permissions are granted elsewhere.
When running the PowerShell script, authenticate using that Entra app (for example via certificate-based auth with PnP PowerShell or Microsoft Graph SDK). The script will then be limited to the designated site.
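Because Sites.Selected only works as a least-privilege control if the per-site grants stay tidy, the script below (an added example, not from the original post) audits every app grant on a site against an allow-list and flags unknown apps or permissions above what was approved. It assumes PnP PowerShell is installed, that the caller is a site collection admin, that Get-PnPAzureADAppSitePermission returns objects with Id, Roles and Apps (Id, DisplayName) properties, and the client ID and allow-list are constructed placeholders.

```powershell
# Added example (not from the original post): audit which Entra apps hold
# Sites.Selected grants on a site and flag anything outside an allow-list.
# Assumes PnP PowerShell is installed and the caller is a site collection admin.
# The client ID and allow-list below are constructed placeholders.
param(
    [string]$SiteUrl = "https://contoso.sharepoint.com/sites/TargetSite",
    [hashtable]$AllowedApps = @{
        # client-id placeholder -> highest permission that app is expected to hold
        "00000000-0000-0000-0000-000000000000" = "Write"
    }
)

# Order the RSC permission levels so "granted" can be compared against "expected".
$Rank = @{ Read = 1; Write = 2; Manage = 3; FullControl = 4 }

Connect-PnPOnline -Url $SiteUrl -Interactive

# Every grant returned here was created for this site collection only, e.g. via
# Grant-PnPAzureADAppSitePermission. Assumed object shape (see lead-in):
# .Id (permission id), .Roles (string[]), .Apps[] with .Id and .DisplayName
$Grants = Get-PnPAzureADAppSitePermission

$Findings = foreach ($Grant in $Grants) {
    foreach ($App in $Grant.Apps) {
        foreach ($Role in $Grant.Roles) {
            $Expected = $AllowedApps[$App.Id]
            $Status = if (-not $Expected) { "UNEXPECTED_APP" }
                      elseif ($Rank[$Role] -gt $Rank[$Expected]) { "OVER_PRIVILEGED" }
                      else { "OK" }
            [pscustomobject]@{
                PermissionId = $Grant.Id
                AppId        = $App.Id
                DisplayName  = $App.DisplayName
                Granted      = $Role
                Expected     = if ($Expected) { $Expected } else { "-" }
                Status       = $Status
            }
        }
    }
}

$Findings | Sort-Object Status, DisplayName | Format-Table -AutoSize

# Any row that is not OK is a candidate for
#   Revoke-PnPAzureADAppSitePermission -PermissionId <PermissionId>
# once the site owner confirms; report first rather than revoking automatically.
```

Run it per site collection where Sites.Selected grants exist; an app that should be confined to one site will not appear in the output for any other site.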