
Vendor app needs read/write permission to all of our ShP sites

reza admin 140 Reputation points
2026-05-23T23:47:24.8166667+00:00

Hello

Our vendor needs access to one of our specific ShP sites, whose URL I have provided to them.

However, the message that I need to approve to give access is showing "all site collections" (see below):

[screenshot omitted]

Our vendor is saying that this is a standard message and there is no way around it.

Any help would be appreciated

Thanks


2 answers

  1. Sophie N 15,040 Reputation points Microsoft External Staff Moderator
    2026-05-24T01:25:02.2333333+00:00

    Dear @reza admin,

    The vendor is technically correct regarding this specific Entra ID (Azure AD) application consent screen, but there is a modern, secure way around it to restrict their access to only a single SharePoint site.

    The "SharePoint Backups Connector" app is requesting the AllSites.Write Graph API permission. When using this specific application-level permission, Microsoft's default consent prompt warns that it applies to "all site collections." If you click Accept, the vendor will indeed gain read/write access to your entire SharePoint tenant.

    Instead of granting tenant-wide access, you can restrict the vendor's app to a single specific site collection using Microsoft's Sites.Selected application permission.

    Here is how you can implement this secure workaround:

    1. Ask the vendor to change the requested permission: Have the vendor update their app registration to request the Sites.Selected permission instead of AllSites.Write (or Sites.FullControl.All). [screenshot omitted] For detailed step-by-step instructions and technical validation, you can refer to the official Microsoft guide: Controlling insights and app access to SharePoint sites via Sites.Selected.
    2. Grant consent for the app: Once they update it, you can safely accept the prompt, as the app will initially have access to zero sites.
    3. Assign permissions to the specific site: Use SharePoint Online PowerShell to grant the vendor's application explicit access only to the single required site URL.

    Run the following PowerShell command as a SharePoint Administrator:

    # Connect to the target site with PnP PowerShell (Grant-PnPAzureADAppSitePermission is a PnP cmdlet,
    # so Connect-PnPOnline is needed here rather than Connect-SPOService from the SPO Management Shell)
    Connect-PnPOnline -Url "https://yourtenant.sharepoint.com/sites/VendorSite" -Interactive -ClientId "<your-pnp-app-client-id>"
    # Grant Write access to the vendor's app (its client/application ID from the consent prompt) on this one site only;
    # -Permissions accepts Read, Write, Manage or FullControl
    Grant-PnPAzureADAppSitePermission -AppId "<vendor-app-client-id>" -DisplayName "SharePoint Backups Connector" -Permissions Write -Site "https://yourtenant.sharepoint.com/sites/VendorSite"
    

    Please refer to this document: Understanding Resource Specific Consent for Microsoft Graph and SharePoint Online | Microsoft Learn

    Please understand that I don't have a testing environment for this vendor, so I can only provide Microsoft's code and documentation for reference. Please test it directly in your own environment.

    I hope this helps you make an informed decision. Please let me know if you have further questions.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".   

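The three steps above (vendor switches to Sites.Selected, tenant admin consents, admin grants one site) are only safe if the admin also verifies the outcome: that the consented service principal holds Sites.Selected and nothing tenant-wide, and that the per-site grant landed on the intended site and no other. The script below is an added example written for this thread; it is not code from the answer above, from the vendor, or from Microsoft. It assumes the PnP.PowerShell and Microsoft.Graph.Applications modules, a SharePoint/Global Administrator account, and placeholder values for the vendor's application ID, the target site, a few comparison sites, and your own Entra app registration ID (current PnP.PowerShell versions require -ClientId with Connect-PnPOnline -Interactive); replace every placeholder before running.

```powershell
# Added example (not from the thread, the vendor, or Microsoft): grant a Sites.Selected app
# access to exactly one site, then verify the grant really is limited to that site.
# Every URL and GUID below is a placeholder to replace.
#Requires -Modules PnP.PowerShell, Microsoft.Graph.Applications

$VendorAppId = "00000000-0000-0000-0000-000000000000"   # vendor app's client (application) ID, shown on the consent prompt
$VendorName  = "SharePoint Backups Connector"             # display name recorded on the site permission
$TargetSite  = "https://yourtenant.sharepoint.com/sites/VendorSite"
$OtherSites  = @(                                         # sites the vendor must NOT be able to reach (sample list)
    "https://yourtenant.sharepoint.com/sites/Finance",
    "https://yourtenant.sharepoint.com/sites/HR"
)
$PnPClientId = "11111111-1111-1111-1111-111111111111"   # your own Entra app registration used by Connect-PnPOnline -Interactive
$GraphAppId  = "00000003-0000-0000-c000-000000000000"   # well-known appId of the Microsoft Graph service principal

# 1. After consent: list which Microsoft Graph application permissions the vendor's
#    service principal actually holds in this tenant (app role assignments -> role names).
function Get-GrantedGraphAppRoles {
    param([string]$AppId)
    Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome
    $graphSp  = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
    $vendorSp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    if (-not $vendorSp) { throw "No service principal for $AppId in this tenant; consent has not been granted yet." }
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $vendorSp.Id |
        Where-Object { $_.ResourceId -eq $graphSp.Id } |
        ForEach-Object { $roleId = $_.AppRoleId; ($graphSp.AppRoles | Where-Object Id -eq $roleId).Value }
}

$roles = @(Get-GrantedGraphAppRoles -AppId $VendorAppId)
$broad = $roles | Where-Object { $_ -like "Sites.*.All" }
if ($broad) {
    throw "Vendor app still holds tenant-wide SharePoint permission(s): $($broad -join ', '). Revoke them before granting any site."
}
if ($roles -notcontains "Sites.Selected") {
    throw "Vendor app does not hold Sites.Selected, so per-site grants are not possible. Granted roles: $($roles -join ', ')"
}

# 2. Grant Write on the single target site (Grant-PnPAzureADAppSitePermission is a PnP cmdlet,
#    so the connection must come from Connect-PnPOnline, not Connect-SPOService).
Connect-PnPOnline -Url $TargetSite -Interactive -ClientId $PnPClientId
$grant = Grant-PnPAzureADAppSitePermission -AppId $VendorAppId -DisplayName $VendorName -Permissions Write -Site $TargetSite
"Granted {0} on {1} (permission id {2})" -f ($grant.Roles -join ','), $TargetSite, $grant.Id

# 3. Verify: the app must be listed on the target site and on none of the comparison sites.
function Test-AppOnSite {
    param([string]$SiteUrl, [string]$AppId)
    $perms = Get-PnPAzureADAppSitePermission -Site $SiteUrl -ErrorAction Stop
    [bool]($perms | Where-Object { $_.Apps.Id -contains $AppId })
}
if (-not (Test-AppOnSite -SiteUrl $TargetSite -AppId $VendorAppId)) { throw "Grant on $TargetSite is not visible." }
foreach ($site in $OtherSites) {
    if (Test-AppOnSite -SiteUrl $site -AppId $VendorAppId) { Write-Warning "Vendor app unexpectedly has access to $site" }
}
Disconnect-PnPOnline
```

The first check matters because Sites.Selected only limits what the app can reach if it is the app's sole SharePoint permission; an app that was consented with Sites.ReadWrite.All and later also given Sites.Selected still has tenant-wide access. The last loop is a spot check over a handful of sites; for a full audit, feed it every site URL from Get-PnPTenantSite instead of a hand-written list.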


  2. AI answer

    2026-05-23T23:47:39.88+00:00

    The consent dialog is accurate: the app is requesting a permission scope that applies to all site collections, not just the single SharePoint site that was shared with the vendor.

    From the permissions reference:

    • Sites.Read.All / Sites.ReadWrite.All / Sites.Manage.All / Sites.FullControl.All are tenant‑wide scopes. They allow the app to read, write, manage, or have full control of all site collections in the tenant, either as delegated or application permissions.
    • These permissions are designed to give broad access and explicitly state “in all site collections.”

    Because of that:

    1. Approving this request will grant the vendor’s app the ability to edit or delete items across all SharePoint site collections, not just the one URL provided.
    2. There is no way to technically constrain a consented Sites.*.All permission to a single site collection; the scope is global by design.
    3. If only one site should be accessible, the vendor must instead use a model that supports resource-specific consent (RSC) or site‑scoped permissions, where permissions are granted per site rather than via Sites.*.All.

    If the vendor insists this is “standard” and cannot be changed, that means their current app design relies on tenant‑wide SharePoint permissions. In that case, the decision is purely risk/governance: either accept that level of access or require them to redesign to use site‑scoped permissions.


