
🔐 Managing SharePoint with an Azure App using Sites.Selected Permissions

Hi, I’m Nhật Trường, a DevOps Engineer who never deploys on Fridays, just write YAML, chat with AI, make things secure, automate what we can, debug what we must. Let's grab a cup of ☕ and explore technical stuff together 🚀

Use Cases

Why go through this setup at all? Here's where it makes sense:

  • You want to manage SharePoint without using personal credentials (aka ditch the annoying login prompts).

  • You need to upload, download, or tweak files in SharePoint from scripts or automated jobs.

  • You want to build automation workflows that don’t ask you to "Sign in with Microsoft" every five minutes.

🔍 "Manage" means Read, Write, and even changing permissions


How Azure Permissions Work

Before we dive in, let’s get our heads around two key types of Azure API permissions:

  • Delegated permissions: These require a signed-in user. Think "act on behalf of a user" — good for interactive apps.

  • Application permissions: These don’t need a user at all. Perfect for automation and backend stuff. Full freedom with the right consents.

The key player here? Sites.Selected permission. It’s available in both modes, but we’re going with Application permission because we’re all about that sweet non-interactive automation.


Prerequisites

Here’s what you need to follow along:

  • PowerShell with the PnP module

  • An Azure AD Application (we’ll set it up in a sec)

  • Admin consent for Graph API permissions

  • Access to the SharePoint site you wanna manage


Step-by-Step

1. Register a New Azure App

Go to Azure Portal → App registrations → New registration.


2. Add Permissions

  • Go to your app → API permissions → Add:

    • Sites.FullControl.All (used only temporarily)

    • Sites.Selected

🛑 Heads-up: You must request admin consent for these permissions. Granting site-specific access to an app via Sites.Selected requires the granting app to hold Sites.FullControl.All, which is why it is added temporarily here.


3. Create a Certificate

Use PowerShell to generate a cert:

New-PnPAzureCertificate -OutPfx pnp.pfx -OutCert pnp.cer -CommonName <tenant>.sharepoint.com

Now you’ve got pnp.pfx and pnp.cer.


4. Import Certificates

Browse to the folder, then import both files to Current User → just Next → Finish.


5. Upload Certificate to Azure

In the Azure Portal, go back to your app → Certificates & secrets → Certificates tab → Upload pnp.cer

💡 Save the Thumbprint — you'll need it soon.


6. Connect to SharePoint + Grant Permissions

Let’s put this all together in PowerShell:

$siteUrl = "https://<tenant>.sharepoint.com/sites/<site>"
$tenant = "<tenant>.sharepoint.com"
$clientId = "<Azure Application ID (clientId)>"
$certThumbprint = "<thumbprint saved in step 5>"

Connect-PnPOnline -Url:$siteUrl -ClientId:$clientId -Thumbprint:$certThumbprint -Tenant:$tenant
# Permissions can be Read, Write, Manage or FullControl: https://pnp.github.io/powershell/cmdlets/Grant-PnPAzureADAppSitePermission.html
Grant-PnPAzureADAppSitePermission -Site $siteUrl -AppId $clientId -DisplayName "SharePoint Permission" -Permissions "Write"

# Check
Get-PnPAzureADAppSitePermission -Site $siteUrl -AppIdentity $clientId

Now your app officially has access to that SharePoint site with Sites.Selected.


7. Clean Up

Once everything works, you can go back and remove Sites.FullControl.All permission. You don’t need it anymore — your app’s now living on like a pro.
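Here's an added example (my own, not part of the original walkthrough) that wraps step 6 in an idempotent, least-privilege helper and adds a check to run after step 7. The cmdlets are real PnP PowerShell cmdlets; the <...> values and the Id/Roles properties read from the grant objects are assumptions.

```powershell
# Constructed example: <...> values and the Id/Roles properties are assumptions.
$Config = @{
    SiteUrl        = "https://<tenant>.sharepoint.com/sites/<site>"
    Tenant         = "<tenant>.sharepoint.com"
    ClientId       = "<Azure Application ID (clientId)>"
    CertThumbprint = "<thumbprint saved in step 5>"
}

function Connect-AppToSite {
    param([hashtable]$C)
    Connect-PnPOnline -Url $C.SiteUrl -ClientId $C.ClientId -Thumbprint $C.CertThumbprint -Tenant $C.Tenant
}

# Step 6, idempotent: needs Sites.FullControl.All on the app while it runs.
# Grants the lowest role the job needs and downgrades any broader existing grant.
function Set-LeastPrivilegeSiteGrant {
    param(
        [hashtable]$C,
        [ValidateSet("Read","Write","Manage","FullControl")][string]$RequiredRole = "Write"
    )
    Connect-AppToSite $C
    $existing = @(Get-PnPAzureADAppSitePermission -Site $C.SiteUrl -AppIdentity $C.ClientId)
    if ($existing.Count -eq 0) {
        Write-Host "No grant for $($C.ClientId) on $($C.SiteUrl); granting '$RequiredRole'"
        Grant-PnPAzureADAppSitePermission -Site $C.SiteUrl -AppId $C.ClientId `
            -DisplayName "SharePoint Automation" -Permissions $RequiredRole
        return
    }
    foreach ($grant in $existing) {
        $roles = @($grant.Roles)
        if ($roles.Count -eq 1 -and $roles -contains $RequiredRole) {
            Write-Host "Grant $($grant.Id) already scoped to '$RequiredRole'"
        } else {
            Write-Host "Grant $($grant.Id) has [$($roles -join ',')]; resetting to '$RequiredRole'"
            Set-PnPAzureADAppSitePermission -Site $C.SiteUrl -PermissionId $grant.Id -Permissions $RequiredRole
        }
    }
}

# Run after step 7 (Sites.FullControl.All removed): the only thing left on the app
# is Sites.Selected, so a successful list read proves the site grant is sufficient.
function Test-SitesSelectedAccess {
    param([hashtable]$C)
    Connect-AppToSite $C
    $lists = Get-PnPList
    Write-Host "Read $($lists.Count) lists from $($C.SiteUrl) using only Sites.Selected"
    Disconnect-PnPOnline
}

Set-LeastPrivilegeSiteGrant -C $Config -RequiredRole "Write"
# Test-SitesSelectedAccess -C $Config   # uncomment and run after step 7
```

If Test-SitesSelectedAccess fails after step 7, the site grant was not applied to the same site or app, so re-run the first function before adding FullControl.All back.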


Final Thoughts

Using Sites.Selected with application permissions is low-key one of the best ways to build secure, automated SharePoint workflows — especially when you wanna keep things headless and passwordless.

You get fine-grained control, and you can automate all the boring stuff without needing to run it interactively. SysOps, Power Users, and Scripters — this one's for you.


Let me know if you want a follow-up post on automating uploads/downloads using this setup. Happy scripting! 🚀💻
