SharePoint app only permissions

Just putting this in a post so I can refer to these myself rather than Google them each time :)

If you want to give access to SharePoint via an app registration there are two options:

  • Via an Azure AD app (the newer way)
  • Via a SharePoint app (the older way; still works, and is the only option for on-prem SharePoint)

For the SharePoint app way you can give permissions per site or for the whole tenant.

For the SharePoint app only option, just to confuse things you can create the App Registration via Azure AD (i.e. the Azure AD app way) or through SharePoint itself. I guess it’s not much of a confusion… if you have a system that works on-premises too, you obviously need a way of creating an app registration independent of Azure AD… enough with the snarkiness, Rakhesh. :)

To create an App Registration via SharePoint you go to the following Url: (replace contoso with your tenant). Here you can create the App Registration (example screenshot in this link). Then to scope the App Registration you go to either of these Urls below depending on whether you want it to be tenant level or for all sites:

  • (tenant level; e.g. from my dummy tenant

  • https://[your_site_url]/_layouts/15/appinv.aspx (site level; example from my dummy tenant & site


So far so good? To recap: 1) Create an app registration (via Azure AD or SharePoint Admin), 2) give it tenant level permissions either via the Azure AD portal or SharePoint Admin portal… or site specific permissions via the SharePoint site portal.

Now, all of the above only works if your app is using the SharePoint API. If you want to use Graph APIs to access SharePoint it’s different. In this case you create an App Registration using Azure AD (no option via SharePoint Admin; this is cloud only after all so stick with Azure AD) and you give it API permissions from the Graph API but choose Sites.Selected. (See this blog post on what to do).

To assign permissions to the selected sites you can either use Graph API calls like in that blog post or use PnP.PowerShell. All it takes is one cmdlet call with this module:

Of course $appId and $appName refers to the client ID and name of the App Registration in Azure AD. And $siteUrl is the site you want to limit to. In the above case I give Read permissions but you can also do Write.

Use the PnP.PowerShell cmdlet if possible; the alternative via Graph API is painful as you have to get the site’s Graph API reference and construct the JSON etc. Nothing wrong with it, just that it’s a bunch more cmdlets… I am lazy to even copy-paste them here. :)

So that’s it. Now I can close a bunch of tabs in my browser and remove some temporary bookmarks.

Updates: Came across these blog posts. Good stuff. At least they make an effort to explain, unlike me…