Programmatic access to a SharePoint Online site

Last updated: November 16, 2023
Audience: IT Staff / Technical

You may have a valid business need to access a single SharePoint Online site via code. That sort of access can only be accomplished using OAuth. Microsoft provides several solutions for this via Microsoft Graph. However, depending on the approach, those solutions may require broad and risky permissions: getting admin consent for OAuth permission scopes which, depending on the permission, may give your identity access to *all* SharePoint Online resources. This is generally not acceptable: it is too risky to allow any account access to all UW SharePoint Online data. In other words, any solution that requires Sites.FullControl.All is a non-starter. Microsoft has recognized this problem and provided several solutions to limit the effective scope.

Solution 1: SharePoint App-only permissions

Follow the steps described at https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs. This includes creating an Entra ID application & granting the permissions to that application.

This solution can be implemented by a site collection admin without any involvement from UW-IT required.

Solution 2: OAuth application permissions with the Sites.Selected OAuth scope

  1. Get an Entra ID application identity created. Entra ID application creation & configuration is mostly a self-service activity. We’ve created documentation about the many related activities at: https://itconnect.uw.edu/wares/msinf/aad/apps/integration/.
  2. Configure your code to use that Entra ID app identity with the OAuth client credential grant flow: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
  3. That Entra ID app will need to be configured to use the MS Graph API with Sites.Selected permission scope. The permission scope will need to be configured to be OAuth application permissions (not delegated permissions): https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#permission-types
  4. Open a risky Entra ID application admin consent request: https://itconnect.uw.edu/wares/msinf/aad/apps/risky-aad-app-perms/
    1. In that request ask for admin consent for the Sites.Selected OAuth permission scope. You can reference https://devblogs.microsoft.com/microsoft365dev/controlling-app-access-on-specific-sharepoint-site-collections/ as justification because “Sites.Selected. Choosing this permission for your application instead of one of the other permissions will, by default, result in your application not having access to any SharePoint site collections.”
  5. The Site Collection Administrator(s) will need to grant the application permissions. This can be accomplished in either of two ways:
    1. Make MS Graph call of “POST https://graph.microsoft.com/v1.0/sites/{siteId}/permissions” where {siteId} is your site’s identifier, as described at https://devblogs.microsoft.com/microsoft365dev/controlling-app-access-on-specific-sharepoint-site-collections/. Note that using the MS Graph Explorer may be the easiest way to accomplish this.
    2. Productivity Platform Recharge Request: https://itconnect.uw.edu/connect/productivity-platforms/pplat-recharge-services/
      1. In that request ask them to run:
        1. Grant-PnPAzureADAppSitePermission -AppId 'AzureAppIdwithSitesdotselectedpermission' -DisplayName 'App Name here' -Site 'https://tenantname.sharepoint.com/sites/sitename' -Permissions Write
        2. Documentation for this cmdlet is here: https://github.com/pnp/powershell/blob/dev/documentation/Grant-PnPAzureADAppSitePermission.md and as noted, it requires permissions that the Site Collection Administrator does not have, but that the PPlat team can grant upon request from the Site Collection Admin. Write permissions are noted above, but Read permissions are possible instead.
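
The following is an added example, not code from UW-IT or Microsoft. It builds the step 2 token request and the step 5.1 site grant request, and checks that an app-only token's roles claim carries Sites.Selected without any tenant-wide Sites permission. Assumptions: the app authenticates with a client secret, the function names are hypothetical, and the sample token is constructed and unsigned so the check runs offline.

```python
import base64
import json

GRAPH = "https://graph.microsoft.com/v1.0"
# Tenant-wide Graph application permissions that Sites.Selected is meant to replace.
BROAD_ROLES = {"Sites.Read.All", "Sites.ReadWrite.All", "Sites.Manage.All", "Sites.FullControl.All"}

def token_request(tenant_id, client_id, client_secret):
    """Step 2: URL and form fields for the client credential grant (app-only token)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": "https://graph.microsoft.com/.default"}
    return url, form

def app_roles(access_token):
    """Read the 'roles' claim of a JWT access token. Inspection only, no signature check."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))

def check_least_privilege(access_token):
    """Return (ok, broad): ok only if Sites.Selected is present and no tenant-wide Sites role is."""
    roles = app_roles(access_token)
    broad = sorted(roles & BROAD_ROLES)
    return ("Sites.Selected" in roles and not broad), broad

def site_grant_request(site_id, app_id, display_name, role="read"):
    """Step 5.1: URL and JSON body that grant one application access to one site."""
    if role not in ("read", "write"):
        raise ValueError("role must be 'read' or 'write'")
    body = {"roles": [role],
            "grantedToIdentities": [{"application": {"id": app_id, "displayName": display_name}}]}
    return f"{GRAPH}/sites/{site_id}/permissions", body

def sample_token(claims):
    """Constructed, unsigned token so the check runs offline. Not a real Entra ID token."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"

if __name__ == "__main__":
    print(check_least_privilege(sample_token({"roles": ["Sites.Selected"]})))
    print(check_least_privilege(sample_token({"roles": ["Sites.Selected", "Sites.FullControl.All"]})))
    url, body = site_grant_request("{siteId}", "AzureAppIdwithSitesdotselectedpermission", "App Name here")
    print("POST", url, json.dumps(body))
```

Running check_least_privilege against the token your application actually receives, before the site grant in step 5, confirms that admin consent was given for Sites.Selected only.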

SharePoint Designer 2013 login issues in a cloud scenario

Microsoft SharePoint Designer 2013 can be used to create workflows, change the design of classic pages, and do much more. When you use SharePoint Designer 2013 with Microsoft 365 SharePoint Online, you may run into login issues. To avoid them, make sure that SharePoint Designer 2013 and Office are up to date by using Windows Update:

https://docs.microsoft.com/en-us/sharepoint/troubleshoot/sharing-and-permissions/login-issues-in-a-cloud-scenario

Additional resources

Watch a YouTube video on using PNP to connect to SharePoint Online