Granting access via Entra ID Application Permissions does not provide least privilege guidelines

[mundayn]

What type of issue is this?

Documentation issue / typo

What SharePoint development model, framework, SDK or API is this about?

💥 SharePoint Framework

Target SharePoint environment

SharePoint Online

What browser(s) / client(s) have you tested

• 💥 Internet Explorer
• 💥 Microsoft Edge
• 💥 Google Chrome
• 💥 FireFox
• 💥 Safari
• mobile (iOS/iPadOS)
• mobile (Android)
• not applicable
• other (enter in the "Additional environment details" area below)

Additional environment details

• browser version
• SPFx version
• Node.js version
• etc

Issue description

Page: https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread

Hi team,

This page does not provide any guidance for using Sites.Selected, only full tenant wide access, which is not following best security practices.

It would benefit the community to provide a zero trust, least privilege method of providing access using Sites.Selected.

Thank you,

[Ashlesha-MSFT]

Hello @mundayn,
Thank you for bringing this issue to our attention. We will look into it and get back to you shortly.
If you don’t receive a reply within two working days, please use this escalation form to escalate.

[Ashlesha-MSFT]

@mundayn,
We understand your concern regarding the use of tenant-wide permissions and the lack of guidance around using Sites.Selected for least-privilege access.

I will connect with the engineering team to get more clarity on the supported permission model and to understand whether updates or additional guidance can be provided for this scenario. I’ll follow up with you once I have more information.

Thanks again for bringing this to our attention.

[jansenbe]

@mundayn : here's the docs on sites.selected and additional scopes that provide even more granular access at library/list or file/listitem level. https://learn.microsoft.com/en-us/graph/permissions-selected-overview?tabs=http

[mundayn]

Thanks @jansenbe - I am aware of this document and it is not referenced here, which is the main page for permissions for SPO, but, it is also not very intuitive for the normal Entra admin, using Graph and posting endpoints is most M365 admins nightmare.

So two things in my opinion;

1. Update this page to advise why using broad permissions is not recommended, and advise to use Sites.Selected when possible.
2. Update the PowerShell scripts to provide a way to use Sites.Selected
   -- I assume it may be as easy as just updating "-SharePointApplicationPermissions "Sites.Selected" `"
   -- Then running:
   Grant-PnPAzureADAppSitePermission -AppId $clientId -DisplayName $DisplayName -Permissions $Permission -Site $SiteURL

Recommended text:

Avoid Overly Broad Permissions:
When granting SharePoint permissions to an Entra ID application, do not use Sites.FullControl.All unless absolutely necessary. This permission gives the app full control over all site collections in your tenant, which significantly increases security risk and violates the principle of least privilege.

Recommended Approach:
Use Sites.Selected wherever possible. This permission allows you to grant access only to specific site collections, reducing exposure and improving compliance with security best practices. After assigning Sites.Selected, you can explicitly grant access to individual sites using Microsoft Graph or PowerShell.
Benefits of Sites.Selected:

Limits scope to only the sites the app needs.
Reduces risk of accidental or malicious changes across all sites.
Aligns with Zero Trust and least-privilege principles.