This directory contains PowerShell scripts and batch file wrappers for managing SharePoint site permissions for applications via Microsoft Graph API.
Microsoft Graph API only supports SITE-LEVEL permissions for applications.
- Permissions granted apply to ALL libraries in the SharePoint site
- There is no library-specific permission granularity for applications
- Library access control must be implemented in your application logic
| Script | Purpose |
|---|---|
| grant-library-access.ps1 | Grant site-level permissions to an application |
| grant-access.bat | Batch wrapper for grant script |
| check-library-access.ps1 | Check existing site permissions |
| check-access.bat | Batch wrapper for check script |
| revoke-site-access.ps1 | Revoke (delete) site permissions for an application |
| revoke-access.bat | Batch wrapper for revoke script |
- Go to Azure Portal
- Sign in with your organizational account
- Search for "Azure Active Directory" or "Microsoft Entra ID"
- Click "App registrations" in the left menu
- Click "+ New registration"
- Fill in the application details:
  - Name: your preferred name
  - Supported account types: Select "Accounts in this organizational directory only (Single tenant)"
  - Redirect URI: Leave blank (not needed for service-to-service)
- Click "Register"
After registration, you'll see the Overview page. SAVE THESE VALUES:
Application (client) ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Directory (tenant) ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
📝 You'll need these for Step 4 (Running Scripts)
Add Application Permissions (for service-to-service scenarios):
- In your app registration, click "API permissions" in the left menu
- Click "+ Add a permission"
- Select "Microsoft Graph"
- Select "Application permissions"
- Search and add these permissions:
  - Sites.Selected - Access selected site collections (⭐ Recommended for granular control)
Add Delegated Permissions (for user-context scenarios):
- Click "+ Add a permission" again
- Select "Microsoft Graph"
- Select "Delegated permissions"
- Search and add these permissions:
  - email - View users' email address
  - offline_access - Maintain access to data you have given it access to
  - openid - Sign users in
  - profile - View users' basic profile
- Click "Add permissions"
- Click "✓ Grant admin consent for [Your Organization]"
- Click "Yes" to confirm
- Verify all permissions show "✓ Granted for [Your Organization]" with a green checkmark
Expected permissions table:
| Permission | Type | Admin Consent Required | Status |
|---|---|---|---|
| email | Delegated | No | ✓ Granted for [Your Org] |
| offline_access | Delegated | No | ✓ Granted for [Your Org] |
| openid | Delegated | No | ✓ Granted for [Your Org] |
| profile | Delegated | No | ✓ Granted for [Your Org] |
| Sites.Selected | Application | Yes | ✓ Granted for [Your Org] |
- In your app registration, click "Certificates & secrets" in the left menu
- Click "+ New client secret"
- Add description: SharePoint Access Secret
- Set expiration:
  - Recommended: 180 days or 1 year (more secure)
  - Development: 24 months (for long-term dev environments)
- Click "Add"
After creation, you'll see:
| Description | Secret ID | Value | Expires |
|---|---|---|---|
| SharePoint Access Secret | xyz123... | abc~xyz789... | MM/DD/YYYY |
SAVE THIS IMMEDIATELY:
Client Secret Value: abc~xyz789...
📝 This value is shown ONLY ONCE. Store it securely (e.g., Azure Key Vault, password manager).
You now have all the required information:
| Setting | Where to Find | Example Value |
|---|---|---|
| Tenant ID | App Overview page → Directory (tenant) ID | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
| App ID | App Overview page → Application (client) ID | yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy |
| Client Secret | Certificates & secrets → Value (copied in Step 3) | abc~xyz789... |
| Site URL | Your SharePoint site URL | https://contoso.sharepoint.com/sites/demo |
- Go to your SharePoint site in a browser
- Copy the URL from the address bar
- Use only the base site URL (without document library paths)
Examples:
- ✅ Correct: https://contoso.sharepoint.com/sites/demo
- ❌ Wrong: https://contoso.sharepoint.com/sites/demo/Shared%20Documents
- ❌ Wrong: https://contoso.sharepoint.com/sites/demo/
Create a .env file from the sample file and update the settings.

The scripts will auto-install if needed, but you can install manually:

```powershell
Install-Module Microsoft.Graph.Authentication -Scope CurrentUser -Force
Install-Module Microsoft.Graph.Sites -Scope CurrentUser -Force
```

Your Azure AD user account needs one of these roles to run the scripts:
- Global Administrator
- SharePoint Administrator
- Site Collection Administrator (for the specific site)
To check your roles:
- Azure Portal → Azure Active Directory
- Users → [Your User] → Assigned roles
Create the .bat files from the sample files and update the variables.

Grant Permission:

```
cd scripts
grant-access.bat
```

Check Permissions:

```
check-access.bat
```

Revoke Permission:

```
revoke-access.bat
```

```powershell
cd scripts
.\grant-library-access.ps1 `
    -TenantId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" `
    -SiteUrl "https://contoso.sharepoint.com/sites/demo" `
    -AppId "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy" `
    -Permission "write"
```

Parameters:
- TenantId (required) - From Step 4: Directory (tenant) ID
- SiteUrl (required) - From Step 4: SharePoint site URL
- AppId (required) - From Step 4: Application (client) ID
- Permission (optional) - read or write (default: write)
```powershell
.\check-library-access.ps1 `
    -TenantId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" `
    -SiteUrl "https://contoso.sharepoint.com/sites/demo" `
    -AppId "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy"
```

Expected Output:

```
Site Permissions Found: 1
Permission ID: aTowaS50...
Roles: write
App ID: yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy
App Name: SharePoint Automation App
*** MATCH: This is your specified app! ***
```
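As an added illustration of what the check script does (example code written for this README, not one of the repository's scripts), the following PowerShell resolves the site URL to a Graph site ID, lists the site's application permissions and reports whether the given app holds one and with which roles. It assumes Microsoft.Graph.Authentication and Microsoft.Graph.Sites are installed; requesting the Sites.FullControl.All delegated scope for the signed-in user is an assumption about what reading site permissions requires.

```powershell
# Added example: audit which application permissions exist on a SharePoint site
# and whether a specific app registration is among them.
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $SiteUrl,
    [Parameter(Mandatory)] [string] $AppId
)

# Turn https://contoso.sharepoint.com/sites/demo into the Graph site identifier
# "contoso.sharepoint.com:/sites/demo". A trailing slash is stripped; a library
# path (e.g. /Shared%20Documents) would point at the wrong resource, as the README warns.
function ConvertTo-GraphSiteId([string] $Url) {
    $u = [Uri] ($Url.TrimEnd('/'))
    return "$($u.Host):$($u.AbsolutePath)"
}

# Interactive sign-in as the administrator running the audit (scope is an assumption).
Connect-MgGraph -TenantId $TenantId -Scopes 'Sites.FullControl.All' -NoWelcome

$site  = Get-MgSite -SiteId (ConvertTo-GraphSiteId $SiteUrl)
$perms = Get-MgSitePermission -SiteId $site.Id -All

Write-Host "Site Permissions Found: $($perms.Count)"
$match = $null
foreach ($p in $perms) {
    # Each permission may be granted to several identities; only application
    # identities matter here, since this README is about app access.
    foreach ($g in $p.GrantedToIdentitiesV2) {
        $app = $g.Application
        if (-not $app) { continue }
        Write-Host "Permission ID: $($p.Id)  Roles: $($p.Roles -join ',')  App: $($app.DisplayName) ($($app.Id))"
        if ($app.Id -eq $AppId) { $match = $p }
    }
}

if ($match) {
    Write-Host "*** MATCH: $AppId holds roles [$($match.Roles -join ',')] on this site ***"
    # Least-privilege check: because the grant covers every library in the site,
    # flag a write grant so the operator can confirm read is not sufficient.
    if ($match.Roles -contains 'write') {
        Write-Warning "App has write on the whole site; confirm that read is not sufficient."
    }
} else {
    Write-Host "No permission found for $AppId on this site."
}
```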
```powershell
.\revoke-site-access.ps1 `
    -TenantId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" `
    -SiteUrl "https://contoso.sharepoint.com/sites/demo" `
    -AppId "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy"
```

Never store: Client Secret (this IS a secret - use Key Vault or .env files in .gitignore)