[BUG] Grant-PnPAzureADAppSitePermissions does not work for Non-Site Collection Admins

[danielcecil]

Reporting an Issue or Missing Feature

Issue when running the command as a SharePoint Administrator only without Site Collection Admin role. The Graph API command to add site permissions should allow this without Site Collection Admin (ref: https://learn.microsoft.com/en-us/graph/api/site-post-permissions?view=graph-rest-1.0&tabs=http)

However the PnP implementation looks up the SiteId from the Graph API which requires Site Collection Administrator role on the associated site
(ref: https://learn.microsoft.com/en-us/graph/api/site-get?view=graph-rest-1.0&tabs=http)

Affected line:

powershell/src/Commands/Apps/GrantAzureADAppSitePermission.cs

Line 40 in 495a2b3

siteId = Site.GetSiteIdThroughGraph(Connection, AccessToken);

Note that the above function returns the SiteId, which is also available from (Get-PnPTenantSite ...).SiteId which can be retrieved with the SharePoint Administrator role only.

Expected behavior

This command should be able to be run by users with the SharePoint Administrator role using Delegated permissions.

Actual behavior

VERBOSE: Cmdlet execution started for Grant-PnPAzureADAppSitePermission -Site "<SiteUrl>" -Connection $DevAdminConnection -Permissions Read -AppId "<AppId>" -DisplayName "PnP - Sites.Selected" -Verbose VERBOSE: Using Microsoft Graph to lookup the site Id of the passed in site using -Site

Grant-PnPAzureADAppSitePermission: {"error":{"code":"accessDenied","message":"Access denied","innerError":{"date":"2025-12-19T11:30:50","request-id":"<id>","client-request-id":"<id>"}}}

Steps to reproduce behavior

Run the command on a Site Collection where you are not a Site Collection Admin (e.g. another user's OneDrive site) but are a SharePoint Administrator role.

What is the version of the Cmdlet module you are running?

3.1.0

Which operating system/environment are you running PnP PowerShell on?

• Windows
• Linux
• MacOS
• Azure Cloud Shell
• Azure Functions
• Other : please specify

[reshmee011]

@danielcecil : Have you tested the command by supplying the site ID directly? Also, does it behave correctly when run as a site collection administrator? It won't do the additional call to get Site ID, hence curious.

[gautamdsheth]

hey @danielcecil , if you do $site = Get-PnPSite -Includes Id,Url , it returns a site object that you can use for that site.

Then it should be Grant-PnPEntraIDAppSitePermission -Site $site in the cmdlet.
It wont use the Graph endpoint to fetch Id.

[reshmee011]

The endpoint to grant the permissions requires SharePoint Administrator. See the note from the link https://learn.microsoft.com/en-us/graph/api/site-post-permissions?view=graph-rest-1.0&tabs=http
"Note: In delegated workflows, the user must have an administrator role, such as SharePoint Administrator or higher."

[danielcecil]

Hey folks, yeah I'm trying to do it without having Site Collection Administrator rights since the command that does the work requires SharePoint Admin according to Microsoft docs.

Running 'Get-PnPSite' requires the user to have rights on the site itself whereas 'Get-PnPTenantSite' also returns the SiteId

[reshmee011]

@danielcecil : After reviewing the code, I noticed that Grant-PnPAzureADAppSitePermissions relies exclusively on Graph endpoints, whereas Get-PnPTenantSite is based on CSOM. Mixing CSOM and Graph within the same code path isn’t ideal. I’d suggest trying the workaround that was recommended earlier to see if it resolves the issue.

[danielcecil]

Yeah I agree - the workaround doesn't fit my use-case. As a tenant administrator I want to grant Sites.Selected permissions to sites without granting my admin/user account access to organisational data.

I'll give it a go using a combo of Get-PnPTenantSite and Invoke-PnPGraphMethod

[reshmee011]

Thanks @danielcecil , Unless you find some Graph Endpoints which allow to get the Site ID as site administrator, we may further look into it. Hope the combo of Get-PnPTenantSite and Invoke-PnPGraphMethod works.

[danielcecil]

Thanks @reshmee011 . Looking at the code for this command it always gets the SiteId from Graph - if a valid object with the Id already defined is passed as a SitePipeBand object then the command should skip that step.

I'll look at testing a change and PR in the New Year 👍

[floojah]

I've been trying myself. Even if we provide the SiteId, it Fails, although with a different error:

VERBOSE: Cmdlet execution started for grant-PnPAzureADAppSitePermission -Site <SiteId> -Connection $DevAdminConnection -Permissions Read -AppId <AppId> -DisplayName "PnP - Sites.Selected" -Verbose VERBOSE: Using Microsoft Graph to lookup the site Id of the passed in site using -Site VERBOSE: Site passed in using -Site resolved to Id <SiteId>

I think Microsoft's documentation is incorrect. I suspect the Level of access required to grant access with Delegated Permissions is "Site Admin" not "SharePoint Administrator".

When I have Site Admin, this works fine.