[BUG] Grant-PnPAzureADAppSitePermission not respecting delegated AllSites.FullControl Graph permissions

[brandus22]

Notice

Many bugs reported are actually related to the PnP Framework which is used behind the scenes. Consider carefully where to report an issue:

1. Are you using Invoke-PnPSiteTemplate or Get-PnPSiteTemplate? The issue is most likely related to the Provisioning Engine. The Provisioning engine is not located in the PowerShell repo. Please report the issue here: https://github.com/pnp/pnpframework/issues.
2. Is the issue related to the cmdlet itself, its parameters, the syntax, or do you suspect it is the code of the cmdlet that is causing the issue? Then please continue reporting the issue in this repo.
3. If you think that the functionality might be related to the underlying libraries that the cmdlet is calling (We realize that might be difficult to determine), please first double check the code of the cmdlet, which can be found here: https://github.com/pnp/powershell/tree/master/src/Commands. If related to the cmdlet, continue reporting the issue here, otherwise report the issue at https://github.com/pnp/pnpframework/issues

Reporting an Issue or Missing Feature

When attempting to assign Sites.Selected permissions to a site using PnP and the new app registration, it throws an unauthorized error. If I run the command while elevated with App Admin role, it wants to update the app registration with Sites.FullControl.All, instead of respecting/using the documented configuration of delegated AllSites.FullControl.

Expected behavior

For the Sites.Selected applying process to function with the delegated permissions assigned in the new PnP app registration.

Actual behavior

The command as documented and in behavior wants to use Sites.FullControl.All Graph permissions and will error out when using the new PnP app registration with delegation.

Steps to reproduce behavior

Use the new PnP app registration with delegated AllSites.FullControl permissions.
Grant-PnPAzureADAppSitePermission -AppID XXXXXXX -DisplayName "TestName" -Permissions Read -Site https://blah.sharepoint.com/teams/site

What is the version of the Cmdlet module you are running?

2.12.0

Which operating system/environment are you running PnP PowerShell on?

• Windows
• Linux
• MacOS
• Azure Cloud Shell
• Azure Functions
• Other : please specify

[KoenZomers]

The cmdlet https://pnp.github.io/powershell/cmdlets/Grant-PnPAzureADAppSitePermission.html uses Microsoft Graph behind the scenes. It sounds like you've used the SharePoint permission. If so, that won't fly. You need to give it the Graph permission instead:

[enigmanet]

I thought best practice should be, register the app with least amount of access, and register higher level at the individual site.

• If the app is using SharePoint REST or CSOM, the appropriate API permission is "SharePoint > Application > Sites.Selected."
• If the app is using Microsoft Graph, the permission should be "Microsoft Graph > Application > Sites.Selected."
• Ensuring the correct API permission is essential; otherwise, the access will not work as expected.

The Grant-PnPAzureADAppSitePermission is indeed the easiest way to assign permissions to the app for the desired SharePoint site. This ensures the app is granted the necessary access at the site level, in some cases you will want to give it -FullControl for the site. i.e. /sites/marketing.

You are also required a certificate since SharePoint CSOM or REST API with clientcredentials oauth flow only works with client id and certificate and will not work with clientid and secret, and that is something most have issue or miss on.