Introduction
In our previous article, we discussed how to add ‘Azure AD App Only Authentication’ to SharePoint online sites using Certificate Based Authentication. The details about those concepts were discussed there. Please refer to the link below to read the article.
Some applications may require Site Collection Admin rights in order to perform some background operations. For example:
- Creating a new list and then creating new entries
- Creating new document library and uploading the files
Using the above PnP methods, which is Azure AD App-only authentication, there are only two permission levels we can provide using the Power Shell Application grant command. These are ‘Read’ or ‘Write’.
Grant-PnPAzureADAppSitePermission -AppId 'YOUR APP ID HERE' -DisplayName 'APP DISPLAY NAME HERE' -Site 'https://contosodev.sharepoint.com/sites/CBADemo1' -Permissions Write
Let's try to connect to one of the SharePoint online sites. It has ‘Write’ permissions for the Azure AD App using PnP PowerShell. Let's see if creating new list here will work or not.
Steps to connect to SharePoint online
Step 1 - Get the Azure AD App Details.
Get the App details and thumbprint details that were created using the command Register-AzureADPnPApp. The details can be retrieved by going to Azure AD Portal and looking for the App details under the “App Registrations”. In this case my app name is ‘SPSitesSelected”.
- Click on ‘Azure AD’ on home page. If you cannot find it, search for ‘Azure AD’ and select the Azure AD application tile.
- From the quick launch click on the ‘App Registrations’ and search for the app ‘SPSitesSelected’.
- In my case, the App ID is 0dac6fa0-5cd7-4937-9aa6-f6b4b48fec1f
- For getting the thumbprint, go to the ‘Clients & Secrets’ from the quick launch. Copy the ‘Thumbprint’ value. The Thumbprint is 45251E620EF82C54F6A1E9B3A94B2502932699DC.
Step 2 - Authenticate to SPO site
Authenticate to the SharePoint online site using the App credentials. To connect successfully, you will need to have the following parameters ready:
- Site URL
- App ID
- Certificate Thumbprint
Connect-PnPOnline -Url "https://contosodev.sharepoint.com/sites/CBADemo1" -ClientId "0dac6fa0-5cd7-4937-9aa6-f6b4b48fec1f" -Thumbprint "45251E620EF82C54F6A1E9B3A94B2502932699DC" -Tenant "contosodev.onmicrosoft.com"
Step 3 - Validate the Connection
Upon successful authentication, you will see the site information and the list information displayed.
Step 4 - Create a new list
New-PnPList -Title "Contoso AD App List" -Template GenericList
Now you can see that the Azure AD App does not have enough rights to create a new list.
Elevating Azure AD App to Site Collection Admin Rights
To grant Site Collection Admin rights for the app, in other words ‘Full Control’ permissions, the following steps are required:
- Get the Permission Id for the Azure AD App that has been granted access
- Grant the Permission Id the full control rights using the Global Admin Credentials
- Connect to the SPO site using the Azure AD App Details and validate the ‘Full Control’ rights.
Get the Permission Id for the Azure AD App that has been granted access
In this section, let's connect to PnP Power Shell module using Global Admin rights and get the Permission Id of the Azure Ad App.
For getting the permission Id run the below PS command:
$AzADAppPermissionId = Get-PnPAzureADAppSitePermission -AppIdentity "0dac6fa0-5cd7-4937-9aa6-f6b4b48fec1f" -Site "https://contosodev.sharepoint.com/sites/CBADemo1"
In this case, it gets the App Permission Id and stores in PS variable $AzADAppPermissionId.
Grant the Permission Id the full control rights using Global Admin Credentials
Run the below PS command to grant the ‘Full Control’ permissions to the Azure AD App.
Set-PnPAzureADAppSitePermission -Site "https://contosodev.sharepoint.com/sites/CBADemo1" -PermissionId ($AzADAppPermissionId).Id -Permissions FullControl
Connect to SPO site using the Azure AD App Details and validate the ‘Full Control’ rights.
For validation of the SCA rights, we will try creating the new list that we used in previous section.
Step 1
Connect to the site using the App credentials to the site.
Connect-PnPOnline -Url "https://contosodev.sharepoint.com/sites/CBADemo1" -ClientId "0dac6fa0-5cd7-4937-9aa6-f6b4b48fec1f" -Thumbprint "45251E620EF82C54F6A1E9B3A94B2502932699DC" -Tenant "contosodev.onmicrosoft.com"
Step 2
Now create the new list.
New-PnPList -Title "Contoso AD App Test List" -Template GenericList
Complete Script
#Connecting to SPO site with Global Admin Rights
Connect-PnPOnline -Url "https://contosodev-admin.sharepoint.com" -Interactive
#Grating the write permissions to Azure AD App using Global Admin Connection
Grant-PnPAzureADAppSitePermission -AppId "0dac6fa0-5cd7-4937-9aa6-f6b4b48fec1f" -Site "https://contosodev.sharepoint.com/sites/CBADemo1" -Permissions Write
#Disconnnecting the connection
Disconnect-PnPOnline
#Connecing to the SPO site with App Only Authentication
Connect-PnPOnline -Url "https://contosodev.sharepoint.com/sites/CBADemo1" -ClientId "0dac6fa0-5cd7-4937-9aa6-f6b4b48fec1f" -Thumbprint "45251E620EF82C54F6A1E9B3A94B2502932699DC" -Tenant "contosodev.onmicrosoft.com"
#Creating New list using PnP Powershell
New-PnPList -Title "Contoso AD App List" -Template GenericList
#Getting the permission ID of the Azure AD App
$AzADAppPermissionId = Get-PnPAzureADAppSitePermission -AppIdentity "0dac6fa0-5cd7-4937-9aa6-f6b4b48fec1f" -Site "https://contosodev.sharepoint.com/sites/CBADemo1"
#Grnting Full Control Rights to the Azure AD App to a specific site collection
Set-PnPAzureADAppSitePermission -Site "https://contosodev.sharepoint.com/sites/CBADemo1" -PermissionId ($AzADAppPermissionId).Id -Permissions FullControl
#Creating new List Entry
New-PnPList -Title "Contoso AD App Test List" -Template GenericList
Conclusion
In this article we have learned how to grant 'Full Control' rights to Azure AD App using the PnP Powershell module.
References