Summary
Earlier, I posted an article regarding the “Sites.Selected” MS Graph permission to create the granular permissions for sites. The following is the link for the article.
How does the MS Graph “Sites.Selected” permission work for granular permissions for SPO sites?
It is great that Admins can control the granting and revoking of this "granular" Read or Write permission per site. However, there are gaps, such as how governance is maintained: it becomes the Admins' additional task to execute the scripts and to maintain the list of Azure AD applications, sites and permissions. Additionally, depending on the tenant size, executing the users' requests for access to sites can become an Admin's nightmare.
This article addresses the above weaknesses by giving you steps to design and develop a tool that maintains the users' requests. It also guides you through automating the granting and revoking of site permissions.
I named the tool Sites Selected Request Tracker (SSRT).
Prerequisites
The following resources are required for the tool.
- PnP.PowerShell – PnP.PowerShell is used in the Azure Function to maintain the tracker list.
- Two SharePoint Lists – The SharePoint lists are required to track the list of Azure AD application IDs and the users' permission requests.
- Azure Logic Apps – The Azure Logic App is required to trigger a flow when an item in the request tracker list is created or modified. Based on the granting or revoking change, it makes a call to the Azure Function.
- Azure Function – The Azure Function is required to execute the Grant and Revoke using PnP.PowerShell. This is the real engine that automates the task.
- Azure Key Vault – Azure Key Vault is needed to store the certificates for the Azure AD app. Please read the previous article for more information.
Architecture Diagram
The logical architecture diagram for the SSRT tool.
SharePoint List One – CustomerAppIDs Columns
This first list holds all Azure AD apps that have been consented the "Sites.Selected" permission. You can use a client secret or a certificate; it is recommended to use a certificate for each Azure AD app.

| Internal Name | Display Name | Column Type |
|---|---|---|
| Title | App ID GUID | Single line of text |
| AppName | App Display Name | Single line of text |
SharePoint List Two – SitesSelectedTracker Columns
This second list keeps track of all the requests for sites. After adding the Azure AD app information in the first list, the Admins add the sites for a specific Azure AD application with the Read or Write selection. Whenever an Admin changes an item to Revoke, the Logic App revokes the permission and deletes the item from the tracker list.

| Internal Name | Display Name | Column Type | Description |
|---|---|---|---|
| Title | Site URL | Single line of text | Stores the URL of the site that needs permissions. |
| ApplicationID | ApplicationID | Lookup | Reference to the App ID and AppName columns from the above list. |
| ReadWrite | Read Or Write | Choice | Read or Write choice. Default is Read. |
| GrantRevoke | Grant Or Revoke | Choice | Grant or Revoke choice. Default is Grant. |
| ReadWriteCopy | ReadWriteCopy | Single line of text | Used internally by the flow. Hidden from the user. Default is None. |
| GrantRevokeCopy | GrantRevokeCopy | Single line of text | Used internally by the flow. Hidden from the user. Default is Grant. |
| RecordEngineSteps | RecordEngineSteps | Enhanced rich text | Used internally by the flow. Hidden from the user. The engine uses it to add the step descriptions. |
“ProcessReadWrite” Azure Logic Apps
- The Logic App triggers when an item is created or modified in the SitesSelectedTracker list.
- The trigger condition is:
  - ReadWrite and ReadWriteCopy are not equal, OR
  - GrantRevoke and GrantRevokeCopy are not equal.
- If the above condition is met, the Azure Logic App makes a call to the "SPOSiteSelected" Azure Function with the following parameters.

The following request body is passed to the Azure Function:

```json
{
  "Action": "@{triggerBody()?['GrantRevoke']?['Value']}",
  "ClientAppID": "@{triggerBody()?['ApplicationID']?['Value']}",
  "DisplayName": "@{triggerBody()?['ApplicationID_x003a_AppName']?['Value']}",
  "Permission": "@{triggerBody()?['ReadWrite']?['Value']}",
  "SiteURL": "@{triggerBody()?['Title']}"
}
```
NOTE: To get to the code for the above Azure function, please click here.
“SPOSitesSelected” HTTPTriggered Azure Function
- Map all the request input variables.
- Based on the Grant or Revoke action, make a call to Grant-PnPAzureADAppSitePermission or Revoke-PnPAzureADAppSitePermission.
NOTE: You can refer to my previous post to set up Azure Function and Certificate. How to setup certificate in MAG Azure Function App for PnP.PowerShell?
NOTE: To get to the code for the above Azure function, please click here.
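The function body the two bullets above describe, written here as an added example rather than the code linked from this post: an Azure Functions PowerShell run.ps1 that validates the request body sent by the Logic App, connects with the admin app's certificate and calls the Grant or Revoke cmdlet, returning a step log the flow can write into RecordEngineSteps. The app setting names (AdminAppId, TenantName, AdminCertBase64) are assumptions for this example.

```powershell
using namespace System.Net
param($Request, $TriggerMetadata)

# 1. Map the request body sent by the "ProcessReadWrite" Logic App.
$action      = [string]$Request.Body.Action       # Grant | Revoke
$clientAppId = [string]$Request.Body.ClientAppID  # App ID GUID from CustomerAppIDs
$displayName = [string]$Request.Body.DisplayName  # App display name from CustomerAppIDs
$permission  = [string]$Request.Body.Permission   # Read | Write
$siteUrl     = [string]$Request.Body.SiteURL      # Site URL from the tracker Title column

# 2. Accept only the values the tracker list's choice columns allow, so a malformed
#    or edited list item can never turn into an unexpected permission grant.
$errors = @()
if ($action -notin @('Grant', 'Revoke'))   { $errors += 'Action must be Grant or Revoke' }
if ($permission -notin @('Read', 'Write')) { $errors += 'Permission must be Read or Write' }
if ($clientAppId -notmatch '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$') { $errors += 'ClientAppID is not a GUID' }
if ($siteUrl -notmatch '^https://[^/?#]+/(sites|teams)/[^/?#]+/?$') { $errors += 'SiteURL is not a site collection URL' }
if ($errors) {
    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
        StatusCode = [HttpStatusCode]::BadRequest; Body = ($errors -join '; ') })
    return
}

# 3. Connect as the admin app whose certificate is kept in Key Vault and surfaced to the
#    Function as app settings (assumed names). This app must itself be allowed to manage
#    site permissions; the target app only ever receives Sites.Selected grants.
$steps = @()
try {
    Connect-PnPOnline -Url $siteUrl -ClientId $env:AdminAppId -Tenant $env:TenantName `
        -CertificateBase64Encoded $env:AdminCertBase64
    if ($action -eq 'Grant') {
        $result = Grant-PnPAzureADAppSitePermission -AppId $clientAppId -DisplayName $displayName `
            -Permissions $permission -Site $siteUrl
        $steps += "Granted $permission to $displayName ($clientAppId); permission id $($result.Id)"
    }
    else {
        # Revoke needs the permission id, so look up what this app currently holds on the site.
        $existing = @(Get-PnPAzureADAppSitePermission -Site $siteUrl -AppIdentity $clientAppId)
        foreach ($p in $existing) {
            Revoke-PnPAzureADAppSitePermission -PermissionId $p.Id -Site $siteUrl -Force
            $steps += "Revoked permission $($p.Id) from $displayName ($clientAppId)"
        }
        if ($existing.Count -eq 0) { $steps += "Nothing to revoke for $clientAppId on $siteUrl" }
    }
    $status = [HttpStatusCode]::OK
}
catch {
    $steps += "Failed: $($_.Exception.Message)"
    $status = [HttpStatusCode]::InternalServerError
}
finally { Disconnect-PnPOnline -ErrorAction SilentlyContinue }

# 4. Return the step log so the Logic App can record it in RecordEngineSteps.
Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ StatusCode = $status; Body = ($steps -join "`n") })
```

Keep the function key or an identity-based restriction on the HTTP trigger so that only the Logic App can call it; the validation above limits what a caller can do, not who can call.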
Conclusion
As described, the Sites Selected Request Tracker (SSRT) tool addresses the governance and automation issues for the "Sites.Selected" permission.
There is also a PnP sample web part you may want to explore, which may meet your needs.
Sites Selected Admin client-side web part
https://github.com/pnp/sp-dev-fx-webparts/tree/main/samples/react-sites-selected-admin
This is the best presentation so far, perhaps the only one that works for Microsoft Graph “Sites.Selected” using PowerShell. I am able to use PowerShell for read or write. Do you know how to implement using Sites.Selected permission for Microsoft Graph to access SharePoint in a C#.net program? Thank you for sharing!