Sites.Selected is the application permission to use when a non-interactive (daemon) application needs access to specific SharePoint sites only, instead of every site in the tenant.
Steps to get access to SharePoint site with Sites.Selected:
1. Register an application in Azure (via Azure portal GUI, PowerShell script or helpdesk/servicedesk request)
2. Update the app registration so that both application permissions are configured: Microsoft Graph Sites.Selected and SharePoint Sites.Selected.
Provide or request tenant admin consent for these API permissions. Finally, your app registration should look like:
3. Obtain and upload client certificate (recommended) or generate client secret
Note your application (client) ID and tenant ID on the app's Overview page:
At this point, with the tenant ID, application (client) ID and the certificate or client secret, you should be able to authenticate against the Microsoft 365 tenant using the app-only (client credentials) flow.
But having Sites.Selected API permissions configured for the app does not mean the app has access to any SharePoint site: Sites.Selected grants nothing by itself. Access to specific sites is granted per site by the SharePoint team, using a PowerShell script or Graph API calls. That leads us to the next step.
4. Request access for the app to a specific SharePoint site (your SharePoint service admin should be able to do that via PowerShell script or Graph API calls).
Here is the Graph API
5. Validate your app has access to the target SharePoint site with PowerShell:
Here is the code:
6. Secure your certificate and/or secret
Consider keeping the certificate or secret in a vault (for example Azure Key Vault) rather than in configuration files or source code. If you host your application in Azure, consider using a managed identity, which removes the need to handle a credential at all.
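The whole procedure from step 4 and step 5 in one script, as an added example that is not code from the original post. It assumes the app registration already has Microsoft Graph and SharePoint Sites.Selected with admin consent, that the admin running the first part holds Sites.FullControl.All, and that the modules Microsoft.Graph.Authentication and PnP.PowerShell are installed; the tenant name, client ID, certificate thumbprint, display name and site URLs are placeholders to replace.

```powershell
# Added example (not from the original post). All IDs and URLs below are placeholders.
param(
    [string]$Tenant     = 'contoso.onmicrosoft.com',                     # placeholder
    [string]$ClientId   = '11111111-1111-1111-1111-111111111111',        # placeholder app (client) ID
    [string]$Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567',    # placeholder cert thumbprint
    [string]$AppName    = 'Finance Export App',                          # placeholder display name
    [string]$SiteUrl    = 'https://contoso.sharepoint.com/sites/Finance' # site to grant
)

# --- Step 4 (SharePoint/Global admin): grant the app 'write' on exactly one site via Graph ---
# The admin signs in interactively; managing site permissions needs Sites.FullControl.All.
Connect-MgGraph -Scopes 'Sites.FullControl.All'

# Resolve the site ID from its URL: GET /sites/{hostname}:{server-relative-path}
$uri    = [System.Uri]$SiteUrl
$site   = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/sites/$($uri.Host):$($uri.AbsolutePath)"
$siteId = $site.id

# POST /sites/{site-id}/permissions creates the grant. Roles are 'read' or 'write'
# (SharePoint also accepts 'manage' and 'fullcontrol' for Sites.Selected apps).
$body = @{
    roles               = @('write')
    grantedToIdentities = @(@{ application = @{ id = $ClientId; displayName = $AppName } })
}
$grant = Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/sites/$siteId/permissions" -Body $body
"Granted permission $($grant.id) with roles: $($grant.roles -join ',')"

# Review everything the site currently grants to applications; any app you do not
# recognise here is a finding, because each grant is an app-only path into the site.
$perms = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/sites/$siteId/permissions"
foreach ($p in $perms.value) {
    foreach ($ident in $p.grantedToIdentities) {
        "{0} ({1}): {2}" -f $ident.application.displayName, $ident.application.id, ($p.roles -join ',')
    }
}

# --- Step 5 (app owner): validate app-only access with the certificate, no user, no secret ---
Connect-PnPOnline -Url $SiteUrl -ClientId $ClientId -Tenant $Tenant -Thumbprint $Thumbprint
Get-PnPSite | Select-Object Url, Id              # succeeds only if the site grant exists
Get-PnPList | Select-Object Title, ItemCount     # read of site content proves the 'write' grant at least reads

# Negative check: Sites.Selected is deny-by-default, so a site that was never granted must fail.
# If this succeeds, the app has another path (e.g. an ACS principal or a *.All permission) to investigate.
$ungranted = 'https://contoso.sharepoint.com/sites/HR'   # placeholder: a site NOT granted above
try {
    Connect-PnPOnline -Url $ungranted -ClientId $ClientId -Tenant $Tenant -Thumbprint $Thumbprint
    Get-PnPSite | Out-Null
    Write-Warning "Unexpected: $AppName can reach $ungranted without a Sites.Selected grant."
} catch {
    "Expected denial on ungranted site: $($_.Exception.Message)"
}
```

Run the first half as the SharePoint administrator and the second half as the app owner with only the certificate at hand: the split is deliberate, because the admin should never need the app's credential and the app owner should never hold Sites.FullControl.All. The listing of existing grants and the negative check are the two things worth keeping as a periodic audit.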
ACS-based (legacy SharePoint app-only) permissions are going to be deprecated soon; see: Your SharePoint admin doesn't allow site owners to create/update ACS principal (Vladilen, Microsoft 365 engineer)