The solution is based on a new Graph API feature – Sites.Selected – combined with a classic SharePoint app-only (SP-Only) app.
- Register an Azure App
- MS Graph API permissions: Add a permission -> Microsoft Graph -> Application permissions -> “Sites.Selected”
- Ask a SharePoint/tenant admin to run PowerShell code (e.g. this one) to assign the proper permissions to your Azure app for a specific site collection (consider site owner consent)
- SharePoint API permissions:
Site Collection Owner/Admin – use
to add SharePoint API permissions to your app.
Consider minimal permissions (e.g. as per Sumit)
- you get access to one and only one site collection (“least privilege” principle)
- you get both SharePoint API and Microsoft Graph API permissions to SharePoint
- you can use an app secret or a certificate to authenticate, depending on your security requirements
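The admin-side grant step, as an added example using the Microsoft Graph PowerShell SDK (this is not the script the post links to; the app ID, display name and site URL are placeholders):

```powershell
# Added example: grant a Sites.Selected app access to exactly one site collection.
# Run by a SharePoint/tenant admin. Requires: Install-Module Microsoft.Graph.Sites
# All values below are placeholders to be replaced.

$appId   = '00000000-0000-0000-0000-000000000000'   # placeholder: Azure app (client) ID
$appName = 'Contoso Invoice Sync'                   # placeholder: name shown on the grant
$siteUrl = 'contoso.sharepoint.com:/sites/Finance'  # placeholder: hostname:/server-relative-path
$role    = 'read'                                   # least privilege: 'read' unless the app must write

# The admin performing the grant needs Sites.FullControl.All (delegated) for this call.
Connect-MgGraph -Scopes 'Sites.FullControl.All'

# Resolve the site's Graph ID from its URL.
$site = Get-MgSite -SiteId $siteUrl

# Create the site-level grant. Without it, an app holding Sites.Selected can reach no site at all.
$body = @{
    roles               = @($role)
    grantedToIdentities = @(@{ application = @{ id = $appId; displayName = $appName } })
}
$perm = New-MgSitePermission -SiteId $site.Id -BodyParameter $body

# Verify: list every app grant on this site so unexpected apps or roles stand out in review.
Get-MgSitePermission -SiteId $site.Id | ForEach-Object {
    $apps = $_.GrantedToIdentities | ForEach-Object { $_.Application.Id }
    [pscustomobject]@{
        PermissionId = $_.Id
        Roles        = ($_.Roles -join ',')
        AppIds       = ($apps -join ',')
    }
}

# Revoke when the integration is decommissioned:
# Remove-MgSitePermission -SiteId $site.Id -PermissionId $perm.Id
```

Repeat the `New-MgSitePermission` call per site collection the app genuinely needs; every other site stays closed to it.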
- Register an application with the Microsoft identity platform
- Controlling app access on a specific SharePoint site collections is now available in Microsoft Graph
- Working with SharePoint sites in Microsoft Graph
- SharePoint Add-In — Permission XML cheat sheet
- Accessing SharePoint using an application context, also known as app-only