Granting an Entra App (Service Principal) access to a SharePoint Site using Graph Explorer

This process can be used if you need to run an unattended script or application (for example, a PowerShell script or other custom program) that interacts with SharePoint Online, such as copying files into a document library. Instead of using a user or service account, the script runs under the context of an Entra ID application (service principal) authenticated via its client secret. Because access is granted to a single site rather than tenant-wide, this approach follows least privilege and is well suited to automation scenarios.

Note: This assumes that the Entra application is already configured with the appropriate Microsoft Graph application permissions (typically Sites.Selected, which grants no access to any site until a site-level permission is assigned as described below). Application permission configuration and admin consent are out of scope for this document.

At a high level, you will:

  1. Create and configure an Entra Enterprise Application and Entra App Registration
  2. Identify the application’s Application (Client) ID and Display Name
  3. Retrieve the SharePoint Site ID using Microsoft Graph Explorer
  4. Grant the Entra application access to the SharePoint site using a Graph API call

Let’s get into it!

1. Set up the Entra ID Application

Ensure that the following already exist:

  • An App Registration in Entra ID
  • A corresponding Enterprise Application (Service Principal)
  • Required Microsoft Graph application permissions granted via admin consent

2. Gather Application Details

From the App Registration, note the following:

  • Application (Client) ID
  • Display Name of the Entra application

These values will be required when granting SharePoint site permissions in step 5.

3. Open Microsoft Graph Explorer

Navigate to: https://developer.microsoft.com/en-us/graph/graph-explorer

Authenticate using an account with sufficient privileges to assign SharePoint site permissions.

4. Retrieve the SharePoint Site ID

To grant access, you first need the Site ID of the SharePoint site.

Use the following GET request, replacing the tenant and site path as appropriate:

GET https://graph.microsoft.com/v1.0/sites/contoso.sharepoint.com:/sites/my_site

The response will include the site ID in this format (hostname, site collection ID and web ID, separated by commas):

contoso.sharepoint.com,000a00ab0-0a0a-0a0a-0a0a-a0a0a0aa0000,0000cab0-00a0-00a0-000a-000a0abca0a00a

Copy the full Site ID value — it will be used in the next step.

5. Grant the Application Access to the SharePoint Site

With the Site ID collected, submit the following POST request to assign permissions.

Post URL – https://graph.microsoft.com/v1.0/sites/{site-id}/permissions

POST https://graph.microsoft.com/v1.0/sites/contoso.sharepoint.com,000a00ab0-0a0a-0a0a-0a0a-a0a0a0aa0000,0000cab0-00a0-00a0-000a-000a0abca0a00a/permissions

Request Body

{
  "roles": ["write"],
  "grantedToIdentities": [
    {
      "application": {
        "id": "1bbb1b11-11bb-1111-bbb1-1111bb1bb11b",
        "displayName": "Contoso SharePoint File Copy Automation"
      }
    }
  ]
}

  • roles: specifies the level of access (e.g., read, write); grant read unless the automation actually needs to write
  • id: Application (Client) ID of the Entra app
  • displayName: Friendly name of the application (for readability)
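The same lookup and grant, scripted, as an added example that is not part of the original write-up: it builds the site-lookup URL and the permission body from steps 4 and 5 (rejecting a malformed client ID or an unexpected role), and reduces a GET /sites/{site-id}/permissions response to a list of which applications hold which roles, which is the check an admin wants when reviewing who can reach the site. The bearer token is assumed to come from a client-credentials flow (not shown), `graph_call` is a hypothetical thin wrapper, and SAMPLE_PERMISSIONS is a constructed response.

```python
import json
import re
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
ALLOWED_ROLES = {"read", "write"}  # the roles the write-up names; prefer "read" when it suffices


def site_lookup_url(hostname: str, site_path: str) -> str:
    """GET URL that resolves a site path to its composite site ID (step 4)."""
    return f"{GRAPH}/sites/{hostname}:{site_path}"


def build_grant_body(app_id: str, display_name: str, roles=("read",)) -> dict:
    """POST body for /sites/{site-id}/permissions (step 5), validated before sending."""
    if not GUID.match(app_id):
        raise ValueError(f"not an Application (Client) ID GUID: {app_id!r}")
    unexpected = set(roles) - ALLOWED_ROLES
    if unexpected:
        raise ValueError(f"unexpected role(s): {sorted(unexpected)}")
    return {"roles": list(roles),
            "grantedToIdentities": [{"application": {"id": app_id, "displayName": display_name}}]}


def graph_call(token: str, method: str, url: str, body=None) -> dict:
    """Hypothetical minimal Graph call with a bearer token (network; not exercised offline)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def summarize_grants(permissions_response: dict) -> list:
    """Turn a GET /sites/{site-id}/permissions response into (app id, name, roles) tuples."""
    out = []
    for perm in permissions_response.get("value", []):
        # newer responses may carry grantedToIdentitiesV2 alongside grantedToIdentities
        idents = perm.get("grantedToIdentities") or perm.get("grantedToIdentitiesV2") or []
        for ident in idents:
            app = ident.get("application")
            if app:
                out.append((app.get("id"), app.get("displayName"), sorted(perm.get("roles", []))))
    return out


SAMPLE_PERMISSIONS = {"value": [  # constructed sample, not data from a real tenant
    {"id": "perm-1", "roles": ["write"], "grantedToIdentities": [{"application": {
        "id": "1bbb1b11-11bb-1111-bbb1-1111bb1bb11b", "displayName": "Contoso SharePoint File Copy Automation"}}]},
    {"id": "perm-2", "roles": ["read"], "grantedToIdentities": [{"application": {
        "id": "2ccc2c22-22cc-2222-ccc2-2222cc2cc22c", "displayName": "Reporting Reader"}}]}]}
```

With a real token, `graph_call(token, "GET", site_lookup_url(host, path))["id"]` yields the site ID for the POST, and `graph_call(token, "GET", f"{GRAPH}/sites/{site_id}/permissions")` fed to `summarize_grants` lists every application grant on the site.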