Minimal permissions needed to upload a file

[Rcarr1]

Discussed in #4418

^{Originally posted by Rcarr1 October 11, 2024}
We are using PnP.Powershell to place a document on Sharepoint every 10 minutes via automation and service account. We've registered the app with Azure per instructions. We granted the service account permissions (both Admin and owner) on the site. We've granted the App Sites.Selected to Sharepoint and gave it AllSites.FullControl briefly while we attempted to grant permissions to the site we need via this command: "grant-PnPAzureADAppSitePermission -AppId "ApplicationID" -DisplayName "PnP Management Shell" -Permissions Write -Site "https://tenant.sharepoint.com/sites/site""

This was unsuccessful and resulted in an error message stating we need further permissions from the Global Admin. What specific permissions do we need to grant to get this to function? We're using v2.12.0. We fully intend to revoke the AllSites.FullControl for security reasons and want to grant it the minimal permissions needed to function on this site only.

Can someone please advise on what permissions are needed for this?

[KoenZomers]

Can you be more specific? What are you refering to by "this was unsuccesful"? The setting permissions part or the uploading part? Can you share the script you're using?

Generally, if you just want to be able to upload a file to one document library, for now, the minimal priviledges you need on your app-only appreg is Sites.Selected. Give it Write permissions to that site. Soon Microsoft will introduce further fine-grained permissions to nail it down to the individual document library. That's not possible yet.

To set the Sites.Selected permission needs to be set using https://pnp.github.io/powershell/cmdlets/Grant-PnPAzureADAppSitePermission.html and using a different appreg which has Sites.FullControl.All permissions. as the documentation states. This is a one time operation.

[Rcarr1]

Apologies. Setting the permissions was unsuccessful. After using connect-PnPOnline -url "https://tenant.sharepoint.com/sites/site" -interactive -clientid AppID, it required the Global Admin sign in and grant X permission. I'm not sure what that permission is as even in verbose mode it didn't state what it was. We'd like to know what to grant or what we need to do to allow. The permission Sites.FullControl.AllPermissions isn't likely to be approved by our admins. The two lines it did output were:
VERBOSE: Using Microsoft Graph to lookup the site Id of the passed in site using -Site.
VERBOSE: Acquiring oAuth token for permission scope Sites.FullControl.All.

At that time, it had Microsoft.Graph(User.Read) and Sharepoint(AllSites.FullControl) Type: Delegated and (Sites.Selected) Type:Application.

The script is simple and was working prior to Sept 9th. It uses Connect-PnPOnline to the URL and credentials and then Add-PnPFile -Path $file -Folder $folder.

[KoenZomers]

Gotcha. In that case your only option is to use an app only context. PnP PowerShell uses CSOM behind the Add-PnPFile cmdlet. CSOM requires SharePoint permissions. SharePoint doesn't have a delegated Sites.Selected, Graph does. So your safest option would be to create an appreg with just Sites.Selected on the application scope of SharePoint:

Assign a certificate to your appreg:

Ensure you've got http://localhost added as Mobile and desktop applications redirect URI:

And ensure you've'got Allow public client flows set to Yes:

Use an account with Sites.FullControl.All on Delegate to connect interactively to your tenant and assign the permissions for Sites.Selected using:
grant-pnpazureadAppSitePermission -AppId yourappid -DisplayName "Some name" -Permissions Write

You can then connect using:
connect-pnponline tenant.sharepoint.com/sites/somesitecol -clientid yourclientid -tenant tenant.onmicrosoft.com -CertificatePath pathtoyourpfx

And upload a file using:
Add-PnPFile -Path C:\temp\abc.xml -Folder "Shared Documents"

That's the safest and quickest path to victory for your scenario.

[danfoxley]

This was helpful for me to confirm I was on the right track for doing similar. Below worked for me and I was able to register an app and read/write to a Document Library.

Register:

Register-PnPEntraIDApp -ApplicationName "MyPnP" -Tenant [tenant].onmicrosoft.com -OutPath "C:\LocalPath" -Interactive

Connect:

Connect-PnPOnline -Url "https://[tenant].sharepoint.com/sites/mysite" `
    -ClientId "[CLIENTID]" `
    -Tenant "[tenant].onmicrosoft.com" `
    -CertificatePath "C:\LocalPath\MyPnP.pfx"

Notes:

1. I wasn't familiar with different ways to Authenticate -DeviceLogin , -Interactive -OSLogin. In my case, I don't run (-DeviceLogin) as Entra Gobal Admin, so the suggested example of -DeviceLogin needed to be replaced with -Interactive (and running latest version of PnPPowershell). -Interactive allowed me to complete Register-PnPEntraIDApp as Global Admin user.
2. Seems -Interactive set all as @KoenZomers shows in above screenshots, when completing with Global Admin.

@KoenZomers this tripped me up, where setting up of App Only Access was suggesting -DeviceLogin. -Interactive then using Global Admin made this more streamlined to register an app.

[Rcarr1]

Understood. We'll try that and get back. Thanks for the quick responses.