Blog Post

Azure Architecture Blog
2 MIN READ

Granting Azure Resources Access to SharePoint Online Sites Using Managed Identity

anammalu's avatar
anammalu
Icon for Microsoft rankMicrosoft
May 02, 2025

This blog walks you through the end-to-end process of granting a managed identity read/write access to a specific SharePoint Online site using Microsoft Graph and PowerShell.

When integrating Azure resources like Logic Apps, Function Apps, or Azure VMs with SharePoint Online, you often need secure and granular access control. Rather than handling credentials manually, Man...
Updated May 02, 2025
Version 1.0
application
apps & devops
integration
well architected
AntonSokolovskyi's avatar
AntonSokolovskyi
Copper Contributor
May 15, 2025

Managed identities are not available under Microsoft Entra ID > App registrations

  • naya's avatar
    naya
    Copper Contributor
    May 15, 2025

    I couldn't find system assigned managed identity in app registration. was able to assign msgraph sites.selected permission to it using Powershell. 

  • anammalu's avatar
    anammalu
    Icon for Microsoft rankMicrosoft
    May 15, 2025

    For Managed identities, go to Enterprise applications in Microsoft Entra ID> Permissions> Application Registration and add Sites.Selected scope.

    • gennadiibogopolskii's avatar
      gennadiibogopolskii
      Copper Contributor
      May 21, 2025

      It is not correct. It is impossible to add Sites.Selected scope via "Enterprise applications in Microsoft Entra ID> Permissions". You must use ps-script for this step.

      • craigblow's avatar
        craigblow
        Copper Contributor
        May 27, 2025

        Yes, This script will assign the permission if provided with the managed identity object id

        # Add sites.Selected permssion to managed identity

        # Define the Managed Identity client ID (App ID)
        $managedIdentityAppId = "<Managed Identity Object Id>"

        # Get the Microsoft Graph service principal
        $graphSp = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Graph'"

        # Find the app role ID for 'Sites.FullControl.All'
        $sitesControlRole = $graphSp.AppRoles | Where-Object {
            $_.Value -eq "Sites.Selected" -and $_.AllowedMemberTypes -contains "Application"
        }

        if (-not $sitesControlRole) {
            Write-Error "Sites.Selected role not found in Microsoft Graph."
            exit
        }

        # Get the Managed Identity's service principal
        $miSp = Get-MgServicePrincipal -Filter "id eq '$managedIdentityAppId'"

        if (-not $miSp) {
            Write-Error "Managed Identity with AppId '$managedIdentityAppId' not found."
            exit
        }

        # Check if the permission already exists
        $existingAssignment = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $miSp.Id |
            Where-Object { $_.AppRoleId -eq $sitesControlRole.Id -and $_.ResourceId -eq $graphSp.Id }

        if ($existingAssignment) {
            Write-Host "'Sites.Selected' is already assigned to the Managed Identity."
        } else {
            # Create the app role assignment
            New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $miSp.Id -BodyParameter @{
                PrincipalId = $miSp.Id
                ResourceId  = $graphSp.Id
                AppRoleId   = $sitesControlRole.Id
            }

            Write-Host "Successfully assigned 'Sites.Selected' permission to the Managed Identity."