This blog walks you through the end-to-end process of granting a managed identity read/write access to a specific SharePoint Online site using Microsoft Graph and PowerShell.
Updated May 02, 2025
Version 1.0

For system-assigned managed identities, the Sites.Selected application permission (a Microsoft Graph app role) can be assigned with Microsoft Graph PowerShell. It currently cannot be assigned from the Enterprise Applications blade in the Entra admin center: a managed identity has only a service principal and no app registration, so there is no API permissions page on which to request it.
PowerShell script (requires the Microsoft.Graph.Applications module; the account running it needs rights to create app role assignments, for example Privileged Role Administrator or Global Administrator):

```powershell
# AppRoleAssignment.ReadWrite.All lets us create the assignment,
# Application.Read.All lets us read the service principals involved.
Connect-MgGraph -Scopes "AppRoleAssignment.ReadWrite.All","Application.Read.All"

# Object ID of the managed identity's service principal (shown on the
# resource's Identity blade, not the client/app ID).
$managedIdentityObjectId = "<ManagedIdentityObjectId>"

# Microsoft Graph's service principal, looked up by its well-known appId so the
# match is unambiguous (a displayName filter can match more than one entry).
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# The app role we want to grant: Sites.Selected
$sitesSelectedRole = $graphSp.AppRoles | Where-Object { $_.Value -eq "Sites.Selected" }

# The managed identity's service principal
$miSp = Get-MgServicePrincipal -ServicePrincipalId $managedIdentityObjectId

# Assign Sites.Selected (on the Microsoft Graph resource) to the managed identity
New-MgServicePrincipalAppRoleAssignment `
    -ServicePrincipalId $miSp.Id `
    -PrincipalId $miSp.Id `
    -ResourceId $graphSp.Id `
    -AppRoleId $sitesSelectedRole.Id
```
After assigning the permission, grant access to each individual site with New-MgSitePermission (Microsoft.Graph.Sites module). Sites.Selected by itself grants access to no sites: every site the identity needs must be granted explicitly, with "read" or "write" roles. Two points that commonly trip people up: the grant references the managed identity by its appId (client ID), not the object ID used for the app role assignment above, and the account creating the grant needs Sites.FullControl.All.
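The site-level grant, as an added example that is not part of the original post. It first verifies that the Sites.Selected assignment from the previous step exists, then grants write access on one site and lists the site's permissions afterwards. The site path (contoso.sharepoint.com:/sites/Finance) and the managed identity object ID placeholder are assumed values.

```powershell
# Sites.FullControl.All is required to create site permissions;
# Application.Read.All lets us read the service principals.
Connect-MgGraph -Scopes "Sites.FullControl.All","Application.Read.All"

$managedIdentityObjectId = "<ManagedIdentityObjectId>"   # assumed placeholder
$miSp = Get-MgServicePrincipal -ServicePrincipalId $managedIdentityObjectId

# 1. Confirm Sites.Selected is actually assigned to the MI on the Microsoft Graph resource.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$sitesSelectedRole = $graphSp.AppRoles | Where-Object { $_.Value -eq "Sites.Selected" }
$assignment = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $miSp.Id |
    Where-Object { $_.ResourceId -eq $graphSp.Id -and $_.AppRoleId -eq $sitesSelectedRole.Id }
if (-not $assignment) {
    throw "Sites.Selected is not assigned to '$($miSp.DisplayName)'; run the app role assignment first."
}

# 2. Resolve the target site. Graph accepts "hostname:/server-relative-path" as a site ID.
$site = Get-MgSite -SiteId "contoso.sharepoint.com:/sites/Finance"   # assumed site

# 3. Grant the MI read/write on this one site. The identity is referenced by its
#    appId (client ID), not by the object ID used above. Use roles = @("read") for read-only.
$body = @{
    roles = @("write")
    grantedToIdentities = @(
        @{ application = @{ id = $miSp.AppId; displayName = $miSp.DisplayName } }
    )
}
$permission = New-MgSitePermission -SiteId $site.Id -BodyParameter $body
"Granted permission $($permission.Id) with roles: $($permission.Roles -join ', ')"

# 4. List what the site now has. Review this periodically: Sites.Selected grants live on
#    the site, not on the service principal, so they do not show up in the Enterprise
#    Applications blade.
Get-MgSitePermission -SiteId $site.Id |
    Select-Object Id, Roles, @{ n = "App"; e = { $_.GrantedToIdentities.Application.DisplayName } }
```

To revoke access later, pass the permission ID from step 3 to Remove-MgSitePermission -SiteId $site.Id -PermissionId $permission.Id; removing the Sites.Selected app role assignment alone does not delete the per-site grants.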
This approach lets a system-assigned managed identity access SharePoint Online sites with Sites.Selected, scoped to exactly the sites you grant, without a separate app registration and without a client secret or certificate to store and rotate.
Hope this helps others facing the same issue with managed identity and Sites.Selected assignment.