Hi,
I am writing an application that has the following features create/modify/delete sites, (un)assign user permissions, upload and deploy webparts, allow sharing sites/documents with externals (guests).

This is all tested and possible with my application but my applications is using "Sharepoint Admin" permissions to accomplish this. This is way to much and I am in search of permissions/roles that are within the above mentioned scope.

I have looked into providing "site collection admin" but a site collection setup does not provide enough flexibility in assigning permissions to users to the sites and also it is only for predefined, pre-created sites while my application needs to be able to create several different sites.

So far this is the main goal.

Having sad that second goal is to add boundaries to this permission so that it will not have permission outside certain sites. The URL of these sites will be predefined and before they are created.

I have tried to accomplish this with:

• AAD user with Sharepoint permissions but could not find anything better then "Sharepoint admin". Which has as mentioned before to much permissions.
• Sharepoint Add-in but could not find anyway of setting the permissions to the above mentioned permission scope.
• Azure App registration with ClientSecret or certificate but this way the allowed permissions by Azure are inadequate.

The limitations of this last point is described in the following article,

https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly

I hope that someone can help me find the correct way of accomplish this, as I am certain I have overlooked something.