Graph Lists and Sites Permission endpoint
I just found https://docs.microsoft.com/en-us/graph/api/site-post-permissions?view=graph-rest-1.0&tabs=http in the microsoft docs: "Create a new https://docs.microsoft.com/en-us/graph/api/resources/permission?view=graph-rest-1.0 object on a site." But what does this mean? I tried the endpoint but it seems not to be possible to give people permissions in SharePoint Online through this endpoint. What is this supposed to do exactly: POST https://graph.microsoft.com/v1.0/sites/{sitesId}/permissions Content-Type: application/json { "roles": ["write"], "grantedToIdentities": [{ "application": { "id": "89ea5c94-7736-4e25-95ad-3fa95f62b66e", "displayName": "Contoso Time Manager App" } }] } How can "apps" have permissions in SharePoint? I always thought only SharePoint groups/users or Azure AD groups or users can have permissions in SharePoint. What does it mean if an "app" gets permission? And why is this only allowed on site level? Can't I give an app also permission to just a library or list item. Where is my misunderstanding here? And is it possible at all to give certain users SharePoint permissions for a single library through the Graph API?
Sharing and Guest accounts
I have noticed when sharing a folder or file in sharepoint that sometimes a guest account gets created in Azure AD. Is an account only created if you share with someone from outside your organisation that is also using a MS 365 Tenant ? I ask as if I share files with a gmail or ntlworld account they do not get created in AzureAD but I notice other domains do. Thanks for any clarification.