Granting Sites.Selected without Sites.FullControl Access

In our Certificate Builder and Synchronizer solution, you will need to temporarily enable the delegated Sites.FullControl access so that these tools can grant Sites.Selected on the specified SharePoint sites themselves. We highly recommend granting the delegated Sites.FullControl access, even temporarily, and letting the tool grant Sites.Selected for you, because that is much easier.

If you do not want to create the permissions that way, the PowerShell script below grants the Zensai enterprise application (Zensai Automation Services) the required Sites.Selected access on the sites you specify.

The Certificate Builder requires Write permission, while the Synchronizer requires Read permission. The script below grants Read; update it accordingly for the Certificate Builder.

Before running the script, update the $SiteUrls variable with the sites you want to grant access to.

# Grant-SitesSelected-Read-Hardcoded.ps1
# ===============================================
# Grants Sites.Selected (READ) to a fixed Entra app for specified SharePoint sites
# Auth model: SharePoint Admin signs in interactively (user context)
# ===============================================

# --- HARD-CODED VALUES -----------------------------------------

# Target app (Zensai Automation Services)
$TargetAppId = "2c3ffbaa-247b-405d-8993-d8884b22b24c"

# Friendly name stored with the permission entry
$TargetAppDisplayName = "Zensai Automation Center (Sites.Selected)"

# List the site collection URLs you want to grant READ access to
# TODO: Replace these example URLs with your real sites
$SiteUrls = @(
  "https://contoso.sharepoint.com/sites/Marketing",
  "https://contoso.sharepoint.com/sites/Finance"
)

# --- END HARD-CODED VALUES ---------------------------------------------------

# Ensure PnP.PowerShell is available
if (-not (Get-Module -ListAvailable -Name PnP.PowerShell)) {
  Write-Host "PnP.PowerShell not found. Installing for current user..." -ForegroundColor Yellow
  Install-Module PnP.PowerShell -Scope CurrentUser -Force
}

Import-Module PnP.PowerShell

foreach ($siteUrl in $SiteUrls) {
  try {
    Write-Host "`nConnecting to $siteUrl ..." -ForegroundColor Cyan
    # Admin user login; this uses your delegated SharePoint Admin rights (not Graph Sites.FullControl.All)
    Connect-PnPOnline -Url $siteUrl -Interactive

    Write-Host "Granting READ to app $TargetAppId on $siteUrl ..." -ForegroundColor Cyan

    # Step 1: initial grant (Grant supports Read/Write directly)
    $grant = Grant-PnPAzureADAppSitePermission `
                -AppId $TargetAppId `
                -DisplayName $TargetAppDisplayName `
                -Site $siteUrl `
                -Permissions Read

    # Step 2: verify the grant by reading it back for this app
    Write-Host "Verifying permission on $siteUrl ..." -ForegroundColor Cyan
    $perm = Get-PnPAzureADAppSitePermission -Site $siteUrl -AppIdentity $TargetAppId

    if ($perm) {
      # The returned permission object exposes the granted levels as Roles (e.g. Read, Write)
      Write-Host ("Verified: {0} (PermissionId: {1})" -f ($perm.Roles -join ', '), $perm.Id) -ForegroundColor Green
    } else {
      Write-Warning "Grant executed, but verification returned no permissions."
    }
  }
  catch {
    Write-Error ("Failed on {0}: {1}" -f $siteUrl, $_.Exception.Message)
  }
}
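The script above only adds a grant. Because the Certificate Builder needs Write while the Synchronizer needs only Read, it is worth checking afterwards that each site holds exactly the level the tool needs and nothing more. The following audit script is an added example, not part of the Zensai script or product; it assumes PnP.PowerShell is installed, that you sign in as a SharePoint Admin, and uses placeholder site URLs. It relies on the Id, Roles and Apps properties that Get-PnPAzureADAppSitePermission returns.

```powershell
# Audit-SitesSelected.ps1 (added example, not part of the original script)
# Lists every app grant on each site, flags apps other than the expected one,
# and flags the expected app when it holds more than the level the tool needs.
param(
  [string[]] $SiteUrls      = @("https://contoso.sharepoint.com/sites/Marketing"), # placeholder
  [string]   $ExpectedAppId = "2c3ffbaa-247b-405d-8993-d8884b22b24c",             # Zensai Automation Services
  [ValidateSet("Read","Write")] [string] $ExpectedRole = "Read",                  # Read = Synchronizer, Write = Certificate Builder
  [switch]   $Remediate     # when set, downgrade the expected app's grant to $ExpectedRole
)

Import-Module PnP.PowerShell

# Rank the Sites.Selected levels so "broader than expected" is a numeric comparison
$RoleRank = @{ read = 1; write = 2; manage = 3; fullcontrol = 4 }

foreach ($siteUrl in $SiteUrls) {
  Connect-PnPOnline -Url $siteUrl -Interactive
  # Without -AppIdentity this returns every app grant present on the site
  $grants = @(Get-PnPAzureADAppSitePermission -Site $siteUrl)

  foreach ($g in $grants) {
    $appIds  = @($g.Apps | ForEach-Object { $_.Id })
    $roles   = @($g.Roles)
    $maxRank = ($roles | ForEach-Object { $RoleRank[$_.ToLower()] } |
                Where-Object { $_ } | Measure-Object -Maximum).Maximum

    if ($appIds -notcontains $ExpectedAppId) {
      # A grant this procedure did not create: report it for review, never change it automatically
      Write-Warning ("{0}: unexpected app {1} holds {2} (PermissionId {3})" -f
                     $siteUrl, ($appIds -join ','), ($roles -join ','), $g.Id)
      continue
    }

    if ($maxRank -gt $RoleRank[$ExpectedRole.ToLower()]) {
      Write-Warning ("{0}: {1} holds {2}, but only {3} is required" -f
                     $siteUrl, $ExpectedAppId, ($roles -join ','), $ExpectedRole)
      if ($Remediate) {
        # Set- replaces the role list on an existing grant (Read, Write, Manage or FullControl)
        Set-PnPAzureADAppSitePermission -Site $siteUrl -PermissionId $g.Id -Permissions $ExpectedRole
        Write-Host "  Downgraded to $ExpectedRole" -ForegroundColor Yellow
      }
    } else {
      Write-Host ("{0}: {1} holds {2} (OK)" -f $siteUrl, $ExpectedAppId, ($roles -join ',')) -ForegroundColor Green
    }
  }
}
```

Run it without -Remediate first to see the report; re-run with -Remediate only for the tool whose required level you have confirmed.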