NextStage supports integrating with the two SharePoint permission scopes, Sites.ReadWrite.All and Sites.Selected. The Sites.Selected permission allows an external app (like NextStage) to access only specific SharePoint sites, rather than all sites in the tenant.
Using Sites.Selected creates overhead for IT teams, since there is no way to allow applications to create sites.
Prerequisites
You’ll need:
- NextStage account with the Admin role: to enforce the Sites.Selected permission model in your workspace.
- Azure AD App Registration Owner: to create and configure the external app in Azure.
- Global Administrator / Privileged Role Admin: to consent to the application permissions.
- SharePoint Administrator / Site Collection Administrator: to grant site-level permissions to the app once it has Sites.Selected.
Step 1: Enforce Sites.Selected in your Workspace
Log in to NextStage and navigate to the admin integrations page.
Click "Microsoft SharePoint" and select "Access selected sites only".
Step 2: Register the NextStage Application in Azure
Go to Pipeline and select any opportunity. If one has not been created, we recommend creating a dummy opportunity.
Inside the opportunity, click on the "Documents" tab, and you should see a button to enable the SharePoint integration. Click on it to register the application.
At this point, you will need an Azure Owner to enable the application.
If you have previously registered the application with the ReadWriteAll scope, we recommend deleting the registration before doing this.
Verify the application is requesting the Sites.Selected scope and complete the registration.
Step 3: Give the NextStage Azure App access to specific sites
SharePoint does not provide a way in its UI to give applications access to sites, so this has to be done through PowerShell or the Graph API. This must be completed for each site you want to make available to NextStage.
PowerShell Example:

    Grant-PnPAzureADAppSitePermission `
        -AppId "<app-client-id>" `
        -DisplayName "<app-name>" `
        -Site "https://<tenant>.sharepoint.com/sites/<siteName>" `
        -Permissions Write

You can also set the permissions to "Read".
Graph API Example:

    POST https://graph.microsoft.com/v1.0/sites/{site-id}/permissions
    Content-Type: application/json
    Authorization: Bearer <accessToken>

    {
      "roles": ["write"],
      "grantedToIdentitiesV2": [
        {
          "application": {
            "id": "<app-client-id>",
            "displayName": "<app-name>"
          }
        }
      ]
    }

Use "roles": ["read"] instead of ["write"] for read-only access.
For the Graph API, make sure you authenticate using credentials that have the permissions to grant the NextStage application access to the SharePoint site. If none exist, we recommend creating a short-lived admin application.
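A way to apply Step 3 across several sites in one pass, as an added example rather than NextStage's own script: it checks for an existing grant before granting, so re-running it does not create duplicate permission entries, and prints the final state for review. It assumes the PnP.PowerShell module, a sign-in as SharePoint Administrator or Site Collection Administrator, and the -AppIdentity filter on Get-PnPAzureADAppSitePermission; every <...> value is a placeholder.

```powershell
# Added example, not part of NextStage's documentation: grant the NextStage app
# Sites.Selected access to a list of sites, skip sites that already have a grant,
# and report what the tenant actually holds afterwards.
# Assumptions: PnP.PowerShell is installed; the -AppIdentity filter on
# Get-PnPAzureADAppSitePermission; the -ClientId passed to Connect-PnPOnline is
# your own PnP app registration. Replace every <...> value.

$AppId      = "<app-client-id>"   # client id of the NextStage app registration
$AppName    = "<app-name>"        # display name recorded on the grant
$Permission = "Write"             # use "Read" if NextStage only needs to read documents
$Sites      = @(                  # constructed sample list; replace with your sites
    "https://<tenant>.sharepoint.com/sites/<siteName1>",
    "https://<tenant>.sharepoint.com/sites/<siteName2>"
)

# Sign in once as an admin; the same connection is reused for every site below.
Connect-PnPOnline -Url $Sites[0] -Interactive -ClientId "<pnp-client-id>"

$report = foreach ($site in $Sites) {
    # An existing entry for this app means the grant was already done; do not duplicate it.
    $existing = Get-PnPAzureADAppSitePermission -Site $site -AppIdentity $AppId
    if ($existing) {
        [pscustomobject]@{
            Site   = $site
            Action = "unchanged"
            Roles  = ($existing.Roles -join ",")
        }
        continue
    }

    try {
        $grant = Grant-PnPAzureADAppSitePermission -AppId $AppId -DisplayName $AppName `
                     -Site $site -Permissions $Permission
        [pscustomobject]@{ Site = $site; Action = "granted"; Roles = ($grant.Roles -join ",") }
    }
    catch {
        # Typical causes: not a site collection admin on this site, or a mistyped URL.
        [pscustomobject]@{ Site = $site; Action = "FAILED: $($_.Exception.Message)"; Roles = "" }
    }
}

# Review the result: every site NextStage should reach, with the role you intended, and nothing more.
$report | Format-Table -AutoSize
```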
Step 4: Add the site to NextStage
In Admin > Integrations, navigate to the SharePoint configuration and add all the Site IDs that should be available to users.