如何限制 SharePoint API 权限仅限于特定站点。

huangapple go评论68阅读模式
英文:

How to ristrict SharePoint API permission to a specific site

问题

如何将SharePoint API权限限制在特定站点上。我可以看到有一个名为Sites.Selected的权限,但没有选择站点的选项。我需要在代码级别选择它吗,还是可以从门户中选择它?

英文:

How to restrict the SharePoint API permission to a specific site. I can see there is a a permission called Sites.Selected but there is no option to select the site. Do I need to select it at the code level or can we select it from the portal?

答案1

得分: 1

我尝试在我的环境中复制相同的操作,并成功获得以下结果:

我创建了一个Azure AD应用程序并授予了API权限:

如何限制 SharePoint API 权限仅限于特定站点。

为了将SharePoint API权限限制为特定站点,我使用了以下PowerShell脚本:

$siteUrl = “https://xxx.sharepoint.com/sites/testruk”
$clientId = “应用客户端ID” 
$certThumbprint = “指纹” 
$tenant = “xxx.onmicrosoft.com”

Connect-PnPOnline -Url $siteUrl -Interactive
$writeperm = Grant-PnPAzureADAppSitePermission -Permissions “Write” -Site $siteUrl -AppId $clientId -DisplayName “PowerShell-SharepointOnline”
$PermissionId = Get-PnPAzureADAppSitePermission -AppIdentity $clientId
Set-PnPAzureADAppSitePermission -Site $siteurl -PermissionId $(($PermissionId).Id) -Permissions “FullControl”

如何限制 SharePoint API 权限仅限于特定站点。

现在,我尝试连接到SharePoint站点,成功访问如下

Connect-PnPOnline -Url $siteUrl -ClientId $clientId -Thumbprint $certThumbprint -Tenant $tenant
Get-PnPList

如何限制 SharePoint API 权限仅限于特定站点。

当我尝试访问另一个SharePoint站点时,出现错误如下:

Connect-PnPOnline -Url $siteUrl -ClientId $clientId -Thumbprint $certThumbprint -Tenant $tenant
Get-PnPList

如何限制 SharePoint API 权限仅限于特定站点。

您还可以使用以下Graph API查询

POST https://graph.microsoft.com/v1.0/sites/{siteId}/permissions

Content-Type: application/json
{

  "roles": ["write"],

  "grantedToIdentities": [{

    "application": {

      "id": "应用ID",

      "displayName": "应用名称"

    }

  }]

}

参考链接:

在特定SharePoint站点上控制应用程序访问 - Microsoft Graph

英文:

I tried to reproduce the same in my environment and got the results successfully like below:

I created an Azure AD Application and granted API permissions:

如何限制 SharePoint API 权限仅限于特定站点。

To restrict the SharePoint API permission to a specific site, I used the below PowerShell script:

$siteUrl = “https://xxx.sharepoint.com/sites/testruk”
$clientId = “AppClientID” 
$certThumbprint = “Thumbprint” 
$tenant = “xxx.onmicrosoft.com”

Connect-PnPOnline -Url $siteUrl -Interactive
$writeperm = Grant-PnPAzureADAppSitePermission -Permissions “Write” -Site $siteUrl -AppId $clientId -DisplayName “PowerShell-SharepointOnline”
$PermissionId = Get-PnPAzureADAppSitePermission -AppIdentity $clientId
Set-PnPAzureADAppSitePermission -Site $siteurl -PermissionId $(($PermissionId).Id) -Permissions “FullControl”

如何限制 SharePoint API 权限仅限于特定站点。

Now, I tried to connect to the SharePoint site and I am able to access it successfully like below:

Connect-PnPOnline -Url $siteUrl -ClientId $clientId -Thumbprint $certThumbprint -Tenant $tenant
Get-PnPList

如何限制 SharePoint API 权限仅限于特定站点。

When I tried to access another SharePoint site, I got the error like below:

Connect-PnPOnline -Url $siteUrl -ClientId $clientId -Thumbprint $certThumbprint -Tenant $tenant
Get-PnPList

如何限制 SharePoint API 权限仅限于特定站点。

You can also make use of Graph API query like below:

POST https://graph.microsoft.com/v1.0/sites/{siteId}/permissions

Content-Type: application/json
{

  "roles": ["write"],

  "grantedToIdentities": [{

    "application": {

      "id": "APPID",

      "displayName": "APPName"

    }

  }]

}

Reference:

Controlling app access on a specific SharePoint site - Microsoft Graph

答案2

得分: 0

Quite a new feature, the only way to actually "select" the sites for which the permissions apply is through a Microsoft Graph Rest API call.

You'll find a nice article here Devblog Microsoft and the official document Microsoft Graph Permissions.

I haven't use this API yet though, so I can't give you more detailed instructions.

1: Devblog Microsoft
2: Microsoft Graph Permissions

英文:

Quite a new feature, the only way to actually "select" the sites for which the permissions apply is through a Microsoft Graph Rest API call.

You'll find a nice article here Devblog Microsoft and the official document Microsoft Graph Permissions.

I haven't use this API yet though, so I can't give you more detailled instructions.

答案3

得分: 0

根据Set-PnPAzureADAppSitePermission的文档,显然需要拥有Sites.FullControl.All GraphAPI访问权限来执行Rukmini的说明,那么我是否遗漏了什么?如果是这样,可能不能解决完全访问整个租户的范围问题。

英文:

I read the documentation for Set-PnPAzureADAppSitePermission and apparently you need anyway Sites.FullControl.All GraphAPI access to do the instructions as per Rukmini, so am I missing something? Because if so, it might not solve the scope concern of having full access to the entire tenant.

huangapple
  • 本文由 发表于 2023年3月15日 17:46:36
  • 转载请务必保留本文链接:https://go.coder-hub.com/75742965.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定