SPN permission to AI agent

I summarized the corrected, error-free PowerShell command sequence based on the latest Microsoft Graph SDK (v2+) syntax. This process creates the application, assigns the Sites.Selected permission, and authorizes the app to edit a specific SharePoint site. I suffered a lot, but finally I got it working. I hope this will save you time and frustration when setting up your AI agent with the necessary permissions to access SharePoint files.

Preparation

Before running the script, replace the following three values with the ones from your environment:

$appName = "SharePoint-File-Editor-App"  # Application name in Azure
$tenantName = "YOUR_TENANT_NAME"         # Example: contoso (the part before .sharepoint.com)
$siteUrl = "SITE_NAME"                   # Example: Marketing (the part after /sites/)

Full corrected command sequence

1. Sign in and create the application

# Sign in with the required administrative scopes
Connect-MgGraph -Scopes "Application.ReadWrite.All", "Directory.ReadWrite.All", "Sites.FullControl.All"

# Register the application
$app = New-MgApplication -DisplayName $appName

# Create the service principal (enterprise application)
$sp = New-MgServicePrincipal -AppId $app.AppId

# Create the client secret with the corrected syntax
$passwordParams = @{
    PasswordCredential = @{
        DisplayName = "AuthSecret"
    }
}
$passwordCredential = Add-MgApplicationPassword -ApplicationId $app.Id -BodyParameter $passwordParams

Write-Host "--- SAVE THESE VALUES ---" -ForegroundColor Yellow
Write-Host "Application (Client) ID: $($app.AppId)"
Write-Host "Client Secret: $($passwordCredential.SecretText)"
Write-Host "------------------------"

2. Assign the Sites.Selected API permission

# Locate the Microsoft Graph API service principal
$graphSp = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"

# Identify the Sites.Selected role for application permissions
$sitesSelectedRole = $graphSp.AppRoles | Where-Object {
    $_.Value -eq "Sites.Selected" -and $_.AllowedMemberTypes -contains "Application"
}

# Assign the permission to the application
$appRoleAssignment = @{
    PrincipalId = $sp.Id
    ResourceId = $graphSp.Id
    AppRoleId = $sitesSelectedRole.Id
}

New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -BodyParameter $appRoleAssignment

3. Identify the SharePoint site and grant access

# Retrieve the internal ID of the target SharePoint site
$site = Get-MgSite -SiteId "$tenantName.sharepoint.com:/sites/$siteUrl"
$targetSiteId = $site.Id

# Grant write access to the application on the specific site
$permissionParams = @{
    roles = @("write")
    grantedToIdentities = @(
        @{
            application = @{
                id = $app.AppId
                displayName = $appName
            }
        }
    )
}

New-MgSitePermission -SiteId $targetSiteId -BodyParameter $permissionParams

Write-Host "SUCCESS: The application can now edit files on the $siteUrl site."
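After the three steps above it is worth confirming that the result is exactly what was intended: the service principal holds only the Sites.Selected application role on Microsoft Graph, the one target site lists the app with the expected roles, and the client secret has a visible expiry. The following verification script is an added example, not part of the original post; it assumes the `$appName`, `$tenantName` and `$siteUrl` values from the Preparation section and an existing `Connect-MgGraph` session with the scopes used in step 1. The `$downgradeToRead` switch is a hypothetical toggle added here to show how an existing grant can be tightened if the agent only needs to read.

```powershell
# Added verification example (not from the original post). Assumes $appName,
# $tenantName and $siteUrl are set as in the Preparation section and that
# Connect-MgGraph has already been run with the scopes from step 1.

# Resolve the app registration and its service principal by display name,
# so this script can run in a fresh session without the $app/$sp variables.
$app = Get-MgApplication -Filter "displayName eq '$appName'"
$sp  = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"

# 1. Graph application roles actually assigned to the service principal.
#    Expected output: exactly one line, "Sites.Selected".
$graphSp = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
    Where-Object { $_.ResourceId -eq $graphSp.Id }
foreach ($a in $assignments) {
    $role = $graphSp.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
    Write-Host ("Graph app role: {0}" -f $role.Value)
}
if ($assignments.Count -ne 1) {
    Write-Warning "Expected a single Graph app role (Sites.Selected); found $($assignments.Count)."
}

# 2. Site-level grants on the target site: which application holds which roles.
$site  = Get-MgSite -SiteId "$tenantName.sharepoint.com:/sites/$siteUrl"
$perms = Get-MgSitePermission -SiteId $site.Id
foreach ($p in $perms) {
    foreach ($identity in $p.GrantedToIdentities) {
        Write-Host ("{0} ({1}) -> {2}" -f $identity.Application.DisplayName,
                                         $identity.Application.Id,
                                         ($p.Roles -join ','))
    }
}
$ourGrant = $perms | Where-Object { $_.GrantedToIdentities.Application.Id -contains $app.AppId }
if (-not $ourGrant) {
    Write-Warning "No grant for $appName found on $siteUrl."
}

# 3. Client secret lifetime: every secret should have an end date you recognise.
foreach ($cred in $app.PasswordCredentials) {
    Write-Host ("Secret '{0}' expires {1:u}" -f $cred.DisplayName, $cred.EndDateTime)
}

# 4. Optional (hypothetical toggle): tighten the existing grant to read-only
#    if the agent does not need to modify files.
$downgradeToRead = $false
if ($downgradeToRead -and $ourGrant) {
    Update-MgSitePermission -SiteId $site.Id -PermissionId $ourGrant.Id -BodyParameter @{ roles = @("read") }
    Write-Host "Grant for $appName on $siteUrl reduced to read."
}
```

Because Sites.Selected on its own grants nothing, step 2 of this check is the one that matters: the app should appear on the single site you intended and on no other. Re-running the script after a rotation or a site change is a cheap way to catch a grant that was left behind.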

This post is licensed under CC BY 4.0 by the author.