SharePoint - Restrictive Permissions (App Registration)

This guide walks you through securely connecting SharePoint to CouchDrop using an application registered in Microsoft Entra, with access restricted to a specific site using Sites.Selected permissions.


Prerequisites


Setup

1. Register a New Application

  1. Navigate to App registrations → + New registration

  2. Enter a name (e.g., CouchDrop-SharePoint)

  3. Leave all other options as default, then click Register


2. Copy your new Client ID and Tenant ID

After registration, copy the following from the Overview tab:

  • Application (client) ID

  • Directory (tenant) ID


3. Create a Client Secret

  1. Go to Certificates & secrets

  2. Click + New client secret

  3. Provide a description (e.g., CouchDropSecret), select expiry, and click Add

  4. Copy the Value immediately (it won’t be shown again)


4. Assign API Permissions

A. Microsoft Graph API

  1. Navigate to API permissions → + Add a permission

  2. Select Microsoft Graph → Application permissions

  3. Find and check Sites.Selected

  4. Click Add permissions

B. SharePoint API

  1. Navigate to API permissions → + Add a permission

  2. Select SharePoint → Application permissions

  3. Under Application permissions, check Sites.Selected

  4. Click Add permissions

C. Grant Consent

  • Click Grant admin consent for [Your Org]


5. Grant site permissions to App via Microsoft Graph Explorer

A. Retrieve the Site ID

To find the SharePoint site's ID, open the following URL in your browser.

https://<tenant>.sharepoint.com/sites/<siteName>/_api/site/id

Example:

https://couchdropdemo.sharepoint.com/sites/MySite/_api/site/id

This will return an XML object containing the site ID:

<d:Id xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata" xmlns:georss="http://www.georss.org/georss" xmlns:gml="http://www.opengis.net/gml" m:type="Edm.Guid">29cf2814-a045-4b48-8b1b-6bd01f57d632</d:Id>

B. Sign in to Graph Explorer

  1. Sign in with your Microsoft account

  2. Click the user icon (top-right) → Consent to permissions

  3. Scroll down and grant Sites.FullControl.All to your user


C. Send the Permission Grant Request

Endpoint:

POST https://graph.microsoft.com/v1.0/sites/{site_id}/permissions

Body:

{
  "roles": ["write"],
  "grantedToIdentities": [
    {
      "application": {
        "id": "<APPLICATION_CLIENT_ID>",
        "displayName": "<APPLICATION_DISPLAY_NAME>"
      }
    }
  ]
}

Replace:

  • {site_id} with the GUID you retrieved earlier

  • <APPLICATION_CLIENT_ID> with your app’s Client ID

  • <APPLICATION_DISPLAY_NAME> with your app name (e.g., CouchDrop-SharePoint)

Click Run Query. A successful response will return 201 Created.
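
The following is an added example, not part of the original guide or CouchDrop's own code: it extracts the site ID from the XML response in step A, builds the step C request with GUID and role validation, and checks that the 201 response names only the intended app with exactly the requested roles. The client ID, the 201 response body, the helper names and the read/write role allow-list are constructed assumptions.

```python
import json
import uuid
import xml.etree.ElementTree as ET

GRAPH = "https://graph.microsoft.com/v1.0"
ALLOWED_ROLES = {"read", "write"}  # assumption: this helper refuses broader roles

# Site ID response from the guide (unused namespaces trimmed); other values constructed.
SAMPLE_XML = ('<d:Id xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" '
              'xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata" '
              'm:type="Edm.Guid">29cf2814-a045-4b48-8b1b-6bd01f57d632</d:Id>')
SAMPLE_CLIENT_ID = "00000000-1111-2222-3333-444444444444"  # constructed placeholder
SAMPLE_201 = json.dumps({  # constructed 201 Created response body
    "id": "constructed-permission-id", "roles": ["write"],
    "grantedToIdentities": [{"application": {
        "id": SAMPLE_CLIENT_ID, "displayName": "CouchDrop-SharePoint"}}]})


def site_id_from_xml(xml_text):
    """Extract the site GUID from the _api/site/id XML response."""
    text = (ET.fromstring(xml_text).text or "").strip()
    return str(uuid.UUID(text))  # raises ValueError if the value is not a GUID


def build_grant(site_id, client_id, display_name, roles=("write",)):
    """Return (url, body) for the POST in step C; reject malformed IDs or roles."""
    site_id, client_id = str(uuid.UUID(site_id)), str(uuid.UUID(client_id))
    extra = set(roles) - ALLOWED_ROLES
    if extra:
        raise ValueError(f"role(s) not allowed by this helper: {sorted(extra)}")
    body = {"roles": list(roles), "grantedToIdentities": [
        {"application": {"id": client_id, "displayName": display_name}}]}
    return f"{GRAPH}/sites/{site_id}/permissions", body


def grant_matches(response_json, client_id, roles):
    """True only if the response names our app alone with exactly these roles."""
    resp = json.loads(response_json)
    apps = [str((i.get("application") or {}).get("id") or "").lower()
            for i in resp.get("grantedToIdentities", [])]
    return apps == [client_id.lower()] and sorted(resp.get("roles", [])) == sorted(roles)


if __name__ == "__main__":
    sid = site_id_from_xml(SAMPLE_XML)
    url, body = build_grant(sid, SAMPLE_CLIENT_ID, "CouchDrop-SharePoint")
    print("POST", url)
    print(json.dumps(body, indent=2))
    print("grant as requested:", grant_matches(SAMPLE_201, SAMPLE_CLIENT_ID, ["write"]))
```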


6. Finalize Setup in CouchDrop

Return to CouchDrop and complete the SharePoint connector configuration using:

  • SharePoint Domain

  • Client ID

  • Directory (Tenant) ID

  • Client Secret

You must then “Choose a folder” and manually specify the SharePoint subfolder path. This ensures CouchDrop connects to the exact SharePoint site you granted access to via Sites.Selected.

Folder Path Syntax

/SharePointSite:/sites/<siteName>:/Documents/<optional-subfolder-path>

Click Test to verify that you have successfully assigned access. Click Save and Test to complete the process.
