SharePoint - Restrictive Permissions (App Registration)

This guide walks you through securely connecting SharePoint to Couchdrop using an application registered in Microsoft Entra, with access restricted to a specific site using the Sites.Selected permission.


Prerequisites

Steps

The process has three main steps that will be explained in detail.

  1. Configuring an Application in Entra

  2. Granting Site permissions to the Application in Microsoft Graph Explorer

  3. Connecting to SharePoint in Couchdrop using the configured Application


Configuring an Application in Entra

1. Register a New Application

  1. Navigate to App registrations → + New registration

  2. Enter a name (e.g., Couchdrop-SharePoint)

  3. Leave all other options as default, then click Register


2. Copy your new Client ID and Tenant ID

After registration, you will be taken to a settings page for your new app. Copy the following from the Overview tab:

  • Application (client) ID

  • Directory (tenant) ID


3. Create a Client Secret

  1. Go to Certificates & secrets

  2. Click + New client secret

  3. Provide a description (e.g., CouchdropSecret), select expiry, and click Add

  4. Copy the Value before leaving this screen (it won’t be shown again)


4. Assign API Permissions

A. Microsoft Graph API

  1. Navigate to API permissions → + Add a permission

  2. Select Microsoft Graph → Application permissions

  3. Find and check Sites.Selected

  4. Click Add permissions

B. SharePoint API

  1. Navigate to API permissions → + Add a permission

  2. Select SharePoint → Application permissions

  3. Under Application permissions, check Sites.Selected

  4. Click Add permissions

C. Grant Consent

  • Click Grant admin consent for [Your Org]


Granting site permissions to App via Microsoft Graph Explorer

1. Retrieve the Site ID

To find the SharePoint site's ID, open the following URL in your browser, replacing the elements in angle brackets with your tenant and site information.

https://<tenant>.sharepoint.com/sites/<siteName>/_api/site/id

Example:

https://couchdropdemo.sharepoint.com/sites/MySite/_api/site/id

This will return an XML object containing the Site ID:

<d:Id xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata" xmlns:georss="http://www.georss.org/georss" xmlns:gml="http://www.opengis.net/gml" m:type="Edm.Guid">29cf2814-a045-4b48-8b1b-6bd01f57d632</d:Id>

2. Sign in to Graph Explorer

  1. Sign in with your Microsoft account

  2. Click the user icon (top-right) → Consent to permissions

  3. Scroll down and grant Sites.FullControl.All to your user


3. Send the Permission Grant Request

ENDPOINT

POST https://graph.microsoft.com/v1.0/sites/{site_id}/permissions

BODY

Replace:

  • {site_id} with the GUID you retrieved earlier

  • <APPLICATION_CLIENT_ID> with your app’s Client ID

  • <APPLICATION_DISPLAY_NAME> with your app name (e.g., Couchdrop-SharePoint)

{
  "roles": ["write"],
  "grantedToIdentities": [
    {
      "application": {
        "id": "<APPLICATION_CLIENT_ID>",
        "displayName": "<APPLICATION_DISPLAY_NAME>"
      }
    }
  ]
}

Click Run Query. A successful response will return 201 Created.
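
The grant request from steps 1 to 3 can be assembled and checked offline before it is pasted into Graph Explorer. The Python below is an added example, not Couchdrop's or Microsoft's code; the function names, the role allow-list and the sample client ID are assumptions made for illustration.

```python
import json
import uuid
import xml.etree.ElementTree as ET

GRAPH = "https://graph.microsoft.com/v1.0"
# Policy choice for this example: the page's "write" role, or the narrower "read".
ALLOWED_ROLES = {"read", "write"}

# Constructed sample: the XML shape returned by /_api/site/id, with the page's example GUID.
SAMPLE_SITE_ID_XML = (
    '<d:Id xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" '
    'xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata" '
    'm:type="Edm.Guid">29cf2814-a045-4b48-8b1b-6bd01f57d632</d:Id>'
)

def _guid(value, label):
    """Return the canonical lowercase GUID, or raise ValueError naming the field."""
    try:
        return str(uuid.UUID(value.strip()))
    except (ValueError, AttributeError):
        raise ValueError(f"{label} is not a GUID: {value!r}") from None

def site_id_from_xml(xml_text):
    """Extract the site GUID from the <d:Id> element returned by /_api/site/id."""
    root = ET.fromstring(xml_text)
    if not root.tag.endswith("}Id"):
        raise ValueError(f"unexpected root element: {root.tag}")
    return _guid(root.text or "", "site id")

def build_grant_request(site_id_xml, client_id, display_name, role="write"):
    """Return (method, url, json_body) for the Sites.Selected permission grant."""
    if role not in ALLOWED_ROLES:
        raise ValueError(f"role {role!r} is outside {sorted(ALLOWED_ROLES)}")
    if not display_name or display_name.startswith("<"):
        raise ValueError("display name is empty or still a placeholder")
    app = {"id": _guid(client_id, "client id"), "displayName": display_name}
    body = {"roles": [role], "grantedToIdentities": [{"application": app}]}
    url = f"{GRAPH}/sites/{site_id_from_xml(site_id_xml)}/permissions"
    return "POST", url, json.dumps(body, indent=2)

if __name__ == "__main__":
    # Constructed client ID; substitute the Application (client) ID from the Overview tab.
    method, url, body = build_grant_request(
        SAMPLE_SITE_ID_XML, "11111111-2222-3333-4444-555555555555", "Couchdrop-SharePoint")
    print(method, url)
    print(body)
```

A leftover placeholder such as `<APPLICATION_CLIENT_ID>`, or a role outside the allow-list, raises `ValueError` instead of producing a request.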


Connecting to SharePoint in Couchdrop using the configured Application

  1. Return to Couchdrop and choose to create a new SharePoint connector.

  2. Uncheck the option to use Delegated OAUTH Access so that the connector connects via Application Access.

  3. Complete the configuration using:

  • SharePoint Domain

  • Client ID

  • Directory (Tenant) ID

  • Client Secret

  4. You must then “Choose a folder” and manually specify the SharePoint subfolder path. This ensures Couchdrop connects to the exact SharePoint site you granted access to via Sites.Selected.

Folder Path Syntax

/SharePointSite:/sites/<siteName>:/Documents/<optional-subfolder-path>

  5. Click Test to verify that you have successfully assigned access. Select Add Integration to complete the process.
