SharePoint - Restrictive Permissions (App Registration)
This guide walks you through securely connecting SharePoint to Couchdrop using an application registered in Microsoft Entra, with access restricted to a specific site using the Sites.Selected permission.
Prerequisites
Access to Microsoft Entra Admin Center
Admin rights to register apps and grant tenant-wide permissions
Access to Microsoft Graph Explorer
Steps
The process has three main steps that will be explained in detail.
Configuring an Application in Entra
Granting Site permissions to the Application in Microsoft Graph Explorer
Connecting to SharePoint in Couchdrop using the configured Application
Configuring an Application in Entra
1. Register a New Application
Go to entra.microsoft.com
Navigate to App registrations → + New registration
Enter a name (e.g., Couchdrop-SharePoint)
Leave all other options as default, then click Register
2. Copy your new Client ID and Tenant ID
After registration, you will be taken to a settings page for your new app. Copy the following from the Overview tab:
Application (client) ID
Directory (tenant) ID
3. Create a Client Secret
Go to Certificates & secrets
Click + New client secret
Provide a description (e.g., CouchdropSecret), select expiry, and click Add
Copy the Value before leaving this screen (it won’t be shown again)
4. Assign API Permissions
A. Microsoft Graph API
Navigate to API permissions → + Add a permission
Select Microsoft Graph → Application permissions
Find and check Sites.Selected
Click Add permissions
B. SharePoint API
Navigate to API permissions → + Add a permission
Select SharePoint → Application permissions
Under Application permissions, check Sites.Selected
Click Add permissions
C. Grant Consent
Click Grant admin consent for [Your Org]
Granting site permissions to App via Microsoft Graph Explorer
1. Retrieve the Site ID
To find the SharePoint site's ID, open the following URL in your browser, replacing the elements in angle brackets with your tenant and site names.
https://<tenant>.sharepoint.com/sites/<siteName>/_api/site/id
Example:
https://couchdropdemo.sharepoint.com/sites/MySite/_api/site/id
This will return an XML object containing the Site ID:
<d:Id xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata" xmlns:georss="http://www.georss.org/georss" xmlns:gml="http://www.opengis.net/gml" m:type="Edm.Guid">29cf2814-a045-4b48-8b1b-6bd01f57d632</d:Id>
2. Sign in to Graph Explorer
Visit Graph Explorer
Sign in with your Microsoft account
Click the user icon (top-right) → Consent to permissions
Scroll down and grant Sites.FullControl.All to your user
3. Send the Permission Grant Request
ENDPOINT
POST https://graph.microsoft.com/v1.0/sites/{site_id}/permissions
BODY
Replace:
{site_id} with the GUID you retrieved earlier
<APPLICATION_CLIENT_ID> with your app’s Client ID
<APPLICATION_DISPLAY_NAME> with your app name (e.g., Couchdrop-SharePoint)
{
  "roles": ["write"],
  "grantedToIdentities": [
    {
      "application": {
        "id": "<APPLICATION_CLIENT_ID>",
        "displayName": "<APPLICATION_DISPLAY_NAME>"
      }
    }
  ]
}
Click Run Query. A successful response will return 201 Created.
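The two steps above (reading the site ID out of the XML response, then filling in the grant request) can be scripted so that a malformed GUID or an over-broad role is caught before anything is sent. This is an added example, not Couchdrop or Microsoft code; the function names, the placeholder client ID and the rule that only "read" or "write" may be requested are assumptions of this example.

```python
import json
import uuid
import xml.etree.ElementTree as ET

GRAPH_SITES = "https://graph.microsoft.com/v1.0/sites"
# Policy assumption of this example: never request more than the guide's "write".
ALLOWED_ROLES = {"read", "write"}


def parse_site_id(xml_text):
    """Extract the site GUID from the <d:Id> element returned by /_api/site/id."""
    root = ET.fromstring(xml_text)
    if not root.tag.endswith("}Id") or not root.text:
        raise ValueError("response is not a <d:Id> element")
    return str(uuid.UUID(root.text.strip()))  # ValueError on a malformed GUID


def build_grant_request(site_id, client_id, display_name, role="write"):
    """Return (url, json_body) for POST /sites/{site_id}/permissions."""
    if role not in ALLOWED_ROLES:
        raise ValueError(f"role {role!r} exceeds what this guide grants")
    site_id = str(uuid.UUID(site_id))      # both identifiers must be GUIDs
    client_id = str(uuid.UUID(client_id))
    if not display_name.strip():
        raise ValueError("display name is required")
    body = {
        "roles": [role],
        "grantedToIdentities": [
            {"application": {"id": client_id, "displayName": display_name}}
        ],
    }
    return f"{GRAPH_SITES}/{site_id}/permissions", json.dumps(body, indent=2)


# The guide's example response, trimmed to the two namespaces the element uses.
SAMPLE_XML = (
    '<d:Id xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" '
    'xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata" '
    'm:type="Edm.Guid">29cf2814-a045-4b48-8b1b-6bd01f57d632</d:Id>'
)
# Constructed placeholder client ID, not a real application.
SAMPLE_CLIENT_ID = "00000000-0000-0000-0000-000000000001"

if __name__ == "__main__":
    url, body = build_grant_request(
        parse_site_id(SAMPLE_XML), SAMPLE_CLIENT_ID, "Couchdrop-SharePoint")
    print("POST", url)
    print(body)
```

The printed URL and body can be pasted into Graph Explorer as the endpoint and request body.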
Connecting to SharePoint in Couchdrop using the configured Application
1. Return to Couchdrop and choose to create a new SharePoint connector.
2. Uncheck the option to use Delegated OAUTH Access so that the connector uses Application Access instead.
3. Complete the configuration using:
SharePoint Domain
Client ID
Directory (Tenant) ID
Client Secret
4. You must then “Choose a folder” and manually specify the SharePoint subfolder path. This ensures Couchdrop connects to the exact SharePoint site you granted access to via Sites.Selected.
Folder Path Syntax
/SharePointSite:/sites/<siteName>:/Documents/<optional-subfolder-path>
5. Click Test to verify that you have successfully assigned access. Select Add Integration to complete the process.