# SharePoint - Restrictive Permissions (App Registration)

This guide walks you through securely connecting SharePoint to Couchdrop using an application registered in Microsoft Entra, with access restricted to a specific site using the `Sites.Selected` permission. Unlike `Sites.ReadWrite.All`, `Sites.Selected` gives the application no site access on its own: each site must be granted explicitly (step 2 below), so the application can reach only the sites you list there.

***

### Prerequisites

* Access to [Microsoft Entra Admin Center](https://entra.microsoft.com/)
* Admin rights to register apps and grant admin consent for application permissions
* Access to [Microsoft Graph Explorer](https://developer.microsoft.com/en-us/graph/graph-explorer)

#### Steps

The process has three main steps that will be explained in detail.

1. Configuring an Application in Entra
2. Granting Site permissions to the Application in Microsoft Graph Explorer
3. Connecting to SharePoint in Couchdrop using the configured Application

***

### Configuring an Application in Entra

#### 1. Register a New Application

1. Go to [**entra.microsoft.com**](https://entra.microsoft.com/)
2. Navigate to **App registrations** → **+ New registration**
3. Enter a name (e.g., `Couchdrop-SharePoint`)
4. Leave all other options as default, then click **Register**

***

#### 2. Copy your new Client ID and Tenant ID

After registration, you will be taken to a settings page for your new app. Copy the following from the **Overview** tab:

* **Application (client) ID**
* **Directory (tenant) ID**

***

#### 3. Create a Client Secret

1. Go to **Certificates & secrets**
2. Click **+ New client secret**
3. Provide a description (e.g., `CouchdropSecret`), choose the shortest expiry your rotation process supports, and click **Add**. Note the expiry date: the connector stops working when the secret lapses.
4. Copy the **Value** *before leaving this screen* **(it won't be shown again)** and store it in a secrets manager rather than in chat or e-mail

***

#### 4. Assign API Permissions

**Microsoft Graph API**

1. Navigate to **API permissions** → **+ Add a permission**
2. Select **Microsoft Graph** → **Application permissions**
3. Find and check `Sites.Selected`
4. Click **Add permissions**
5. Click the checkmark **Grant admin consent for \[Your Org]**

***

### Granting site permissions to App via Microsoft Graph Explorer

#### **1. Retrieve the Site ID**

To find the SharePoint site's ID, open the following URL in your browser and replace elements in brackets with your tenant and Site information.

```
https://<tenant>.sharepoint.com/sites/<siteName>/_api/site/id
```

Example:

```
https://couchdropdemo.sharepoint.com/sites/MySite/_api/site/id
```

This returns an XML element whose text is the site collection ID (a GUID):

```xml
<d:Id xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata" xmlns:georss="http://www.georss.org/georss" xmlns:gml="http://www.opengis.net/gml" m:type="Edm.Guid">29cf2814-a045-4b48-8b1b-6bd01f57d632</d:Id>
```

Microsoft Graph accepts this GUID directly as `{site_id}` in the requests below. If you prefer to stay in Graph, `GET https://graph.microsoft.com/v1.0/sites/<tenant>.sharepoint.com:/sites/<siteName>` returns the same site; its `id` property has the form `hostname,siteCollectionId,webId`, and Graph accepts either form.

***

#### **2. Sign in to Graph Explorer**

1. Visit [**Graph Explorer**](https://developer.microsoft.com/en-us/graph/graph-explorer)
2. Sign in with your Microsoft account
3. Click the **user icon** (top-right) → **Consent to permissions**
4. Scroll down and **grant `Sites.FullControl.All`** to your user. This consents the Graph Explorer application to act with that delegated permission on your behalf; it is only needed for the grant requests below, so revoke it afterwards from the Graph Explorer entry under **Enterprise applications** if your tenant does not otherwise allow it.

***

#### **3. Send Permission Grant Request (for a specific site)**

**ENDPOINT**

```
POST https://graph.microsoft.com/v1.0/sites/{site_id}/permissions
```

**BODY**

**Replace:**

* `{site_id}` with the GUID you retrieved earlier
* `<APPLICATION_CLIENT_ID>` with your app’s Client ID
* `<APPLICATION_DISPLAY_NAME>` with your app name (e.g., `Couchdrop-SharePoint`)

```json
{
  "roles": ["write"],
  "grantedToIdentities": [
    {
      "application": {
        "id": "<APPLICATION_CLIENT_ID>",
        "displayName": "<APPLICATION_DISPLAY_NAME>"
      }
    }
  ]
}
```

Click **Run Query**. A successful response will return `201 Created` with the new permission object; keep its `id`, because `DELETE /sites/{site_id}/permissions/{permission_id}` revokes the grant later and `GET /sites/{site_id}/permissions` lists every application currently granted on the site. If the connector only needs to read from the site, use `"roles": ["read"]` instead of `write`.

***

#### **4. Send Permission Grant Request (root site)**

This grant is in addition to the site-specific one above and gives the application the same `write` role on the tenant root site collection, so include it when reviewing the application's effective scope.

**ENDPOINT**

```
POST https://graph.microsoft.com/v1.0/sites/root/permissions
```

**BODY**

**Replace:**

* `<APPLICATION_CLIENT_ID>` with your app’s Client ID
* `<APPLICATION_DISPLAY_NAME>` with your app name (e.g., `Couchdrop-SharePoint`)

```json
{
  "roles": ["write"],
  "grantedToIdentities": [
    {
      "application": {
        "id": "<APPLICATION_CLIENT_ID>",
        "displayName": "<APPLICATION_DISPLAY_NAME>"
      }
    }
  ]
}
```

Click **Run Query**. A successful response will return `201 Created`.
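As an added example that is not part of this guide, Couchdrop's tooling, or any Microsoft SDK, the script below performs the three Graph Explorer steps above with plain HTTP and adds the two checks a practitioner would want: it lists the grant back to confirm the application and role, then obtains a client-credentials token for the registered app and confirms that token is accepted on the granted site and refused (`403`) on a site that was not granted. It assumes a delegated admin token with `Sites.FullControl.All` in `ADMIN_TOKEN` (Graph Explorer shows one on its **Access token** tab), the tenant, client ID and secret in environment variables, and optionally `OTHER_SITE_ID` for the negative check; the environment variable names, helper names and the sample responses embedded for offline testing are assumptions of this example.

```python
"""Grant a Sites.Selected app access to one SharePoint site and verify the scope.

Added example (not from the Couchdrop guide or any Microsoft SDK): the Graph
Explorer steps above done with plain HTTP, plus the checks a reviewer wants.
Assumed inputs are read from the environment variables named at the bottom.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

GRAPH = "https://graph.microsoft.com/v1.0"
ODATA_NS = "{http://schemas.microsoft.com/ado/2007/08/dataservices}"
ALLOWED_ROLES = {"read", "write"}  # deliberately limited to the roles this guide uses

# Constructed sample responses so the parsing helpers can be exercised offline.
SAMPLE_SITE_ID_XML = (
    '<d:Id xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" '
    'xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata" '
    'm:type="Edm.Guid">29cf2814-a045-4b48-8b1b-6bd01f57d632</d:Id>'
)
APP_ID = "11111111-2222-3333-4444-555555555555"  # placeholder client ID
SAMPLE_PERMISSIONS_PAGE = {  # shaped like GET /sites/{site_id}/permissions
    "value": [
        {"id": "perm-a", "roles": ["write"],
         "grantedToIdentitiesV2": [{"application": {"id": APP_ID, "displayName": "Couchdrop-SharePoint"}}]},
        {"id": "perm-b", "roles": ["read"],
         "grantedToIdentities": [{"application": {"id": "99999999-8888-7777-6666-555555555555",
                                                  "displayName": "Other app"}}]},
    ]
}


def parse_site_id(xml_text):
    """Extract the site collection GUID from the /_api/site/id XML response."""
    root = ET.fromstring(xml_text)
    if root.tag != ODATA_NS + "Id" or not root.text:
        raise ValueError("unexpected /_api/site/id response")
    return root.text.strip()


def grant_body(client_id, display_name, roles=("write",)):
    """Body for POST /sites/{site_id}/permissions; refuses roles outside ALLOWED_ROLES."""
    bad = set(roles) - ALLOWED_ROLES
    if bad:
        raise ValueError(f"unsupported roles: {sorted(bad)}")
    return {"roles": list(roles),
            "grantedToIdentities": [{"application": {"id": client_id, "displayName": display_name}}]}


def grants_for_app(permissions_page, client_id):
    """Role lists held by client_id in a GET /sites/{site_id}/permissions page.

    Graph reports grantees under grantedToIdentitiesV2 (newer) or grantedToIdentities;
    both are checked so verification does not pass on an empty match.
    """
    found = []
    for perm in permissions_page.get("value", []):
        identities = perm.get("grantedToIdentitiesV2") or perm.get("grantedToIdentities") or []
        for ident in identities:
            if (ident.get("application") or {}).get("id") == client_id:
                found.append(sorted(perm.get("roles", [])))
    return found


def graph_request(method, url, token, body=None):
    """Minimal authenticated Graph call; returns (HTTP status, parsed JSON or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:  # 403 here is the expected Sites.Selected denial
        return err.code, None


def app_token(tenant_id, client_id, client_secret):
    """Client-credentials token for the registered app (application permissions only)."""
    form = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret,
                                   "scope": "https://graph.microsoft.com/.default",
                                   "grant_type": "client_credentials"}).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=form)) as resp:
        return json.load(resp)["access_token"]


if __name__ == "__main__":
    admin = os.environ["ADMIN_TOKEN"]  # delegated token holding Sites.FullControl.All
    tenant, client, secret = (os.environ[k] for k in ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET"))
    site_id = os.environ["SITE_ID"]                   # GUID from /_api/site/id
    other_site_id = os.environ.get("OTHER_SITE_ID")   # a site that must stay unreachable

    status, perm = graph_request("POST", f"{GRAPH}/sites/{site_id}/permissions", admin,
                                 grant_body(client, "Couchdrop-SharePoint"))
    print("grant status:", status, "permission id:", (perm or {}).get("id"))  # expect 201
    _, page = graph_request("GET", f"{GRAPH}/sites/{site_id}/permissions", admin)
    print("roles now held by app:", grants_for_app(page or {}, client))

    tok = app_token(tenant, client, secret)
    print("granted site /drive:", graph_request("GET", f"{GRAPH}/sites/{site_id}/drive", tok)[0])
    if other_site_id:  # Sites.Selected without a grant must be refused
        print("other site /drive:", graph_request("GET", f"{GRAPH}/sites/{other_site_id}/drive", tok)[0])
```

The negative check matters: a `200` on `OTHER_SITE_ID` means the app carries a broader permission than `Sites.Selected` (for example a leftover `Sites.ReadWrite.All` consent) and the scoping this guide sets up is not actually in force.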

***

### Connecting to SharePoint in Couchdrop using the configured Application

1. Return to Couchdrop and choose to create a new SharePoint connector.
2. Uncheck the option to use Delegated OAuth Access so the connector uses Application Access instead.
3. Complete the configuration using:

* **SharePoint Domain**
* **Client ID**
* **Directory (Tenant) ID**
* **Client Secret**

4\. You must then **"Choose a folder"** and **manually specify the SharePoint subfolder path**. This ensures Couchdrop connects to the exact SharePoint site you granted access to via `Sites.Selected`.

#### Folder Path Syntax

```plaintext
/sharepointsite:/sites/<siteName>:/Documents/<optional-subfolder-path>
```

5\. Click **Test** to verify that you have successfully assigned access. Select **Add Integration** to complete the process.
