FullControl Grant Path for Sites.Selected

Complete the common setup before continuing here. This runbook covers the remaining steps for the FullControl site grant path only.


Azure Portal – API permissions (Crawling Application)

  1. In Azure Portal, navigate to your Crawling Application.

  2. Under Manage, select API Permissions.

    • The Microsoft Graph User.Read permission is always present. It is required and should remain in place.

  3. Select Add a permission.

  4. Under Microsoft APIs, select SharePoint.

  5. Select Application permissions.

    • This ensures user credentials aren't required for authentication and the context is not scoped to one user.

  6. From the available permissions, select Sites.Selected.

  7. Select Add permission.

  8. You must grant admin consent for any permission applied.

    • This allows silent authentication for APIs. Without it, the application needs a user-invoked authentication flow.

  9. Select Grant admin consent for <organisation>.

  10. Select Yes to confirm this selection.

Do not add Sites.Selected on Microsoft Graph for the Crawling Application on the FullControl path. SharePoint API Sites.Selected is sufficient.


Granting the Crawling Application on each site (Grant Site Permissions Application)

When using Sites.Selected, the Crawling Application has no access to any site until you grant it. You must grant access on a per-site basis, once for each selected site.

Using PowerShell

  1. Connect using PowerShell with the Grant Site Permissions Application (replace placeholders).

  2. Grant access to the Crawling Application (replace placeholders).
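
One way to carry out both steps and confirm the result, shown as an added example rather than this runbook's own commands. It assumes the PnP.PowerShell module and certificate authentication for the Grant Site Permissions Application; every value in angle brackets is a placeholder.

```powershell
# Added example. Assumptions: PnP.PowerShell is installed and the Grant Site
# Permissions Application authenticates with a certificate (.pfx).
$tenant   = '<tenant>.onmicrosoft.com'
$grantApp = '<grant-site-permissions-application-client-id>'
$crawlApp = '<crawling-application-client-id>'
$pfxPath  = '<path-to-grant-application.pfx>'
# Prompt for the PFX password so it is never stored in the script or history.
$pfxPass  = Read-Host -AsSecureString -Prompt 'PFX password'

# Only the sites the crawler is meant to read. Keep this list explicit.
$sites = @(
    'https://<tenant>.sharepoint.com/sites/<site-a>',
    'https://<tenant>.sharepoint.com/sites/<site-b>'
)

$report = foreach ($site in $sites) {
    # Step 1: connect to the site as the Grant Site Permissions Application.
    Connect-PnPOnline -Url $site -ClientId $grantApp -Tenant $tenant `
        -CertificatePath $pfxPath -CertificatePassword $pfxPass

    # Skip the grant if the Crawling Application already has one on this site,
    # so re-running the script does not create duplicate grants.
    $grant = Get-PnPAzureADAppSitePermission |
        Where-Object { $_.Apps.Id -contains $crawlApp }

    if (-not $grant) {
        # Step 2: grant the Crawling Application FullControl on this site only.
        Grant-PnPAzureADAppSitePermission -AppId $crawlApp `
            -DisplayName 'Crawling Application' `
            -Permissions FullControl -Site $site | Out-Null
        $grant = Get-PnPAzureADAppSitePermission |
            Where-Object { $_.Apps.Id -contains $crawlApp }
    }

    # Record what the site actually reports, not what was requested.
    [pscustomobject]@{
        Site        = $site
        Roles       = ($grant.Roles -join ',')
        FullControl = [bool]($grant.Roles -contains 'fullcontrol')
    }
    Disconnect-PnPOnline
}

# Any row with FullControl = False needs attention before running a crawl.
$report | Format-Table -AutoSize
```

Keep the report with your change record: it is the list of sites on which the Crawling Application holds FullControl.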


Control Hub – Source Configuration

This configuration corresponds to the Selected Sites - Full Control Access scenario in the API Permissions Quick Reference.

  1. Within Control Hub select New Configuration.

    • If you're applying this to an existing source, find the configuration and select edit.

  2. On the Source tab, select SharePoint from the Source System dropdown.

Primary Connection (Crawling Application)

  1. Client ID – Enter the Application (client) ID of the Crawling Application.

    • You can find this in the Overview on the Azure Portal.

  2. Directory (Tenant) ID – Enter the Directory (tenant) ID for the Crawling Application.

    • You can find this in the Overview on the Azure Portal.

  3. Select Credential – Select the certificate credential associated with the Crawling Application's .pfx file.

Secondary Connection

A secondary Graph connection is not required for the FullControl path. Do not enable Use Graph API for permissions or Use Graph API for site discovery unless you explicitly require Graph for other reasons.

The SharePoint Security plugin is also not required for the FullControl path.

Save

  1. Select Save.

You are now ready to run a crawl using Sites.Selected with FullControl site grants.


Implementation note (validator behaviour)

When Use Graph API for permissions and Use Graph API for site discovery are both disabled (as on this path), no Graph connection settings or SharePoint Security configuration ID are required.
