
Microsoft Graph Permissions Guide for SharePoint Connectors

Overview

Migrating from the Legacy SharePoint Connector?

If you are migrating from an existing SharePoint connector that uses the old SharePoint API (sunset April 2, 2026), you may already have an app registration. In that case, skip to Step 2: Add Microsoft Graph API Permissions to grant the new Graph permissions to your existing app.

This guide covers two approaches for granting SharePoint access to your Canvas connector:

| Approach | Best For | Complexity |
| --- | --- | --- |
| Tenant-wide access | Simple setup when Canvas needs access to many sites or you want quick configuration | Easy: can be done entirely in the Azure portal |
| Selected site access | When you need to restrict the app to only specific SharePoint sites | Advanced: requires IT operations assistance with PowerShell or API calls |

Recommendation: Start with tenant-wide access for simplicity. Only use selected site access if your security policy requires restricting the app to specific sites.

Prerequisites

Before you begin, ensure you have:

  • An Azure AD / Entra ID account with Global Administrator privileges, or permission to grant admin consent for applications
  • Access to the Microsoft Entra admin center
  • Your SharePoint site information:
    • Host (e.g., yourcompany.sharepoint.com)
    • Site path (e.g., /sites/MySite)
Note: Additional prerequisites for selected site access (PowerShell or Graph API) are listed in that section below.

Step 1: Create the App Registration (if needed)

Note: Skip this step if you already have an app registration for Canvas (e.g., from a previous SharePoint connector setup). Jump to Step 2.

  1. Go to https://entra.microsoft.com (Microsoft Entra admin center).
  2. Navigate to Applications → App registrations.
  3. Click + New registration.
  4. Enter a name such as ConnectMyApps SharePoint Connector.
  5. Leave the Redirect URI blank (Canvas uses client credentials for app-only access).
  6. Click Register.

Collect the Required Values

After registration, gather these values for Canvas:

| Value | Where to Find It |
| --- | --- |
| Tenant ID | Overview page → "Directory (tenant) ID" |
| Client ID | Overview page → "Application (client) ID" |
| Client Secret | Certificates & secrets → New client secret → Copy the Value immediately (it won't be shown again) |

Step 2: Add Microsoft Graph API Permissions (Tenant-Wide Access)

This is the standard approach that grants Canvas access to all SharePoint sites in your tenant.

  1. In the Entra admin center, go to Applications → App registrations.
  2. Select your Canvas application.
  3. Click API permissions in the left menu.
  4. Click Add a permission → Microsoft Graph → Application permissions.
  5. Search for and select the appropriate permission:

     | Permission | Use Case |
     | --- | --- |
     | Sites.Read.All | Read-only access (Canvas only reads files) |
     | Sites.ReadWrite.All | Read and write access (Canvas reads and writes files) |

  6. Click Add permissions.
  7. Click Grant admin consent for [Your Tenant] and confirm.

Provide Credentials to Canvas

In Canvas, enter the following when setting up the SharePoint connector:

  • Tenant ID
  • Client ID
  • Client Secret
  • Host (e.g., yourcompany.sharepoint.com)
  • Site path (e.g., /sites/MySite)

Test the connector to verify the connection works.

Selected Site Access (Advanced)

Use this approach only if you need to restrict Canvas to specific SharePoint sites rather than granting tenant-wide access.

Important: This section requires technical proficiency and will likely need IT operations assistance. The steps involve PowerShell scripting or direct API calls.

When to Use Selected Site Access

  • Your security policy prohibits tenant-wide SharePoint access
  • You have multiple site collections and Canvas should only access specific ones
  • You need granular control over which sites the integration can reach

Step A: Add the Sites.Selected Permission

  1. In the app registration → API permissions → Add a permission.
  2. Select Microsoft Graph → Application permissions.
  3. Search for and add Sites.Selected.
  4. Click Grant admin consent for [Your Tenant].

Important: If you previously added Sites.Read.All or Sites.ReadWrite.All, remove them. The Sites.Selected permission is mutually exclusive with tenant-wide permissions: a tenant-wide permission left on the app would still grant access to every site, so the per-site restriction only takes effect once those permissions are gone.

At this point, the app has the capability to access specific sites, but has no actual site access yet. You must assign the app to specific sites using one of the methods below.

Step B: Assign the App to Specific Sites

Choose one of the following methods:

Method 1: PowerShell

Prerequisites for PowerShell method

  • PowerShell 7.x or higher. Check your version:

    $PSVersionTable.PSVersion

  • The PnP.PowerShell module installed:

    Install-Module PnP.PowerShell -Scope CurrentUser

  • The person running PowerShell must be a SharePoint Administrator or Global Administrator
  • Network access to login.microsoftonline.com, graph.microsoft.com, and *.sharepoint.com

Steps

  1. Open PowerShell and connect to the target SharePoint site:

    Connect-PnPOnline -Url https://<your-tenant>.sharepoint.com/sites/<SitePath> -Interactive

     Note: Recent PnP.PowerShell releases (2.12.0 and later) no longer ship a built-in sign-in app, so Connect-PnPOnline -Interactive also needs -ClientId <ID-OF-AN-APP-REGISTRATION-IN-YOUR-TENANT>. This can be a separate administrative app registration; it does not have to be the Canvas app.

  2. Grant the app permission to the site:

    Grant-PnPAzureADAppSitePermission `
        -AppId <CLIENT-ID> `
        -DisplayName "<App Display Name>" `
        -Permissions Write

     Note: The -AppId parameter requires the Client ID (also called Application ID) from your app registration; this is the same value you provided to Canvas.

     • Use -Permissions Read for read-only access
     • Use -Permissions Write for read and write access

  3. Repeat for each site that Canvas needs to access.

Troubleshooting

| Issue | Solution |
| --- | --- |
| Connect-PnPOnline not found | Install the PnP.PowerShell module |
| No login popup appears | Check PowerShell version (must be 7.x+) or environment policies |
| 401/403 Access Denied | Verify admin roles, Client ID, and site URL |
| Script execution errors | Run: Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned |

Method 2: Graph API

Use this method if PowerShell is not available in your environment or you prefer programmatic automation.

Prerequisites for Graph API method

You need a separate admin application (not the Canvas app) with the following permissions to assign site access to other apps:

  • Sites.FullControl.All
  • Application.Read.All

Important: The credentials used for this method must be from a different app registration than the Canvas app you're configuring. The Canvas app cannot grant permissions to itself.

Step 1: Obtain an Access Token

Request an access token for your admin application using the OAuth 2.0 client credentials flow:

POST https://login.microsoftonline.com/<TENANT-ID>/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded

client_id=<ADMIN-APP-CLIENT-ID>
&client_secret=<ADMIN-APP-CLIENT-SECRET>
&scope=https://graph.microsoft.com/.default
&grant_type=client_credentials

The response will contain an access_token field. Use this token in the Authorization header for subsequent requests.

Step 2: Get the Site ID

GET https://graph.microsoft.com/v1.0/sites/<your-tenant>.sharepoint.com:/sites/<SitePath>
Authorization: Bearer <ACCESS-TOKEN>

Copy the id field from the response. It is a composite value of the form host,siteCollectionId,webId; use it exactly as returned in the next step.

Step 3: Grant Permissions to the Canvas App

POST https://graph.microsoft.com/v1.0/sites/<SITE-ID>/permissions
Authorization: Bearer <ACCESS-TOKEN>
Content-Type: application/json

{
  "roles": ["write"],
  "grantedToIdentities": [
    {
      "application": {
        "id": "<CANVAS-APP-CLIENT-ID>"
      }
    }
  ]
}

Note: The id in the request body is the Client ID (Application ID) of your Canvas app; this is the same value you provided to Canvas.

  • Use "roles": ["read"] for read-only access
  • Use "roles": ["write"] for read and write access
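The three Graph calls above as one script, added here as an example; it is not part of the original guide and is not ConnectMyApps or Microsoft code. It uses only the Python standard library. The tenant, client IDs, secret, host and site path are placeholders you replace; each request is built by a small pure function so you can inspect exactly what would be sent before running it against a real tenant, and the role is restricted to the two values the guide uses. A last helper reads back GET /sites/{id}/permissions so you can confirm (and record) what the Canvas app was granted.

```python
"""Added example (not from the guide): Method 2, Steps 1-3, as runnable code.

All values passed to grant_site_access() below are placeholders you replace.
Only the standard library is used, so nothing has to be installed."""
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH = "https://graph.microsoft.com/v1.0"
ALLOWED_ROLES = {"read", "write"}  # the only roles this guide uses


def build_token_request(tenant_id, admin_client_id, admin_client_secret):
    """Step 1: client-credentials request for the *admin* app (never the Canvas app)."""
    form = {
        "client_id": admin_client_id,
        "client_secret": admin_client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }
    return TOKEN_URL.format(tenant=tenant_id), urllib.parse.urlencode(form).encode()


def site_lookup_url(host, site_path):
    """Step 2: the sites/{host}:{path} lookup. site_path must start with '/'."""
    if not site_path.startswith("/"):
        raise ValueError("site path must start with '/', e.g. /sites/MySite")
    return f"{GRAPH}/sites/{host}:{site_path}"


def build_grant_body(canvas_client_id, role):
    """Step 3: body for POST /sites/{id}/permissions, restricted to read|write."""
    if role not in ALLOWED_ROLES:
        raise ValueError(f"role must be one of {sorted(ALLOWED_ROLES)}, got {role!r}")
    return {
        "roles": [role],
        "grantedToIdentities": [{"application": {"id": canvas_client_id}}],
    }


def grants_for_app(permissions_response, app_id):
    """Roles one app holds on a site, from a GET /sites/{id}/permissions response.
    Graph returns the identity under grantedToIdentities and, on v1.0, also
    under grantedToIdentitiesV2; both shapes are checked."""
    roles = set()
    for perm in permissions_response.get("value", []):
        idents = perm.get("grantedToIdentitiesV2") or perm.get("grantedToIdentities") or []
        if any(i.get("application", {}).get("id") == app_id for i in idents):
            roles.update(perm.get("roles", []))
    return sorted(roles)


def _call(method, url, token=None, body=None, content_type=None):
    """Minimal JSON HTTP helper; raises urllib.error.HTTPError on 4xx/5xx."""
    headers = {"Accept": "application/json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    if content_type:
        headers["Content-Type"] = content_type
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def grant_site_access(tenant_id, admin_client_id, admin_client_secret,
                      host, site_path, canvas_client_id, role="read"):
    """Run Steps 1-3, then return the roles the Canvas app now holds on the site."""
    url, form = build_token_request(tenant_id, admin_client_id, admin_client_secret)
    token = _call("POST", url, body=form,
                  content_type="application/x-www-form-urlencoded")["access_token"]
    site_id = _call("GET", site_lookup_url(host, site_path), token)["id"]
    body = json.dumps(build_grant_body(canvas_client_id, role)).encode()
    _call("POST", f"{GRAPH}/sites/{site_id}/permissions", token, body, "application/json")
    # Read back what the site now reports for this app (keep this for your records).
    current = _call("GET", f"{GRAPH}/sites/{site_id}/permissions", token)
    return grants_for_app(current, canvas_client_id)


if __name__ == "__main__":
    # Placeholder values; replace every <...> with your own before running.
    print(grant_site_access(
        "<TENANT-ID>", "<ADMIN-APP-CLIENT-ID>", "<ADMIN-APP-CLIENT-SECRET>",
        "yourcompany.sharepoint.com", "/sites/MySite",
        "<CANVAS-APP-CLIENT-ID>", role="read"))
```

Run it once per site, with `role="read"` unless Canvas must write; the read-back at the end is what you would paste into the access record recommended under the best practices below.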

Optional Permissions for Specific Scenarios

If your integration requires access to additional SharePoint or Microsoft 365 features, you may need these permissions:

| Permission | Use Case |
| --- | --- |
| Files.Read.All | Access files across OneDrive and SharePoint (alternative to Sites permissions) |
| Files.ReadWrite.All | Read and write files across OneDrive and SharePoint |
| Sites.Manage.All | Create, edit, and delete lists and items (not just files) |
| Sites.FullControl.All | Full control including managing permissions (use with caution) |
| Lists.Read.All | Read SharePoint lists and list items |
| Lists.ReadWrite.All | Read and write SharePoint lists and list items |

Note: Restricting access to specific folders within a site is not directly supported by Microsoft Graph permissions. Folder-level restrictions require custom application logic or SharePoint-level permission inheritance settings configured by a SharePoint administrator.

Security & Operational Best Practices

  • Least privilege: Use Sites.Selected with explicit site grants when possible. Choose Read permissions when the integration only reads documents.
  • Admin consent: An administrator must grant admin consent for all application-level permissions.
  • Secret rotation: Rotate client secrets periodically and update the Canvas configuration accordingly.
  • Audit regularly: Review which apps have tenant-wide permissions and scope down where possible.
  • Document access: Keep a record of which sites have been granted access to the Canvas app.
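A way to act on the "Audit regularly" item, added here as an example (not part of the guide, and not Microsoft code). It works offline on data shaped like two Microsoft Graph responses: the appRoles list of the Microsoft Graph service principal (GET /servicePrincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000', which maps appRoleId GUIDs to names such as Sites.Read.All) and each app's appRoleAssignments (GET /servicePrincipals/{id}/appRoleAssignments). The GUIDs and app names below are constructed stand-ins; in your tenant the real values come from those two calls. It goes one step beyond the guide by also flagging an app that still holds a tenant-wide permission alongside Sites.Selected, the conflict Step A tells you to remove.

```python
"""Added example (not from the guide): classify each app's SharePoint reach.

GRAPH_APP_ROLES and ASSIGNMENTS are constructed samples in the shape of the
Graph responses named in the lead-in; the GUIDs are placeholders."""

# Tenant-wide application permissions named in this guide (Sites and Files).
TENANT_WIDE = {"Sites.Read.All", "Sites.ReadWrite.All", "Sites.Manage.All",
               "Sites.FullControl.All", "Files.Read.All", "Files.ReadWrite.All"}
SCOPED = "Sites.Selected"

# Constructed stand-in for the Microsoft Graph service principal's appRoles.
GRAPH_APP_ROLES = [
    {"id": "00000000-0000-0000-0000-00000000000a", "value": "Sites.Read.All"},
    {"id": "00000000-0000-0000-0000-00000000000b", "value": "Sites.ReadWrite.All"},
    {"id": "00000000-0000-0000-0000-00000000000c", "value": "Sites.Selected"},
    {"id": "00000000-0000-0000-0000-00000000000d", "value": "User.Read.All"},
]

# Constructed stand-in for each app's appRoleAssignments (only appRoleId matters here).
ASSIGNMENTS = {
    "Canvas SharePoint Connector": [
        {"appRoleId": "00000000-0000-0000-0000-00000000000c"},
        {"appRoleId": "00000000-0000-0000-0000-00000000000a"},  # leftover tenant-wide grant
    ],
    "Payroll Export": [{"appRoleId": "00000000-0000-0000-0000-00000000000b"}],
    "Read-only Reporting": [{"appRoleId": "00000000-0000-0000-0000-00000000000c"}],
    "HR Directory Sync": [{"appRoleId": "00000000-0000-0000-0000-00000000000d"}],
}


def role_names(assignments, app_roles):
    """Resolve appRoleId GUIDs to permission names; unknown ids are kept visible."""
    by_id = {r["id"]: r["value"] for r in app_roles}
    return sorted({by_id.get(a["appRoleId"], f"unknown:{a['appRoleId']}")
                   for a in assignments})


def assess(names):
    """Return (status, recommendation) for one app's resolved permission names."""
    wide = sorted(n for n in names if n in TENANT_WIDE)
    scoped = SCOPED in names
    if wide and scoped:
        return "conflict", (f"remove {', '.join(wide)}: Sites.Selected only restricts "
                            "access once no tenant-wide permission remains")
    if wide:
        return "tenant-wide", (f"holds {', '.join(wide)}; scope down to Sites.Selected "
                               "plus explicit site grants if policy requires")
    if scoped:
        return "selected", "scoped to explicitly granted sites only"
    return "none", "no SharePoint/OneDrive application permissions"


def audit(assignments_by_app, app_roles):
    """Map app display name -> (status, recommendation) across the tenant."""
    return {app: assess(role_names(rows, app_roles))
            for app, rows in assignments_by_app.items()}


if __name__ == "__main__":
    for app, (status, advice) in audit(ASSIGNMENTS, GRAPH_APP_ROLES).items():
        print(f"{app:30} {status:12} {advice}")
```

Feed it the real appRoles and appRoleAssignments from your tenant and review every app that comes back as "tenant-wide" or "conflict"; the "conflict" case is exactly the leftover Sites.Read.All / Sites.ReadWrite.All grant that Step A says to remove.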

Troubleshooting Checklist

| Symptom | Possible Cause | Solution |
| --- | --- | --- |
| Canvas cannot connect | Missing or incorrect credentials | Verify Tenant ID, Client ID, and Client Secret |
| Access denied errors | Admin consent not granted | Grant admin consent in API permissions |
| App can't access a site | Using Sites.Selected without site assignment | Assign the app to the site via PowerShell or Graph API |
| PowerShell login fails | Environment blocking interactive auth | Check firewall rules and browser popup settings |

Getting Help

If you need assistance with:

  • Granting admin consent: Contact your Azure AD / Global Administrator
  • Assigning site permissions: Contact your IT Operations or SharePoint Administrator
  • Canvas configuration: Contact ConnectMyApps support

When requesting help, provide:

  • The app's Client ID
  • The Site URL(s) Canvas needs to access
  • Whether read-only or read-write access is required

Prepared for ConnectMyApps (Canvas support/helpdesk).