Azure Architecture Blog

Granting Azure Resources Access to SharePoint Online Sites Using Managed Identity

anammalu (Microsoft)
May 02, 2025

This blog walks you through the end-to-end process of granting a managed identity read/write access to a specific SharePoint Online site using Microsoft Graph and PowerShell.

When integrating Azure resources such as Logic Apps, Function Apps, or Azure VMs with SharePoint Online, you usually need secure and granular access control. Rather than storing and rotating client secrets or user credentials yourself, a Managed Identity is the recommended way to authenticate to Microsoft Graph and access SharePoint resources: the platform issues and rotates the credential, and nothing secret lives in your code or configuration.

High-level steps:

Step 1: Enable Managed Identity (or App Registration)

Step 2: Grant Sites.Selected Permission in Microsoft Entra ID

Step 3: Assign SharePoint Site-Level Permission

Step 1: Enable Managed Identity (or App Registration)

For your Azure resource (e.g., Logic App):

  1. Navigate to the Azure portal.
  2. Go to the resource (e.g., Logic App).
  3. Under Identity, enable System-assigned Managed Identity.
  4. Note the Object ID and Client ID (you’ll need the Client ID later).

Alternatively, use an App Registration if you prefer a multi-tenant or reusable identity (see "How to register an app in Microsoft Entra ID" in the Microsoft identity platform documentation on Microsoft Learn).

Step 2: Grant Sites.Selected Permission in Microsoft Entra ID

  1. Open Microsoft Entra ID > App registrations.
  2. Select your Logic App’s managed identity or app registration.
  3. Under API permissions, click Add a permission > Microsoft Graph.
  4. Select Application permissions and add:
    • Sites.Selected
  5. Click Grant admin consent.

Note: Sites.Selected grants no site access by itself. It only makes the identity eligible to be granted access to individual sites, which you must do explicitly in Step 3, so the identity never gets tenant-wide SharePoint access.
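For a system-assigned managed identity, the same Sites.Selected application permission can be granted from PowerShell by assigning the Microsoft Graph app role directly to the identity's service principal (for a managed identity, creating this app role assignment is the consent step). The script below is an added example and is not part of the original post; it assumes the Microsoft.Graph.Applications module is installed, that the account running it can create app role assignments, and that `{ManagedIdentityObjectId}` is a placeholder for the Object ID noted in Step 1.

```powershell
# Added example (not from the original post): assign the Microsoft Graph
# "Sites.Selected" application permission to a managed identity's service
# principal using the Microsoft Graph PowerShell SDK.

Import-Module Microsoft.Graph.Applications

# Object ID of the managed identity's service principal (placeholder; see Step 1)
$managedIdentityObjectId = "{ManagedIdentityObjectId}"

# Creating an app role assignment is an admin-only, one-time operation.
Connect-MgGraph -Scopes "AppRoleAssignment.ReadWrite.All", "Application.Read.All"

# Microsoft Graph's service principal has this well-known app ID in every tenant.
$graphAppId = "00000003-0000-0000-c000-000000000000"
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"

# Locate the Sites.Selected application role; the Value property holds the permission name.
$sitesSelectedRole = $graphSp.AppRoles |
    Where-Object { $_.Value -eq "Sites.Selected" -and $_.AllowedMemberTypes -contains "Application" }
if (-not $sitesSelectedRole) {
    throw "Sites.Selected app role not found on the Microsoft Graph service principal."
}

# Make the script safe to re-run: skip if the assignment already exists.
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $managedIdentityObjectId |
    Where-Object { $_.AppRoleId -eq $sitesSelectedRole.Id -and $_.ResourceId -eq $graphSp.Id }

if ($existing) {
    Write-Host "Sites.Selected is already assigned to $managedIdentityObjectId."
} else {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $managedIdentityObjectId `
        -PrincipalId $managedIdentityObjectId `
        -ResourceId $graphSp.Id `
        -AppRoleId $sitesSelectedRole.Id
    Write-Host "Assigned Sites.Selected to $managedIdentityObjectId."
}
```

The filter on `AllowedMemberTypes` makes sure you pick the application permission rather than a delegated one of the same name, and the existence check keeps the script idempotent so it can live in a deployment pipeline without creating duplicate assignments.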

Step 3: Assign SharePoint Site-Level Permission

SharePoint Online requires an explicit site-level grant for apps that hold Sites.Selected. Use the script below to assign access to one site.

Note: The account running this script must be a SharePoint Administrator and must consent to the Sites.FullControl.All delegated permission when signing in; that permission is used only for this administrative grant, not by the managed identity itself.

PowerShell Script:
# Replace the placeholders with your values
$application = @{
    id          = "{ApplicationID}"   # Client ID of the Managed Identity (not the Object ID)
    displayName = "{DisplayName}"     # Display name (optional but recommended; shown in the site's permission list)
}

$appRole   = "write"                  # "read" or "write"; grant the lowest role that works for your scenario
$spoTenant = "contoso.sharepoint.com" # SharePoint tenant host name
$spoSite   = "{Sitename}"             # SharePoint site name (the segment after /sites/)

# Site ID format accepted by the Microsoft Graph sites API: "<host>:/sites/<site>:"
$spoSiteId = $spoTenant + ":/sites/" + $spoSite + ":"

# Load the Microsoft Graph Sites module
Import-Module Microsoft.Graph.Sites

# Sign in interactively as a SharePoint Administrator with the delegated permission needed for the grant
Connect-MgGraph -Scopes "Sites.FullControl.All"

# Grant the site-level permission to the application; GrantedToIdentities takes an array of identity sets
New-MgSitePermission -SiteId $spoSiteId -Roles @($appRole) -GrantedToIdentities @(@{ application = $application })
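After running the grant, it is worth confirming exactly which applications now hold permissions on the site and at what role, and keeping the command for revoking the grant at hand for when the integration is retired. The script below is an added example, not part of the original post; it assumes the same `{ApplicationID}` and `{Sitename}` placeholders as the grant script and that `Connect-MgGraph -Scopes "Sites.FullControl.All"` has already been run in the session.

```powershell
# Added example (not from the original post): list every application granted
# site-level permission on the target site, check that the managed identity
# holds exactly the expected role, and show how to revoke the grant.

Import-Module Microsoft.Graph.Sites

$spoSiteId     = "contoso.sharepoint.com:/sites/{Sitename}:"  # same format as the grant script (placeholder)
$expectedAppId = "{ApplicationID}"                            # Client ID of the managed identity (placeholder)
$expectedRole  = "write"                                      # role granted above

# Enumerate all site-level permissions (application grants made through Sites.Selected)
$permissions = Get-MgSitePermission -SiteId $spoSiteId -All

foreach ($perm in $permissions) {
    foreach ($identity in $perm.GrantedToIdentities) {
        $app = $identity.Application
        if ($null -eq $app) { continue }
        Write-Host ("{0,-40} {1,-38} roles={2}" -f $app.DisplayName, $app.Id, ($perm.Roles -join ","))
    }
}

# Find the grant that belongs to our managed identity
$ours = $permissions | Where-Object {
    $_.GrantedToIdentities | Where-Object { $_.Application.Id -eq $expectedAppId }
}

if (-not $ours) {
    Write-Warning "No site permission found for application $expectedAppId."
} elseif ($ours.Roles -contains $expectedRole) {
    Write-Host "OK: $expectedAppId has '$expectedRole' on $spoSiteId."
} else {
    Write-Warning "Application $expectedAppId has roles '$($ours.Roles -join ',')' instead of '$expectedRole'."
}

# Revoke the grant when the integration is decommissioned (uncomment to run):
# Remove-MgSitePermission -SiteId $spoSiteId -PermissionId $ours.Id
```

Because Sites.Selected grants are per site, this listing is the authoritative record of which identities can touch the site; reviewing it periodically, and removing grants for identities that no longer exist, is how the least-privilege promise of Sites.Selected is kept over time.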

That's it. Once the site permission is in place:

  • Your Logic App or Azure resource can now call Microsoft Graph APIs to interact with that specific SharePoint site (e.g., list files, upload documents).
  • You maintain centralized control and least-privilege access, complying with enterprise security standards.

By following this approach, you ensure secure, auditable, and scalable access from Azure services to SharePoint Online — no secrets, no user credentials, just managed identity done right.

Updated May 02, 2025
Version 1.0