In September 2024, we transitioned HelpDesk from a SharePoint Add-in to an Azure AD app, following Microsoft's announcement of the SharePoint Add-in retirement in Microsoft 365. One of the major improvements is that this change eliminates the need to manually renew the client secret, so HelpDesk no longer stops working when a client secret expires.
However, this update requires Full Control permissions over all sites in the tenant during the installation process. HelpDesk itself only needs permissions on one site, but the current Microsoft APIs do not allow a site-scoped permission to be granted without first holding Full Control over all sites. For this reason, our installation wizard first requests Full Control for all sites and only then configures the Azure AD app permissions for the HelpDesk site alone.
Once the installation wizard is closed, all access tokens issued to the Full Control app are discarded from memory. The elevated access is therefore used only during the installation process, only inside the HelpDesk installation wizard, and for nothing other than granting the Azure AD app permissions on the HelpDesk site being installed.
If you prefer not to grant Full Control access, or if your organization's policy does not allow it, you can grant the Azure AD app permissions for your HelpDesk site manually using PowerShell or the Graph API. Both methods give the HelpDesk app access only to the specific SharePoint site where HelpDesk is installed; Plumsail HelpDesk will not have access to anything else in your SharePoint tenant. Note that the administrator account running these steps still needs sufficient rights to create site permissions (see the API limitation above); the difference is that those rights stay with your own interactive session and are never given to the HelpDesk app. For more details on the permissions granted, please refer to this article.
1. Launch PowerShell on your desktop.
Hint
If you don't have PowerShell installed, you can download it here. Make sure the PnP PowerShell module is installed as well, since it provides the SharePoint cmdlets used below.
2. Enter the following command to load the PnP PowerShell module so that PowerShell can communicate with SharePoint:
Import-Module PnP.PowerShell
3. Connect to your SharePoint Online environment using the command below. Ensure you pass the Client ID of your own Entra ID application registration with the -ClientId parameter; this is the registration your admin session signs in with, not the HelpDesk app.
Connect-PnPOnline -Url https://[yourtenant].sharepoint.com -Interactive -ClientId <client id of your Entra ID Application Registration>
4. Use the following command to grant permissions to HelpDesk on the specific SharePoint site only, replacing <SiteURL> with the URL of your HelpDesk site. The -Site parameter explicitly names the site to grant permissions on, so access is granted to that site alone.
Grant-PnPAzureADAppSitePermission -AppId c378bac6-4de8-4e60-a61e-0b44d436ba92 -DisplayName "Plumsail HelpDesk" -Site <SiteURL> -Permissions FullControl
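The four steps above as one script, added here as an example and not part of Plumsail's own installer or documentation. It connects with PnP PowerShell, skips the grant if one already exists for the HelpDesk app on that site, and then re-reads the grant and fails if it is missing or does not carry the FullControl role. It assumes PnP.PowerShell is installed and that the $SiteUrl and $ClientId values you pass in are your own; the App ID and display name are the ones given in the steps above.

```powershell
# Added example (not Plumsail's script): grant the HelpDesk app access to a single
# site with PnP PowerShell, idempotently, and verify the result afterwards.
# Assumptions: PnP.PowerShell is installed; $SiteUrl and $ClientId are your own values.
param(
    [Parameter(Mandatory)] [string] $SiteUrl,   # e.g. https://contoso.sharepoint.com/sites/HelpDesk
    [Parameter(Mandatory)] [string] $ClientId   # your Entra ID app registration used for Connect-PnPOnline
)

# App (client) ID and display name of Plumsail HelpDesk, as given in the steps above
$HelpDeskAppId = 'c378bac6-4de8-4e60-a61e-0b44d436ba92'
$DisplayName   = 'Plumsail HelpDesk'

Import-Module PnP.PowerShell -ErrorAction Stop

# Sign in interactively with your own app registration. Connecting to the HelpDesk
# site itself keeps the scope obvious; the grant below is bound by -Site regardless.
Connect-PnPOnline -Url $SiteUrl -Interactive -ClientId $ClientId

# Idempotency: if the app already has a permission on this site, do not add a second one.
$existing = Get-PnPAzureADAppSitePermission -Site $SiteUrl -AppIdentity $HelpDeskAppId -ErrorAction SilentlyContinue
if ($existing) {
    Write-Host "HelpDesk already has a grant on $SiteUrl (roles: $($existing.Roles -join ', '))"
}
else {
    # -Site names exactly one site; nothing tenant-wide is created for the HelpDesk app.
    $granted = Grant-PnPAzureADAppSitePermission -AppId $HelpDeskAppId -DisplayName $DisplayName -Site $SiteUrl -Permissions FullControl
    Write-Host "Granted permission $($granted.Id) with roles $($granted.Roles -join ', ')"
}

# Verification: re-read the grant and stop if it is missing or lacks the FullControl role
# (-notcontains is case-insensitive, so 'fullcontrol' and 'FullControl' both match).
$check = Get-PnPAzureADAppSitePermission -Site $SiteUrl -AppIdentity $HelpDeskAppId
if (-not $check -or ($check.Roles -notcontains 'FullControl')) {
    throw "Expected a FullControl grant for app $HelpDeskAppId on $SiteUrl, found: $($check | ConvertTo-Json -Compress)"
}
Write-Host "OK: $DisplayName has FullControl on $SiteUrl (permission id $($check.Id))"
```

Run it as `.\Grant-HelpDeskSite.ps1 -SiteUrl https://contoso.sharepoint.com/sites/HelpDesk -ClientId <your client id>` (file name and tenant are placeholders). Keeping the pre-check and the post-check in the script means a re-run does not pile up duplicate permission entries, and a silent failure of the grant is caught before you close the session.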
1. Open Microsoft Graph Explorer.
2. Send the following HTTP request to grant permissions for HelpDesk, replacing <SiteId> with the GUID of your HelpDesk site collection. The site ID in the request path explicitly names the site to grant permissions on, so access is granted to that site alone.
POST https://graph.microsoft.com/v1.0/sites/<SiteId>/permissions
Body:
{
  "roles": [
    "fullcontrol"
  ],
  "grantedToIdentities": [
    {
      "application": {
        "id": "c378bac6-4de8-4e60-a61e-0b44d436ba92",
        "displayName": "Plumsail HelpDesk"
      }
    }
  ]
}
Hint
You can get the site GUID of your HelpDesk site from the following URL (replace the tenant and site names with your own): https://YourTenant.sharepoint.com/sites/YourSite/_api/site/id
3. Check that the permission was assigned, and that the HelpDesk application appears with the "fullcontrol" role on this site only, using:
GET https://graph.microsoft.com/v1.0/sites/<SiteId>/permissions
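The same Graph API exchange made from PowerShell with the Microsoft.Graph SDK instead of Graph Explorer, added here as an example and not part of Plumsail's own documentation. It resolves the Graph site ID from the site URL (so you do not need the _api/site/id lookup), sends the POST with the body shown above, re-reads the site's permissions to confirm the HelpDesk entry, and defines a rollback function that removes the grant again. It assumes the Microsoft.Graph.Authentication module is installed and that the signed-in administrator can consent to the delegated Sites.FullControl.All scope; $SiteUrl is your own value, and the function name Revoke-HelpDeskSitePermission is this example's, not a Graph cmdlet.

```powershell
# Added example (not Plumsail's script): grant, verify and (on demand) revoke the
# HelpDesk site permission through the Microsoft Graph REST API.
# Assumptions: Microsoft.Graph.Authentication is installed; the signed-in admin can
# consent to delegated Sites.FullControl.All; $SiteUrl is your own HelpDesk site.
param(
    [Parameter(Mandatory)] [string] $SiteUrl   # e.g. https://contoso.sharepoint.com/sites/HelpDesk
)

$HelpDeskAppId = 'c378bac6-4de8-4e60-a61e-0b44d436ba92'   # App ID from the steps above
$DisplayName   = 'Plumsail HelpDesk'

Import-Module Microsoft.Graph.Authentication -ErrorAction Stop
Connect-MgGraph -Scopes 'Sites.FullControl.All' -NoWelcome

# Resolve the Graph site ID from the URL: GET /sites/{hostname}:/{server-relative-path}
$uri    = [uri] $SiteUrl
$site   = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/sites/$($uri.Host):$($uri.AbsolutePath)" -OutputType PSObject
$siteId = $site.id
Write-Host "Graph site id: $siteId"

$permissionsUri = "https://graph.microsoft.com/v1.0/sites/$siteId/permissions"

# Same body as the Graph Explorer request above, built as a hashtable and sent as JSON
$body = @{
    roles               = @('fullcontrol')
    grantedToIdentities = @(
        @{ application = @{ id = $HelpDeskAppId; displayName = $DisplayName } }
    )
}

# Create the grant: POST /sites/{siteId}/permissions
$created = Invoke-MgGraphRequest -Method POST -Uri $permissionsUri -Body $body -ContentType 'application/json' -OutputType PSObject
Write-Host "Created permission $($created.id) with roles $($created.roles -join ', ')"

# Verify: GET /sites/{siteId}/permissions and pick out the entry for the HelpDesk app
$all  = (Invoke-MgGraphRequest -Method GET -Uri $permissionsUri -OutputType PSObject).value
$mine = $all | Where-Object { $_.grantedToIdentities.application.id -contains $HelpDeskAppId }
if (-not $mine -or ($mine.roles -notcontains 'fullcontrol')) {
    throw "HelpDesk grant not found, or has unexpected roles, on $SiteUrl"
}
Write-Host "OK: $DisplayName has $($mine.roles -join ', ') on $SiteUrl (permission id $($mine.id))"

# Rollback helper (example's own function): DELETE /sites/{siteId}/permissions/{permissionId}
function Revoke-HelpDeskSitePermission {
    param([Parameter(Mandatory)] [string] $PermissionId)
    Invoke-MgGraphRequest -Method DELETE -Uri "$permissionsUri/$PermissionId"
}
```

The verification step reads back every permission on the site rather than just the one that was created, so you can also see whether any other application has been granted access to the HelpDesk site. To undo the grant, call `Revoke-HelpDeskSitePermission -PermissionId <id>` with the permission ID printed by the script.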