Skip to content

Add Get, Grant, Set and Revoke cmdlets for EntraID app file permissions #5295

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
fabianhutzli wants to merge 1 commit into
base: dev
Choose a base branch
from
Open

Add Get, Grant, Set and Revoke cmdlets for EntraID app file permissions #5295

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
193 changes: 193 additions & 0 deletions documentation/Get-PnPEntraIDAppFilePermission.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,193 @@
---
Module Name: PnP.PowerShell
schema: 2.0.0
applicable: SharePoint Online
online version: https://pnp.github.io/powershell/cmdlets/Get-PnPEntraIDAppFilePermission.html
external help file: PnP.PowerShell.dll-Help.xml
title: Get-PnPEntraIDAppFilePermission
---

# Get-PnPEntraIDAppFilePermission

## SYNOPSIS

**Required Permissions**

* Microsoft Graph API: Files.ReadWrite.All or Sites.ReadWrite.All

Returns Entra ID App permissions for a file in a document library.

## SYNTAX

### All Permissions
```powershell
Get-PnPEntraIDAppFilePermission -List <String> [-Path <String>] [-FileId <String>] [-Site <SitePipeBind>] [-Connection <PnPConnection>]
```

### By Permission Id
```powershell
Get-PnPEntraIDAppFilePermission -PermissionId <String> -List <String> [-Path <String>] [-FileId <String>] [-Site <SitePipeBind>] [-Connection <PnPConnection>]
```

### By App Display Name or App Id
```powershell
Get-PnPEntraIDAppFilePermission -AppIdentity <String> -List <String> [-Path <String>] [-FileId <String>] [-Site <SitePipeBind>] [-Connection <PnPConnection>]
```

## DESCRIPTION

This cmdlet returns app permissions for a file in a document library. It is used in conjunction with the Entra ID SharePoint application permission `Files.SelectedOperations.Selected`.

The file can be identified by either:
- `-Path`: the path to the file relative to the document library root (e.g. `Folder/SubFolder/file.docx`)
- `-FileId`: the Graph drive item ID of the file

Exactly one of `-Path` or `-FileId` must be specified.

## EXAMPLES

### EXAMPLE 1
```powershell
Get-PnPEntraIDAppFilePermission -List "Documents" -Path "Contracts/2024/Agreement.docx"
```

Returns all app permissions set on the file at the given path in the Documents library of the currently connected site.

### EXAMPLE 2
```powershell
Get-PnPEntraIDAppFilePermission -List "Documents" -Path "Report.xlsx" -Site https://contoso.sharepoint.com/sites/finance
```

Returns all app permissions set on the file at the root of the Documents library on the specified site.

### EXAMPLE 3
```powershell
Get-PnPEntraIDAppFilePermission -List "Documents" -FileId "01ABC123DEF456GHI789"
```

Returns all app permissions set on the file with the specified drive item ID.

### EXAMPLE 4
```powershell
Get-PnPEntraIDAppFilePermission -List "Documents" -Path "Report.xlsx" -PermissionId aTowaS50fG1zLnNwLmV4dHxlMzhjZmIzMS00
```

Returns the specific permission details for the given permission id on the file.

### EXAMPLE 5
```powershell
Get-PnPEntraIDAppFilePermission -List "Documents" -Path "Report.xlsx" -AppIdentity "My App"
```

Returns the specific permission details for the app with the provided display name on the file.

### EXAMPLE 6
```powershell
Get-PnPEntraIDAppFilePermission -List "Documents" -Path "Report.xlsx" -AppIdentity "89ea5c94-7736-4e25-95ad-3fa95f62b66e"
```

Returns the specific permission details for the app with the provided app id on the file.

## PARAMETERS

### -AppIdentity
Specify either the display name or the app id (client id) to filter the returned permissions to a specific app.

```yaml
Type: String
Parameter Sets: By App Display Name or App Id

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```

### -Connection
Optional connection to be used by the cmdlet. Retrieve the value for this parameter by either specifying -ReturnConnection on Connect-PnPOnline or by executing Get-PnPConnection.

```yaml
Type: PnPConnection
Parameter Sets: (All)

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```

### -FileId
The Graph drive item ID of the file. Use this as an alternative to `-Path` when you already know the drive item ID. Mutually exclusive with `-Path`.

```yaml
Type: String
Parameter Sets: (All)

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```

### -List
The document library containing the file. Accepts a list GUID or display name.

```yaml
Type: String
Parameter Sets: (All)

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```

### -Path
The path to the file relative to the document library root (e.g. `Folder/SubFolder/file.docx` or just `file.docx` for a file at the root). Mutually exclusive with `-FileId`.

```yaml
Type: String
Parameter Sets: (All)

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```

### -PermissionId
If specified, the permission with that id will be retrieved.

```yaml
Type: String
Parameter Sets: By Permission Id

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```

### -Site
Optional url of a site to retrieve the permissions for. Defaults to the currently connected site.

```yaml
Type: SitePipeBind
Parameter Sets: (All)

Required: False
Position: Named
Default value: Currently connected site
Accept pipeline input: False
Accept wildcard characters: False
```

## RELATED LINKS

[Microsoft 365 Patterns and Practices](https://aka.ms/m365pnp)
176 changes: 176 additions & 0 deletions documentation/Grant-PnPEntraIDAppFilePermission.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,176 @@
---
Module Name: PnP.PowerShell
schema: 2.0.0
applicable: SharePoint Online
online version: https://pnp.github.io/powershell/cmdlets/Grant-PnPEntraIDAppFilePermission.html
external help file: PnP.PowerShell.dll-Help.xml
title: Grant-PnPEntraIDAppFilePermission
---

# Grant-PnPEntraIDAppFilePermission

## SYNOPSIS

**Required Permissions**

* Microsoft Graph API: Files.ReadWrite.All or Sites.ReadWrite.All

Adds permissions for a given Entra ID application registration on a file in a document library.

## SYNTAX

```powershell
Grant-PnPEntraIDAppFilePermission -AppId <Guid> -DisplayName <String> -Permissions <Read|Write|Owner|FullControl> -List <String> [-Path <String>] [-FileId <String>] [-Site <SitePipeBind>] [-Connection <PnPConnection>]
```

## DESCRIPTION

This cmdlet adds permissions for a given Entra ID application registration on a file in a document library. It is used in conjunction with the Entra ID SharePoint application permission `Files.SelectedOperations.Selected`.

The file can be identified by either:
- `-Path`: the path to the file relative to the document library root (e.g. `Folder/SubFolder/file.docx`)
- `-FileId`: the Graph drive item ID of the file

Exactly one of `-Path` or `-FileId` must be specified.

## EXAMPLES

### EXAMPLE 1
```powershell
Grant-PnPEntraIDAppFilePermission -AppId "aa37b89e-75a7-47e3-bdb6-b763851c61b6" -DisplayName "TestApp" -Permissions Read -List "Documents" -Path "Contracts/Agreement.docx"
```

Grants the Entra ID application registration Read access on the file at the specified path in the Documents library of the currently connected site.

### EXAMPLE 2
```powershell
Grant-PnPEntraIDAppFilePermission -AppId "aa37b89e-75a7-47e3-bdb6-b763851c61b6" -DisplayName "TestApp" -Permissions Write -List "Documents" -FileId "01ABC123DEF456GHI789"
```

Grants Write access on the file with the specified drive item ID in the Documents library.

### EXAMPLE 3
```powershell
Grant-PnPEntraIDAppFilePermission -AppId "aa37b89e-75a7-47e3-bdb6-b763851c61b6" -DisplayName "TestApp" -Permissions Owner -List "Documents" -Path "Report.xlsx" -Site https://contoso.sharepoint.com/sites/finance
```

Grants Owner access on the specified file in the Documents library of the given site collection.

## PARAMETERS

### -AppId
The app id (client id) of the Entra ID application registration to grant permission for.

```yaml
Type: Guid
Parameter Sets: (All)

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```

### -Connection
Optional connection to be used by the cmdlet. Retrieve the value for this parameter by either specifying -ReturnConnection on Connect-PnPOnline or by executing Get-PnPConnection.

```yaml
Type: PnPConnection
Parameter Sets: (All)

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```

### -DisplayName
The display name to associate with the permission. Used for visual reference only; does not need to match the application name in Entra ID.

```yaml
Type: String
Parameter Sets: (All)

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```

### -FileId
The Graph drive item ID of the file. Use this as an alternative to `-Path` when you already know the drive item ID. Mutually exclusive with `-Path`.

```yaml
Type: String
Parameter Sets: (All)

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```

### -List
The document library containing the file. Accepts a list GUID or display name.

```yaml
Type: String
Parameter Sets: (All)

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```

### -Path
The path to the file relative to the document library root (e.g. `Folder/SubFolder/file.docx` or just `file.docx` for a file at the root). Mutually exclusive with `-FileId`.

```yaml
Type: String
Parameter Sets: (All)

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```

### -Permissions
The permissions to grant for the Entra ID application registration. Can be Read, Write, Owner, or FullControl.

```yaml
Type: String
Parameter Sets: (All)

Required: True
Accepted values: Read, Write, Owner, FullControl
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```

### -Site
Optional url of a site to grant the permissions on. Defaults to the currently connected site.

```yaml
Type: SitePipeBind
Parameter Sets: (All)

Required: False
Position: Named
Default value: Currently connected site
Accept pipeline input: False
Accept wildcard characters: False
```

## RELATED LINKS

[Microsoft 365 Patterns and Practices](https://aka.ms/m365pnp)
Loading
Loading