Audit Service Principal Permissions to SharePoint sites granted using Sites.Selected via PowerShell

Ensuring the security and compliance of your SharePoint environment is crucial, especially when dealing with service principals, Entra ID apps, or federated identities. These entities often have elevated permissions that, if mismanaged, can lead to unauthorized access and potential data breaches. Regularly auditing these permissions is a best practice for maintaining a secure and compliant SharePoint environment.

Application only or granular access to individual site instead of whole tenant, scope called “Sites.Selected” is used for different purposes :

  1. SPFx deployment from CI/CD pipelines via service connections Deploy SPFx app using pipeline’s Workload Identity federation

Refer to the articles for various flavours

Deploy SPFx app using pipeline’s Workload Identity federation

Deploying SPFx apps with Azure DevOps pipelines - Classic variant

  1. Granting access to applications to the SharePoint sites

Why Audit Service Principal Permissions?

  1. Security: Unauthorized access can lead to data breaches, loss of sensitive information, and other security incidents.
  2. Compliance: Many industries have strict compliance requirements that mandate regular audits of access permissions.
  3. Governance: Proper governance ensures that only authorized applications and identities have access to your SharePoint sites, reducing the risk of misuse.

Granting Permissions

Permissions to service principals, Entra ID apps, or federated identities can be granted to SharePoint sites using the cmdlet:

grant-PnPAzureADAppSitePermission -AppId 27f0f80f-4c32-4e49-a3ce-377fff559532 -DisplayName  p-m365  -Permissions FullControl

Auditing Permissions

The following PowerShell script retrieves permissions assigned to SharePoint sites for auditing purposes:

param (
    [Parameter(Mandatory = $true)]
    [string] $domain
)

$adminSiteURL = "https://$domain-Admin.SharePoint.com"
$TenantURL = "https://$domain.sharepoint.com"
$dateTime = "_{0:MM_dd_yy}_{0:HH_mm_ss}" -f (Get-Date)
$invocation = (Get-Variable MyInvocation).Value

$directorypath = Split-Path $invocation.MyCommand.Path
$fileName = "entraid_site_permissions" + $dateTime + ".csv"
$outputPath = $directorypath + "\"+ $fileName

if (-not (Test-Path $outputPath)) {
    New-Item -ItemType File -Path $outputPath
}
     Connect-PnPOnline -Url $adminSiteURL -Interactive -WarningAction SilentlyContinue
        Write-Host "Getting entra id permissions..." -ForegroundColor Yellow
        $sharingReport = Get-PnPTenantSite -Filter "Url -like '$TenantURL'"| Where-Object { $_.Template -ne 'RedirectSite#0' }  | foreach-object {
        $siteUrl = $_.Url
        connect-PnPOnline -Url $siteUrl -interactive -WarningAction SilentlyContinue
        Get-PnPAzureADAppSitePermission | ForEach-Object {
        [PSCustomObject]@{
            ##add the properties from the $sharingsetting object
            Id = $_.Id
            Url = $siteUrl
            Roles = $_.Roles -join ","
            Apps = $_.Apps -join ","
        }
    }
}

$sharingReport |select *  |Export-Csv $outputPath -NoTypeInformation -Append

References

Identify and prevent abuse of Managed Identities with Federated Credentials from unauthorized entities

SharePoint now supports delegated Sites.Selected authentication

Develop Applications that use Sites.Selected permissions for SPO sites.