- Create a new SharePoint App Principal by navigating to https://<tenant>.sharepoint.com/sites/<targetsite>/_layouts/15/appregnew.aspx. Click the Generate buttons next to the Client Id and Client Secret fields. For automation tasks (PowerShell, .NET executables) the App Domain and Redirect URL fields are not used, so generic values such as localhost and https://localhost are fine.
- Click the Create button.
- Copy the Client Id and Client Secret values to a secure location (a secret vault or password manager, not a script checked into source control). Anyone holding these two values can read everything the app principal is granted, from anywhere on the internet, with no user sign-in or MFA involved.
- The Client Secret expires one year after creation, so track the expiry date. For automation scenarios it is usually easier to generate a new Client Id and Client Secret and update the jobs, but you can use PowerShell to generate a new Client Secret that lasts three years. Details for replacing an expiring Client Secret: https://docs.microsoft.com/en-us/sharepoint/dev/sp-add-ins/replace-an-expiring-client-secret-in-a-sharepoint-add-in
- Grant permissions to the SharePoint App Principal by navigating to https://<tenant>.sharepoint.com/sites/<targetsite>/_layouts/15/appinv.aspx.
- Paste the Client Id into the App Id field and click the Lookup button. Note: the Permission Request XML field is always blank, even if you have previously granted the SharePoint App Principal rights, so the lookup does not tell you what is already granted.
- Paste in the App Permission Request XML for the desired permission. Example App Permission Request giving the app principal read access to a single list (AllowAppOnlyPolicy="true" is what lets the principal call SharePoint without a signed-in user; without it only user+app calls are allowed):
<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Read"/>
</AppPermissionRequests>
More information about permission scopes: https://docs.microsoft.com/en-us/sharepoint/dev/sp-add-ins/add-in-permissions-in-sharepoint#permission-request-scopes-for-other-sharepoint-features
- Click Create.
- Because this example scopes the permission to a single list, SharePoint now asks which list the grant applies to: on the trust page that follows, choose the Documents library from the drop-down and click Trust It. Depending on the scope you request, this page looks slightly different (a web or site collection scope has no list picker).
# Client Id and Client Secret from appregnew.aspx (sample values from the page; in real jobs load them from a vault or environment variable rather than hard-coding them)
$clientId = "daabeeab-3d81-4501-9f17-5496beb8b007"
$clientSecret = "Ul6lKjICLF0hsYvo8QdmRXbXDOT9fjAaUWEqhQYLc1g="
# App-only (ACS) connection. -AppId/-AppSecret are the legacy SharePointPnPPowerShellOnline names; PnP.PowerShell calls them -ClientId/-ClientSecret.
# Do not add -UseWebLogin here: it belongs to a different parameter set and conflicts with app-only authentication.
Connect-PnPOnline -Url "https://tenant.sharepoint.com/sites/targetsite" -AppId $clientId -AppSecret $clientSecret
# Download one file from the granted library by its server-relative URL
Get-PnPFile -Url /sites/targetsite/documents/file.docx -Path c:\temp -FileName file.docx -AsFile
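The whole procedure end to end, as an added example that is not part of the original page: it connects app-only with the Client Id and Client Secret created above, reads from the one list the principal was granted, checks that a list outside the grant is refused (so a too-broad scope is caught before the job ships), and downloads a file. It assumes the PnP.PowerShell module (parameters -ClientId/-ClientSecret), that the principal was granted Read on the Documents library only, and that the credentials are supplied via the environment variables SP_CLIENT_ID and SP_CLIENT_SECRET; site URL, list names and file path are placeholders.

```powershell
# Added example, not from the original page. Requires: Install-Module PnP.PowerShell
# Assumes: app principal granted Read on the Documents library only (list scope),
#          SP_CLIENT_ID / SP_CLIENT_SECRET set in the environment, placeholder site/list/file names.

$siteUrl   = "https://tenant.sharepoint.com/sites/targetsite"
$listName  = "Documents"
$otherList = "Site Pages"   # a list the principal was NOT granted; used as a negative check

$clientId     = $env:SP_CLIENT_ID
$clientSecret = $env:SP_CLIENT_SECRET
if (-not $clientId -or -not $clientSecret) {
    throw "Set SP_CLIENT_ID and SP_CLIENT_SECRET in the environment (never hard-code the secret in the job)."
}

# ACS app-only connection: no user, no web login, so never combine with -UseWebLogin or -Interactive.
# (Legacy SharePointPnPPowerShellOnline used -AppId/-AppSecret for the same parameters.)
Connect-PnPOnline -Url $siteUrl -ClientId $clientId -ClientSecret $clientSecret

try {
    # Positive check: the granted list is readable with the app-only token.
    $items = Get-PnPListItem -List $listName -PageSize 100
    Write-Host "Read $($items.Count) item(s) from '$listName'."

    # Negative check: a list outside the grant must be refused. If it is not, the
    # principal was trusted at web or site collection scope rather than list scope.
    try {
        Get-PnPList -Identity $otherList -ErrorAction Stop | Out-Null
        Write-Warning "Principal can see '$otherList'; scope is broader than a single list. Review the grant on appinv.aspx."
    }
    catch {
        Write-Host "Access to '$otherList' refused as expected: $($_.Exception.Message)"
    }

    # Download one file from the granted library by its server-relative URL (page's sample path).
    $targetDir = Join-Path $env:TEMP "sp-export"
    New-Item -ItemType Directory -Path $targetDir -Force | Out-Null
    Get-PnPFile -Url "/sites/targetsite/documents/file.docx" -Path $targetDir -FileName "file.docx" -AsFile -Force
    Write-Host "Saved file.docx to $targetDir"
}
finally {
    # Always drop the connection so the app-only context does not linger in the session.
    Disconnect-PnPOnline
}
```

Run it once after the Trust It step and again whenever the grant is changed; the negative check is the cheap way to confirm the principal really is limited to the single list the XML asked for. Note that Microsoft has announced the retirement of the ACS-based app-only model this page relies on, so for new automation prefer a Microsoft Entra app registration with a certificate, which PnP.PowerShell supports through its certificate-based Connect-PnPOnline parameters.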