Using Sites.Selected permission

By default, MetaShare requires the “Sites.FullControl.All” application permission for SharePoint and Microsoft Graph. This permission is needed so that the application can create new SharePoint sites. Some customers may choose to remove that permission after creating workspaces and use the “Sites.Selected” permission instead. When this permission is used, MetaShare must be granted permissions to each specific SharePoint site using PowerShell.

Granting “Sites.Selected” and site permissions

  1. Open Entra ID portal > Enterprise Applications > MetaShare > Permissions
  2. Verify that the “Sites.Selected” permission has been granted and consented to by an administrator. If not, select “Grant admin consent for your tenant” and then “Refresh” the permissions.
  3. Using PnP.PowerShell, connect to the admin site of your tenant:
    Connect-PnPOnline -Url "https://{tenant}-admin.sharepoint.com" -ClientId {PowerShellAppClientId} -Interactive
  4. For each MetaShare workspace, grant permissions for the underlying SharePoint site:
    Grant-PnPEntraIDAppSitePermission -AppId 23b47b75-ebde-4abf-9621-fff04bded7cf -DisplayName "MetaShare" -Permissions FullControl -site "{url}"
  5. Grant MetaShare at least Read permissions to the content type hub site:
    Grant-PnPEntraIDAppSitePermission -AppId 23b47b75-ebde-4abf-9621-fff04bded7cf -DisplayName "MetaShare" -Permissions Read -site "https://{tenant}.sharepoint.com/sites/contenttypehub"
  6. Now you can remove the “Sites.FullControl.All” application permission for Microsoft Graph and SharePoint.
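
Steps 3 to 6 as one re-runnable script that grants only where a role is missing and confirms every site before the tenant-wide permission is removed. This is an added example, not MetaShare's own tooling. It assumes a hypothetical `workspaces.txt` holding one workspace site URL per line, and that `Get-PnPEntraIDAppSitePermission` (the companion cmdlet in PnP.PowerShell) returns objects with a `Roles` property.

```powershell
# Added example; replace the {placeholders} before running.
$tenant      = "{tenant}"
$clientId    = "{PowerShellAppClientId}"
$metaShareId = "23b47b75-ebde-4abf-9621-fff04bded7cf"   # AppId from the steps above

# Hypothetical input file: one workspace site URL per line.
$workspaces = Get-Content -Path ".\workspaces.txt" |
    ForEach-Object { $_.Trim() } | Where-Object { $_ }

Connect-PnPOnline -Url "https://$($tenant)-admin.sharepoint.com" -ClientId $clientId -Interactive

# Workspaces need FullControl; the content type hub needs at least Read.
$required  = @($workspaces | ForEach-Object { [pscustomobject]@{ Site = $_; Role = "FullControl" } })
$required += [pscustomobject]@{ Site = "https://$($tenant).sharepoint.com/sites/contenttypehub"; Role = "Read" }

function Test-MetaShareGrant($Site, $Role) {
    # Assumption: each returned permission object exposes its roles in a Roles property.
    $roles = @(Get-PnPEntraIDAppSitePermission -Site $Site -AppIdentity $metaShareId `
            -ErrorAction SilentlyContinue | ForEach-Object { $_.Roles } | Where-Object { $_ })
    if ($Role -eq "Read") { return $roles.Count -gt 0 }   # any existing grant satisfies "at least Read"
    return $roles -contains $Role                          # -contains compares case-insensitively
}

$failed = @()
foreach ($item in $required) {
    if (-not (Test-MetaShareGrant $item.Site $item.Role)) {
        # Grant only where the required role is absent, so reruns leave existing grants alone.
        Grant-PnPEntraIDAppSitePermission -AppId $metaShareId -DisplayName "MetaShare" `
            -Permissions $item.Role -Site $item.Site | Out-Null
        # Re-read the grant instead of trusting the call to have succeeded.
        if (-not (Test-MetaShareGrant $item.Site $item.Role)) { $failed += $item.Site }
    }
}

if ($failed.Count -eq 0) {
    Write-Host "All $($required.Count) sites verified. Sites.FullControl.All can be removed (step 6)."
} else {
    Write-Warning "Keep Sites.FullControl.All until these sites are fixed:"
    $failed | ForEach-Object { Write-Warning "  $_" }
}
```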

Limitations when using Sites.Selected

Without the “Sites.FullControl.All” permission these MetaShare functions are unavailable:

  1. Share documents with anonymous users by selecting the “External link” option, even if this setting is enabled in the underlying SharePoint sites.
  2. Create new workspaces from MetaShare’s UI.
  3. Delete workspaces from MetaShare’s UI.
  4. Select site templates for workspace configurations.