App Registration for External Access to SharePoint

Step-by-step documentation for configuring an app registration to grant external access to a SharePoint site.

Introduction

This guide teaches you how to configure an app registration to grant an external party access to a specific SharePoint site within a Microsoft 365 environment. It requires steps in Microsoft Entra ID (formerly Azure AD), setting up permissions, and configuring access at the SharePoint level.

1. Create App Registration (Microsoft Entra ID)

  1. Go to https://entra.microsoft.com (opens in a new tab) or https://portal.azure.com (opens in a new tab).
  2. Navigate to 'App registrations' > 'New registration'.
  3. Fill in the following information:
    • Name: Give the app a recognizable name, e.g., ExtApp_SharePointAccess.
    • Supported account types: Choose 'Accounts in another organization' for external access.
    • Redirect URI: Only required for interactive authentication (such as web apps).
  4. Click ‘Register’.

2. API Permissions

  1. Open the registered app.
  2. Go to API permissions > Add a permission.
  3. Choose SharePoint > Delegated permissions.
  4. Add:
    • AllSites.FullControl
  5. Click Grant admin consent for your organization.

3. Generate Client Secret

  1. In the app, go to Certificates & Secrets.
  2. Click New client secret, give it a name and expiration.
  3. Copy the Value immediately – this is the only time you’ll see it.

4. Assign SharePoint Site Permissions

  1. Go to the SharePoint site you want to expose.
  2. Open Site Settings > Site Permissions > Advanced Permissions.
  3. Click Grant Permissions, and add the App ID as a user:
    • Format: i:0i.t|ms.sp.ext|<CLIENT_ID>@<TENANT_ID>
  4. Choose the appropriate permission level (e.g., Read, Contribute, Full Control).

Summary

You have now registered an external app and granted it delegated access to a SharePoint site. Be sure to follow up with any external parties to share the necessary credentials securely.

Getting Started
Powered by Nextra