By default, when an application created under "App registrations" in the Microsoft Entra admin center uses its API key to access SharePoint, it has access to every SharePoint site in the tenant.
If you want to restrict that API key to one specific SharePoint site, additional configuration through PowerShell is required.
Microsoft Entra application
The general setup is covered in other articles online. The important point here is that the API key is being created for use with a specific SharePoint site, so at a minimum the SharePoint access permission must be enabled.
In the API key you created, open "API permissions" and enable the SharePoint "Sites.Selected" permission; note that it must be of the "Application" type.
Next, configure the API key so that it is limited to a specific SharePoint site.
Using PowerShell to restrict the API key to a specific SharePoint site
PS > Install-Module PnP.PowerShell -Scope CurrentUser -Force
PS > Get-Module PnP.PowerShell -ListAvailable
Directory: \Documents\PowerShell\Modules
ModuleType Version PreRelease Name PSEdition ExportedCommands
---------- ------- ---------- ---- --------- ----------------
Manifest 3.1.0 PnP.PowerShell Core {Add-PnPAdaptiveScopeProperty, Add-PnPE…
Directory: C:\Program Files\WindowsPowerShell\Modules
ModuleType Version PreRelease Name PSEdition ExportedCommands
---------- ------- ---------- ---- --------- ----------------
Manifest 3.1.0 PnP.PowerShell Core {Add-PnPAdaptiveScopeProperty, Add-PnPE…
PS > Connect-PnPOnline -Url "https://YOUR_DOMAIN-admin.sharepoint.com" -Interactive
WARNING:
Please specify a valid client id for an Entra ID App Registration.
Connect-PnPOnline: Specified method is not supported.
PS > Register-PnPEntraIDAppForInteractiveLogin -ApplicationName "PnP-Interactive-Admin" -Tenant "YOUR_DOMAIN.onmicrosoft.com"
WARNING:
No permissions specified, using default permissions
Checking if application 'PnP-Interactive-Admin' does not exist yet...Success. Application 'PnP-Interactive-Admin' can be registered.
App PnP-Interactive-Admin with id fXXXXXXc-XXXX-XXXX-XXXX-7XXXXXXXXXXb created.
App created. You can now connect to your tenant using Connect-PnPOnline -Url <yourtenanturl> -ClientId fXXXXXXc-XXXX-XXXX-XXXX-7XXXXXXXXXXb
AzureAppId/ClientId
-------------------
fXXXXXXc-XXXX-XXXX-XXXX-7XXXXXXXXXXb
PS > Connect-PnPOnline -Url "https://YOUR_DOMAIN-admin.sharepoint.com" -ClientId "5XXXX6-XXXX-XXXX-XXXX-cXXXXXXXXXX8"
PS > Grant-PnPAzureADAppSitePermission -AppId "5XXXX6-XXXX-XXXX-XXXX-cXXXXXXXXXX8" -DisplayName "QA_reporting" -Site "https://YOUR_DOMAIN.sharepoint.com/sites/develop" -Permissions Write
Id : aXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX3
Roles : {write}
Apps : {QA_reporting, 5XXXX6-XXXX-XXXX-XXXX-cXXXXXXXXXX8}
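As an added example (not part of the original post), the following PnP.PowerShell script applies the same Grant-PnPAzureADAppSitePermission step to a list of sites, reads each grant back with Get-PnPAzureADAppSitePermission to verify the role actually applied, and lists any other app identities holding a site-level grant there; the URLs, client IDs and the second site are placeholders.

```powershell
# Added example, not from the original post. Assumes PnP.PowerShell 3.x and an
# admin able to sign in interactively; all IDs and URLs below are placeholders.
$AdminUrl            = "https://YOUR_DOMAIN-admin.sharepoint.com"
$InteractiveClientId = "00000000-0000-0000-0000-000000000000"  # app from Register-PnPEntraIDAppForInteractiveLogin
$TargetAppId         = "11111111-1111-1111-1111-111111111111"  # the Sites.Selected app being scoped
$TargetAppName       = "QA_reporting"
# Site -> role map (Read or Write). The second site is a constructed example.
$Grants = @(
    @{ Url = "https://YOUR_DOMAIN.sharepoint.com/sites/develop"; Role = "Write" },
    @{ Url = "https://YOUR_DOMAIN.sharepoint.com/sites/reports"; Role = "Read"  }
)

Connect-PnPOnline -Url $AdminUrl -ClientId $InteractiveClientId -Interactive

foreach ($g in $Grants) {
    # Look up any existing grant for this app on this site so the script is idempotent
    $existing = Get-PnPAzureADAppSitePermission -Site $g.Url -AppIdentity $TargetAppId -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if ($existing) {
        if ($existing.Roles -contains $g.Role) {
            Write-Host "$($g.Url): '$TargetAppName' already has $($g.Role)"
        } else {
            # Adjust the existing grant (e.g. downgrade Write to Read) instead of stacking a second one
            Set-PnPAzureADAppSitePermission -Site $g.Url -PermissionId $existing.Id -Permissions $g.Role | Out-Null
        }
    } else {
        Grant-PnPAzureADAppSitePermission -AppId $TargetAppId -DisplayName $TargetAppName `
            -Site $g.Url -Permissions $g.Role | Out-Null
    }

    # Verify: read the grant back and fail loudly if the expected role is not present
    $check = Get-PnPAzureADAppSitePermission -Site $g.Url -AppIdentity $TargetAppId | Select-Object -First 1
    if (-not $check -or ($check.Roles -notcontains $g.Role)) {
        throw "Verification failed for $TargetAppName on $($g.Url): roles = $($check.Roles -join ',')"
    }
    Write-Host "$($g.Url): verified roles = $($check.Roles -join ',')"

    # Audit: any other app identity with a site-level grant here deserves a second look
    Get-PnPAzureADAppSitePermission -Site $g.Url |
        Where-Object { $_.Apps -notcontains $TargetAppId } |
        ForEach-Object { Write-Warning "Other app on $($g.Url): $($_.Apps -join ', ') roles = $($_.Roles -join ',')" }
}
```

Sites.Selected only constrains the app if it holds no tenant-wide SharePoint application permission (such as Sites.ReadWrite.All) alongside it, so review the app's "API permissions" list as well as the per-site grants.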