Whats wrong on Graph API permission for selected site


Even the API claim value doesn't contain any permission level requesting access to all site contents:

During granting permission it is then asking for read and write for ALL SharePoint sites:

Can anyone kindly tell me why? This app should access and work only within one pre-selected site collection.

Thanks in advance!

Explanation of the mentioned behaviour, to avoid granting too much permission if it is not needed


There is 1 answer

Naveen Sharma On

To restrict SharePoint API permission to a specific site check below:

Create a Microsoft Entra ID application:


Use the below PowerShell script to restrict SharePoint API permission to a specific site:

# Site-scoped grant for an app registration (requires the PnP.PowerShell module)
$siteUrl = "https://xxx.sharepoint.com/sites/testruk"
$clientId = "AppClientID"
$certThumbprint = "Thumbprint"
$tenant = "xxx.onmicrosoft.com"

# Sign in interactively as an admin of the target site
Connect-PnPOnline -Url $siteUrl -Interactive
# Grant the app "Write" on this one site only; the app must hold the Sites.Selected permission
$writeperm = Grant-PnPAzureADAppSitePermission -Permissions "Write" -Site $siteUrl -AppId $clientId -DisplayName "PowerShell-SharepointOnline"
# Look up the grant just created so it can be updated
$PermissionId = Get-PnPAzureADAppSitePermission -AppIdentity $clientId
# Raise the site-scoped grant to "FullControl"
Set-PnPAzureADAppSitePermission -Site $siteUrl -PermissionId $(($PermissionId).Id) -Permissions "FullControl"


When I tried to connect to the above site it was successful:

# App-only sign-in with the certificate registered on the app
Connect-PnPOnline -Url $siteUrl -ClientId $clientId -Thumbprint $certThumbprint -Tenant $tenant
# Lists the site's lists, proving the app can read this site
Get-PnPList


When I tried to connect to another site, got an error like below:


  • By doing this it will restrict access to specific site collections, but not to specific folders/files.
  • You cannot restrict access to specific folders, files or a narrower scope.
  • Hence try to restrict the site by using the PowerShell script.
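The following is an added example, not part of the answer above or of the PnP project. It expresses the same per-site grant through the Microsoft Graph REST endpoint that the PnP cmdlets wrap (`/sites/{id}/permissions`), and adds the check a reviewer would want afterwards: a listing of every app granted on the site, flagging any grant that holds `fullcontrol`. It assumes the Microsoft.Graph PowerShell SDK is installed; the host name, site path, client id and display name are placeholders.

```powershell
# Added example (not the answer's script): site-scoped grant and audit via Graph REST.
# Requires the Microsoft.Graph PowerShell SDK. All values below are placeholders.
Import-Module Microsoft.Graph.Authentication

$hostName    = "contoso.sharepoint.com"                 # placeholder tenant host
$sitePath    = "/sites/testruk"                          # placeholder server-relative site path
$appClientId = "00000000-0000-0000-0000-000000000000"    # placeholder app (client) id
$appName     = "PowerShell-SharepointOnline"             # placeholder display name

# The admin doing the granting signs in with a delegated scope; the app registration
# itself only needs the application permission Sites.Selected, nothing tenant-wide.
Connect-MgGraph -Scopes "Sites.FullControl.All"

function Get-SiteId {
    param([string]$HostName, [string]$Path)
    # GET /sites/{hostname}:/{path} resolves a site URL to its Graph site id
    $site = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/sites/${HostName}:${Path}"
    return $site.id
}

function Grant-AppSiteAccess {
    param([string]$SiteId, [string]$ClientId, [string]$DisplayName, [string]$Role = "write")
    # POST /sites/{id}/permissions creates the per-site grant that Sites.Selected relies on.
    # Roles are read, write, manage or fullcontrol; "write" is enough for most integrations.
    $body = @{
        roles               = @($Role)
        grantedToIdentities = @(@{ application = @{ id = $ClientId; displayName = $DisplayName } })
    }
    return Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/sites/$SiteId/permissions" -Body $body
}

function Get-AppSiteGrants {
    param([string]$SiteId)
    # GET /sites/{id}/permissions lists every app-only grant on this site.
    # A fullcontrol grant is flagged because that level can alter the grants themselves.
    $resp = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/sites/$SiteId/permissions"
    foreach ($p in $resp.value) {
        foreach ($ident in $p.grantedToIdentities) {
            [pscustomobject]@{
                PermissionId = $p.id
                AppId        = $ident.application.id
                AppName      = $ident.application.displayName
                Roles        = ($p.roles -join ",")
                Review       = ($p.roles -contains "fullcontrol")
            }
        }
    }
}

$siteId = Get-SiteId -HostName $hostName -Path $sitePath
Grant-AppSiteAccess -SiteId $siteId -ClientId $appClientId -DisplayName $appName -Role "write" | Out-Null
Get-AppSiteGrants -SiteId $siteId | Format-Table -AutoSize
```

Run the audit function on its own (without the grant call) when reviewing an existing site: a `Review` column of `True` against an app that only needs to read or write items is a sign the grant was escalated, as in the answer's final `Set-PnPAzureADAppSitePermission` step, and can be lowered again.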