As per the title, is it possible to add let's say read permissions to an app on a site, but only on a specific scope?
Also, is it possible to use custom permission levels for the same app, instead of the read, write, manage, fullcontrol?
1 Answer
At this point in time, the most granular permission scope for SharePoint in Entra ID (Azure AD) is the site collection. There are more granular permission scopes (e.g. site, list, and library) available using the Add-in permission model that registers apps with Azure Access Control Services (Azure ACS), however Microsoft recently announced that the Add-in permission model has been deprecated and will be turned off in the relatively near future (Azure ACS retirement in Microsoft 365).
I haven't seen any announcements on this, but considering the deprecation of Azure ACS and the work that Microsoft has done to add more granular permission scopes for apps like Teams and OneDrive, I would expect that Microsoft is working on adding more granular permission scopes for SharePoint in Entra ID (Azure AD).
I hope this helps.
