
Granting Per-Site Permissions in SharePoint


Looking to connect your SharePoint?

Start here: Connecting SharePoint to GovEagle

If you chose the Sites.Selected permission approach in the Service Principal method, you'll need to manually grant your app registration access to each SharePoint site. This is a one-time setup per site.

The following steps are intended for after you’ve completed Part 1: Create an App Registration in Azure and have selected the Sites.Selected permission.

Which method should I use?

Commercial and GCC tenants: use Microsoft Graph Explorer (Steps 1-4 below).

GCC High tenants: Microsoft Graph Explorer is not available against GCC High. Use the GCC High (PowerShell) method below instead.

Step 1: Log into Graph Explorer as a Tenant Admin

Navigate to Microsoft Graph Explorer and sign in with a tenant admin account.

Step 2: Grant Graph Explorer the Required Permissions

Before you can grant site-level permissions, Graph Explorer itself needs the Sites.FullControl.All permission.

  1. In Graph Explorer, click Modify Permissions.

  2. Find and consent to Sites.FullControl.All.

  3. This is a one-time admin setup action. Once you've completed the permission grants below, you can revoke this consent from Graph Explorer if you'd like — the permissions you grant to your app will persist.

Step 3: Get the SharePoint Site ID

If you don't already know your site ID, run the following GET request in Graph Explorer:

GET https://graph.microsoft.com/v1.0/sites/{YOUR-DOMAIN}.sharepoint.com:/sites/{YOUR-SITE-NAME}

Copy the id value from the response.

Step 4: Grant Your App Access to the Site

  1. In Graph Explorer, switch to a POST request.

  2. Set the URL to:

POST https://graph.microsoft.com/v1.0/sites/{site-id-from-step-3}/permissions

  3. Use the following request body. Use "read" for read-only access, or ["read", "write"] if write access is needed:

{
  "roles": ["read"],
  "grantedToIdentities": [
    {
      "application": {
        "id": "<your-azure-app-client-id>",
        "displayName": "GovEagle SharePoint Integration"
      }
    }
  ]
}

  4. Click Run Query and verify the API call was successful.

  5. The site should appear in the GovEagle platform within a few minutes.

Repeat Steps 3–4 for each additional SharePoint site you want to connect.

GCC High Tenants (PowerShell)

Microsoft Graph Explorer does not work against GCC High tenants, so the steps above cannot be used there. Instead, a tenant admin grants Sites.Selected access using the Microsoft Graph PowerShell SDK. Note the following before you start:

  • Use Microsoft.Graph PowerShell SDK v1.x, not v2.x. The required cmdlet was removed in v2.x.

  • The script switches to the beta profile (Select-MgProfile -Name beta), which the Sites.Selected flow requires.

  • Connect in the USGov environment with the Sites.FullControl.All and AppRoleAssignment.ReadWrite.All scopes.

  • GCC High site URLs use the .sharepoint.us domain, not .sharepoint.com.

  • Grant the permission to your application’s AppId (Client ID), as shown on the app registration’s Overview page in Entra. Do not use the service principal’s object ID. Granting to the object ID is the most common cause of the error "the app does not have access to this site".

  • If your tenant has more than one app registration, confirm you are using the Client ID of the one connected to GovEagle.

Update the three variables near the top of the script ($tenant, $sitePath, $appName), then run it in PowerShell:

#########################################################################
#  Sites.Selected Permission Assignment requires 
#    Microsoft.Graph PowerShell SDK v1.x (NOT v2.x)
#  So we need to validate that before we go any further
#########################################################################

$ErrorActionPreference = [System.Management.Automation.ActionPreference]::Stop

Write-Host "Checking Microsoft Graph module version..." -ForegroundColor Cyan

$modules = Get-InstalledModule Microsoft.Graph* -ErrorAction SilentlyContinue

if ($modules.Version.Major -ge 2) {
    Write-Warning "ERROR: You have Microsoft.Graph v2.x installed. This version is not compatible with the 'Sites.Selected' and V1 API calls required."
    return
}

if (-not (Get-InstalledModule Microsoft.Graph -ErrorAction SilentlyContinue)) {
    Write-Warning "ERROR: You do not appear to have the Microsoft Graph API modules installed."
    Write-Warning "You must install v1.x of the Microsoft.Graph module (NOT v2.x) in order to use this script."
    return
}

#########################################################################
# 1. Switch to the beta profile so that the beta Graph API endpoint is used (required for Sites.Selected)
# Note: this is why we have to use v1.x of the module... Microsoft removed
#   Select-MgProfile in v2.x, which leaves only v1.0 API calls available there
#########################################################################

Write-Host "Selecting Microsoft Graph beta profile..." -ForegroundColor Cyan
Select-MgProfile -Name beta

#########################################################################
# 2. Connect to Graph with admin‑level scopes
#########################################################################

Write-Host "Connecting to Microsoft Graph..." -ForegroundColor Cyan
Connect-MgGraph -Scopes "Sites.FullControl.All","AppRoleAssignment.ReadWrite.All" -Environment USGov

#########################################################################
# 3. VARIABLES — CHANGE THESE THREE VALUES
#########################################################################

$tenant = "<<tenantname>>"                      # example: "contoso"
$sitePath = "<<sitepath>>"                      # example: "/sites/repository"
$appName = "<<registeredapp>>"                  # example: "GovEagle SharePoint Integration"

#########################################################################
# 4. Get the target SharePoint site
#########################################################################

Write-Host "Retrieving site..." -ForegroundColor Cyan
$site = Get-MgSite -SiteId "$tenant.sharepoint.us:$sitePath"

if (-not $site) {
    throw "Site not found. Check path: $sitePath"
}

Write-Host "   Site ID: $($site.Id)" -ForegroundColor Green

#########################################################################
# 5. Get the Service Principal for the application
#########################################################################

Write-Host "Retrieving service principal for app '$appName'..." -ForegroundColor Cyan
$sp = Get-MgServicePrincipal -Filter "displayName eq '$appName'"

if (-not $sp) {
    throw "Service Principal not found. Verify the app exists in Entra ID."
}

Write-Host "   App (Client) ID: $($sp.AppId)" -ForegroundColor Green   # this is the AppId, not the service principal's object ID

#########################################################################
# 6. Build permission payload (read)
#########################################################################

$params = @{
    roles = @("read")    # or "write"
    grantedToIdentities = @(
        @{
            application = @{
                id = $sp.AppId                  # this needs to be the same value as the "Client ID" presented in the Entra management portal
                displayName = $sp.DisplayName
            }
        }
    )
}

Write-Host "Assigning Sites.Selected permission..." -ForegroundColor Cyan

#########################################################################
# 7. Create the permission
#########################################################################

try {
    $permission = New-MgSitePermission -SiteId $site.Id -BodyParameter $params
    Write-Host "SUCCESS: Permission assigned!" -ForegroundColor Green
}
catch {
    Write-Host "Failed to assign permission:" -ForegroundColor Red
    Write-Host $_.Exception.Message -ForegroundColor Red
    throw
}

#########################################################################
# 8. Validate
#########################################################################

Write-Host "Validating assigned permissions..." -ForegroundColor Cyan
Get-MgSitePermission -SiteId $site.Id | Format-List

Write-Host "Done." -ForegroundColor Green

Use roles = @("read") for read-only access, or @("read","write") if write access is needed. Repeat for each additional SharePoint site you want to connect.
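Whichever path you used (the Graph Explorer POST in Step 4 or the PowerShell script above), the same GET /sites/{site-id}/permissions call used in the script's validation step lets you audit the result. The following is an added example, not GovEagle's code: it builds the grant body from the page and audits a permissions response, flagging grants made to any application id other than the expected Client ID (the object-ID mistake described above) and roles beyond what was intended. The Graph base URLs and the sample response are assumptions constructed for the example; the live fetch function is not called offline.

```python
import json
import urllib.request

# Assumed Graph base URLs: commercial/GCC tenants vs GCC High (.sharepoint.us sites).
GRAPH_BASE = {"commercial": "https://graph.microsoft.com", "gcchigh": "https://graph.microsoft.us"}


def build_grant_body(client_id, display_name, roles=("read",)):
    """Body for POST /sites/{site-id}/permissions, as in Step 4 of the page."""
    return {"roles": list(roles),
            "grantedToIdentities": [{"application": {"id": client_id, "displayName": display_name}}]}


def audit_site_permissions(permissions, expected_client_id, max_roles=("read",)):
    """Check a GET /sites/{site-id}/permissions response body.

    Returns findings: grants to any app id other than the expected Client ID
    (e.g. a grant mistakenly made to the service principal's object id),
    roles on the expected app beyond max_roles, or no grant at all.
    """
    findings, seen_expected = [], False
    for perm in permissions.get("value", []):
        roles = perm.get("roles", [])
        for identity in perm.get("grantedToIdentities", []):
            app = identity.get("application", {})
            if app.get("id") == expected_client_id:
                seen_expected = True
                extra = sorted(set(roles) - set(max_roles))
                if extra:
                    findings.append(f"expected app has excess roles: {extra}")
            else:
                findings.append(f"unexpected app {app.get('id')!r} ({app.get('displayName')}) has roles {roles}")
    if not seen_expected:
        findings.append("expected app has no grant on this site")
    return findings


def fetch_site_permissions(token, site_id, cloud="commercial"):
    """Live call (not used offline): GET /v1.0/sites/{site-id}/permissions with a bearer token."""
    req = urllib.request.Request(f"{GRAPH_BASE[cloud]}/v1.0/sites/{site_id}/permissions",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample (not real tenant data): the intended read grant plus a stale write grant to another app.
EXPECTED_CLIENT_ID = "00000000-0000-0000-0000-000000000001"
SAMPLE = {"value": [
    {"id": "p1", "roles": ["read"], "grantedToIdentities": [{"application": {"id": EXPECTED_CLIENT_ID, "displayName": "GovEagle SharePoint Integration"}}]},
    {"id": "p2", "roles": ["read", "write"], "grantedToIdentities": [{"application": {"id": "00000000-0000-0000-0000-000000000002", "displayName": "Old Integration"}}]},
]}

if __name__ == "__main__":
    for finding in audit_site_permissions(SAMPLE, EXPECTED_CLIENT_ID):
        print("FINDING:", finding)
```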