Limiting Site Access

In cases where an Azure instance contains a large number of team sites, an administrator may want to limit the add-on’s access to a certain subset of sites. This can greatly improve the response time of the add-on in Jira. To limit the add-on’s access to a subset of all sites, an Azure administrator should perform the following steps:

Gather App Details

The following steps are performed through your web browser in the Azure Administration UI:

  1. Navigate to https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade

  2. Copy the “display name” and “Application (client) ID” values for your app registration. You will need these values for later.

Modify App Permissions

  1. Select the application you registered for Jira.

  2. Click on the API Permissions item on the left.

  3. Remove the Sites.ReadWrite.All permission.

  4. Add the Sites.Selected permission.

  5. Grant Admin consent for the Sites.Selected permission.

Load the Graph API Explorer

The following steps are performed through your web browser in the Microsoft Graph API explorer:

  1. Open Microsoft’s Graph API Explorer at https://developer.microsoft.com/en-us/graph/graph-explorer

  2. Click on the user avatar in the top right of the Graph API Explorer.

  3. Click on the Consent to permissions link in the user menu that appears.

  4. Scroll down to the Sites section in the Permissions menu that appears, and check the box for Sites.FullControl.All.

  5. Click on the Consent button at the bottom.

Find Site IDs

  1. Create a GET request to the following URL: https://graph.microsoft.com/v1.0/sites?search=TeamSiteName, where TeamSiteName is the start of the display name of the particular site you’re looking for. For instance, to find the Mobility Stream Dev Team Site, we would use the URL https://graph.microsoft.com/v1.0/sites?search=Dev

  2. Tap the Run Query button to get the response.

  3. Examine the value portion of the response. You should see several id, name, and webUrl values. You will need the id value for each site you wish to grant access to. Make a list of these values. They look similar to ms.sharepoint.com,29d89a4d-1116-4c61-beab-ab32e55803b5,1ae8fce0-78d6-41c6-a82c-65bff2442801.

Apply New Permissions

  1. Create a POST request to the following URL: https://graph.microsoft.com/v1.0/sites/{siteId}/permissions, where {siteId} is one of the id values collected from the previous step.

  2. Provide the following body for the request, with {appId} replaced by the application’s client ID you saved earlier, and {appDisplayName} replaced by the application’s display name you saved earlier:

    {
      "roles": ["write"],
      "grantedToIdentities": [
        {
          "application": {
            "id": "{appId}",
            "displayName": "{appDisplayName}"
          }
        }
      ]
    }

  3. Click Run query to execute this query and add the permission.

  4. Repeat this process for each site id as needed.
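
Because the site search matches on the start of the display name, it can return more sites than the ones you intend to grant. The following added example (not part of the add-on or of Microsoft's tooling) builds the POST requests from the steps above for approved sites only, without sending anything. The function names, the contoso URLs, and all GUIDs in it are constructed placeholders.

```python
import json
import re
import uuid

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample of a /sites?search=Dev response (not real tenant data).
SEARCH_RESPONSE = json.loads("""
{"value": [
 {"id": "contoso.sharepoint.com,11111111-1111-4111-8111-111111111111,22222222-2222-4222-8222-222222222222",
  "name": "DevTeam", "webUrl": "https://contoso.sharepoint.com/sites/DevTeam"},
 {"id": "contoso.sharepoint.com,33333333-3333-4333-8333-333333333333,44444444-4444-4444-8444-444444444444",
  "name": "DevOpsArchive", "webUrl": "https://contoso.sharepoint.com/sites/DevOpsArchive"}
]}
""")

def is_site_id(value):
    """True if value looks like 'hostname,GUID,GUID', the id shape shown above."""
    parts = value.split(",")
    if len(parts) != 3 or not re.fullmatch(r"[A-Za-z0-9.-]+", parts[0]):
        return False
    try:
        uuid.UUID(parts[1])
        uuid.UUID(parts[2])
    except ValueError:
        return False
    return True

def plan_grants(search_response, approved_urls, app_id, app_display_name):
    """Return one POST request (method, url, body) per approved site; sends nothing."""
    uuid.UUID(app_id)  # raises ValueError if the client ID is not a GUID
    body = {"roles": ["write"], "grantedToIdentities": [
        {"application": {"id": app_id, "displayName": app_display_name}}]}
    approved = {u.rstrip("/").lower() for u in approved_urls}
    plan = []
    for site in search_response.get("value", []):
        if site.get("webUrl", "").rstrip("/").lower() not in approved:
            continue  # matched the search prefix but was not approved: no grant
        if not is_site_id(site.get("id", "")):
            raise ValueError("unexpected site id: %r" % site.get("id"))
        plan.append({"method": "POST", "body": body,
                     "url": "%s/sites/%s/permissions" % (GRAPH, site["id"])})
    return plan

if __name__ == "__main__":
    for req in plan_grants(SEARCH_RESPONSE, ["https://contoso.sharepoint.com/sites/DevTeam"],
                           "00000000-0000-4000-8000-000000000000", "Jira Add-on (placeholder)"):
        print(req["method"], req["url"])
        print(json.dumps(req["body"], indent=2))
```

Review the printed URLs against your approved list before running each request in the Graph API Explorer.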