Set Additional Permissions for SharePoint Online

For SharePoint Online data protection, ensure that you set the required add-in permissions and tenant permissions below.

When you finish, your custom Azure app should include the permissions as shown below.

Add-In Permissions in SharePoint Online

Make sure that you assign the following add-in permissions to the custom app. For more information, see Add-in permissions in SharePoint in the Microsoft documentation.

Scope URI                                            Required Rights
http://sharepoint/content/tenant                     FullControl
http://sharepoint/content/sitecollection             FullControl
http://sharepoint/content/sitecollection/web         FullControl
http://sharepoint/content/sitecollection/web/list    FullControl
http://sharepoint/taxonomy                           Read,Write

Tenant Permissions

After you have registered the custom app, configure the tenant permissions on the custom app.

To configure the tenant permissions:

  1. Launch the SharePoint Admin Center using the URL: https://<your-tenant>-admin.sharepoint.com/_layouts/15/AppInv.aspx

  2. In the SharePoint Admin Center, log in as the tenant admin.

  3. In the App ID and Title section, perform the following:

    1. In the App Id field, enter the AppID of the custom app you have created and click Lookup to search for the custom app.

    2. In the App Domain field, enter www.localhost.com as the app domain.

      Do not enter any string other than www.localhost.com in the App Domain field.

    3. In the Redirect URL field, enter https://localhost.com/ as the redirect URL.

      Do not enter any URL other than https://localhost.com/ in the Redirect URL field.

    4. In the Permission Request XML field, enter the following values:

      <AppPermissionRequests AllowAppOnlyPolicy="true">
      <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
      <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
      <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl" />
      <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="FullControl" />
      <AppPermissionRequest Scope="http://sharepoint/taxonomy" Right="Read,Write" />
      </AppPermissionRequests>

  4. Click Create.

  5. On the Do you trust <app_title>? page, perform the following:

    1. From the drop-down, select DO_NOT_DELETE_SPLIST_TENANTADMIN_AGGREGATED_SITECOLLECTIONS.

    2. Click Trust It.

If you created your Microsoft 365 tenant on or after Sep 20, 2020, you must install SharePoint Online PowerShell. Using the global administrator account, run the following commands in an administrator PowerShell session:

    # Check whether the module is already installed
    Get-Module -Name Microsoft.Online.SharePoint.PowerShell -ListAvailable | Select Name,Version
    # Use TLS 1.2 for the module download
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    # Install the module for all users on this machine
    Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Scope AllUsers
    # Connect to the tenant admin site
    Connect-SPOService -Url 'https://<tenant>-admin.sharepoint.com'
    # Allow app-only access tokens for custom apps (disabled by default on new tenants)
    Set-SPOTenant -DisableCustomAppAuthentication $False

The custom scripts setting is not supported in SharePoint.