Giving an Azure AD Application permissions to a single SharePoint site is easy, using spo site apppermission add:
m365 spo site apppermission add --appId $appId --permission write --siteUrl $spSite
If you use the ID of a Managed Identity however, this will not work, because the command does a lookup using the /applications Graph endpoint, which only returns App Registrations, not service principals.
There used to be a workaround to avoid the lookup: specify both --appId AND --appDisplayName together. This is also mentioned on the site.
This however stopped working, because an option set has now been defined on appId and appDisplayName, forcing you to fill in either one OR the other option.
So, effectively we can no longer add site permissions for service principals.
Fix
We can fix this by removing the option set.
But I think it's also better to change the lookup to the /ServicePrincipals endpoint, as that will capture ALL service principals.
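As an added example (not the CLI for Microsoft 365 project's own code), a lookup that filters Graph /servicePrincipals by appId, run against a constructed offline stand-in for Graph to show why the /applications lookup misses a managed identity while the /servicePrincipals lookup resolves it; GraphQuery and the placeholder GUIDs are assumptions.

```typescript
// Added example, not code from the CLI for Microsoft 365 project: resolve the identity
// behind an appId via Graph /servicePrincipals instead of /applications, so managed
// identities, which have no app registration, resolve as well. GraphQuery is an assumed,
// injectable lookup so the example runs offline; a real call would await an HTTP GET.

interface GraphObject { id: string; appId: string; displayName: string; }
type GraphResource = 'applications' | 'servicePrincipals';
type GraphQuery = (url: string) => { value: GraphObject[] };

const GRAPH = 'https://graph.microsoft.com/v1.0';
const GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Build the Graph lookup URL. appId is checked against the GUID shape first so a
// caller-supplied value cannot alter the OData $filter expression.
function lookupUrl(resource: GraphResource, appId: string): string {
  if (!GUID.test(appId)) throw new Error(`appId is not a GUID: ${appId}`);
  return `${GRAPH}/${resource}?$filter=appId eq '${appId}'&$select=id,appId,displayName`;
}

// Resolve exactly one object for appId; zero or several matches are errors, since a
// site permission must not be granted to an ambiguous principal.
function resolveIdentity(query: GraphQuery, resource: GraphResource, appId: string): GraphObject {
  const { value } = query(lookupUrl(resource, appId));
  if (value.length !== 1) {
    throw new Error(`${resource}: expected 1 object for appId ${appId}, got ${value.length}`);
  }
  return value[0];
}

// Constructed fake tenant (placeholder GUIDs, not real identities): an app registration
// has both an application object and a service principal; a managed identity has only
// a service principal, which is why the /applications lookup misses it.
const APP_REG_APPID = '11111111-1111-1111-1111-111111111111';
const MANAGED_ID_APPID = '22222222-2222-2222-2222-222222222222';
const tenant: Record<GraphResource, GraphObject[]> = {
  applications: [{ id: 'a1', appId: APP_REG_APPID, displayName: 'my-app-registration' }],
  servicePrincipals: [
    { id: 'sp1', appId: APP_REG_APPID, displayName: 'my-app-registration' },
    { id: 'sp2', appId: MANAGED_ID_APPID, displayName: 'my-managed-identity' },
  ],
};

// Offline stand-in for Graph: answers the $filter=appId eq '...' query over the fake tenant.
const fakeGraph: GraphQuery = (url) => {
  const m = /\/v1\.0\/(applications|servicePrincipals)\?\$filter=appId eq '([^']+)'/.exec(url);
  if (!m) throw new Error(`unexpected URL: ${url}`);
  const [, resource, wanted] = m;
  return { value: tenant[resource as GraphResource].filter(o => o.appId === wanted) };
};
```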