Description
I'm reaching out to report an issue I'm encountering while using the Grant-PnPAzureADAppSitePermission command in PowerShell.
Here are the details of the issue:
I connect using a Client ID that has delegated permissions with Full Control already approved.
When I attempt to register a site using Grant-PnPAzureADAppSitePermission for an App Registration that only has Sites.Selected permissions, I unexpectedly receive a permission approval prompt for Full Control over the App Registration.
This seems inconsistent, as the App Registration is only configured with Sites.Selected. It appears the system is incorrectly requiring elevated permissions that shouldn't be necessary.
```powershell
# Site to connect to and the app registration used for the interactive (delegated) session
$SiteUrl = "https://tenant.sharepoint.com/sites/example"
$ClientId = "00000000-0000-0000-0000-000000000000"
Connect-PnPOnline -Url $SiteUrl -ClientId $ClientId -Interactive

# Target app registration (configured with Sites.Selected only) to be granted site-level access
$AppId = "11111111-1111-1111-1111-111111111111"
Grant-PnPAzureADAppSitePermission -AppId $AppId -DisplayName "SharePoint Permission" -Permissions FullControl -Site $SiteUrl
```
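The same grant flow with a least-privilege role and a read-back of what was actually recorded on the site, as an added example that is not part of the original report or of PnP PowerShell itself. It assumes the report's placeholder values and that `Get-PnPAzureADAppSitePermission -AppIdentity` filters grants by app id and returns objects exposing `Id` and `Roles` (assumed from the cmdlet's documented shape).

```powershell
# Added example (not from the original report): grant a Sites.Selected app the
# narrowest role it needs, then verify the grant rather than trusting the prompt.
# Placeholder values mirror the report; replace them for a real tenant.
$SiteUrl    = "https://tenant.sharepoint.com/sites/example"
$ClientId   = "00000000-0000-0000-0000-000000000000"   # app used for the interactive session
$AppId      = "11111111-1111-1111-1111-111111111111"   # Sites.Selected app being granted access
$NeededRole = "Write"                                   # least privilege; FullControl only if required

Connect-PnPOnline -Url $SiteUrl -ClientId $ClientId -Interactive

# Check what the target app already holds on this site so grants are not stacked.
# -AppIdentity filtering by app id is assumed here.
$existing = Get-PnPAzureADAppSitePermission -Site $SiteUrl -AppIdentity $AppId
if ($existing) {
    Write-Host "Existing grant(s) for ${AppId}:"
    $existing | ForEach-Object { Write-Host ("  {0} -> {1}" -f $_.Id, ($_.Roles -join ",")) }
} else {
    Grant-PnPAzureADAppSitePermission -AppId $AppId -DisplayName "SharePoint Permission" `
        -Permissions $NeededRole -Site $SiteUrl
}

# Re-read the grants and flag any role broader than intended (comparison is case-insensitive).
$after = Get-PnPAzureADAppSitePermission -Site $SiteUrl -AppIdentity $AppId
foreach ($grant in $after) {
    $roles = @($grant.Roles) | ForEach-Object { $_.ToString().ToLowerInvariant() }
    if (($roles -contains "fullcontrol") -and ($NeededRole -ne "FullControl")) {
        Write-Warning ("Grant {0} carries FullControl; narrow it with " +
            "Set-PnPAzureADAppSitePermission -Site {1} -PermissionId {0} -Permissions {2}" -f `
            $grant.Id, $SiteUrl, $NeededRole)
    }
}
```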
❖ Expected Behavior
I connect using an Azure AD App ($ClientId) that already has delegated FullControl permissions approved.
The target App Registration ($AppId) only has the Sites.Selected permission.
I expect that granting site-level permissions to the App Registration would not trigger a new consent screen, especially not one requesting FullControl for the app with Sites.Selected.
❖ Actual Behavior
When I run the Grant-PnPAzureADAppSitePermission command, I am prompted to consent to FullControl permissions on the target App Registration ($AppId), despite it only having Sites.Selected configured.
This seems to be an incorrect or unintended behavior. Could you confirm if this is expected, or if this could be a bug in how permissions are evaluated or consent is triggered?