Configure SharePoint Site with limited access using authorization scope
This feature is available under the early adopter program. To join the program and request access to the capability, write to aem-forms-ea@adobe.com from your official email address.
The purpose of limited or restricted access is to enhance security management by allowing administrators to control user access to a particular SharePoint Site or a group of SharePoint Sites. The permission level is useful when you need to grant a user or group access to a specific Site without allowing them to view any other non-allowed SharePoint Sites.
Advantages to configure SharePoint Site with the limited access
Providing limited access to a SharePoint Site has the following advantages:
- Enhanced security: By limiting access, you ensure that only authorized personnel can view or modify sensitive information, reducing the risk of unauthorized access.
- Principle of least privilege: Users receive the minimum level of access or permissions needed to perform their job functions. This minimizes each user's exposure to sensitive parts of the environment, which protects against potential internal threats.
- Data protection: Restricted access safeguards critical data against exposure. It ensures that only users who need to see the data can access it, which is essential for complying with data protection regulations.
- Accidental data loss prevention: With fewer people able to modify content, the chances of accidental deletion or alteration of important data are significantly reduced.
- Controlled data flow: It helps control the flow of information within and outside the organization, ensuring that data does not end up in the wrong hands.
Configure SharePoint with limited access using authorization scope
Follow the steps below to configure SharePoint Sites with limited access using authorization scopes:
Create an application with the limited permission in the Azure portal
Create an application with the `Sites.Selected` permission scope in Microsoft's Graph API. For information on how to retrieve the Client ID, Client Secret and Tenant ID for the OAuth URL, see .
- In the Microsoft® Azure portal, add the Redirect URI as `https://[author-instance]/libs/cq/sharepoint/content/configurations/wizard.html`. Replace `[author-instance]` with the URL of your Author instance.
- Add the `offline_access` and `Sites.Selected` permission scopes in Microsoft's Graph API to provide restricted access to Sites.
- For the OAuth URL, use `https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize`. Replace `<tenant-id>` with the Tenant ID of your app from the Microsoft® Azure portal.
Using the `Sites.Selected` API permission requires an application registered in the Azure portal with the appropriate permissions granted for the SharePoint Online Sites. Unlike the tenant-wide `Sites.*.All` permissions, `Sites.Selected` gives the application access only to the sites that an administrator has explicitly granted to it; until a site is granted, the application can reach no site at all. This setup ensures that the application has the necessary authorization to interact with the SharePoint Site within the defined scope, thereby providing the required limited access.
Refer to the for instructions on developing applications that use `Sites.Selected` permissions for SharePoint Online Sites.
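The following Python script is added here as an example; it is not part of AEM Forms or of this page. It shows the three pieces of the Azure configuration above in code: building the authorize URL for the tenant, checking that the requested scopes stay within `Sites.Selected` (a tenant-wide `Sites.*.All` scope in the same request would silently undo the limited-access intent), and building the body of the per-site permission grant (`POST /sites/{site-id}/permissions` on Microsoft Graph) that an administrator issues before an application holding `Sites.Selected` can reach a site. The tenant ID, client ID, Author host name and application display name are placeholders.

```python
"""
Helpers for the Azure app registration step: authorize URL, scope check,
and the per-site permission grant that Sites.Selected requires.
Added example, not part of AEM Forms or this page. All identifiers are
placeholders.
"""
from urllib.parse import urlencode, urlparse, parse_qs

# Graph permissions that cover every site in the tenant. None of them
# belongs in a limited-access configuration.
BROAD_SITE_SCOPES = {
    "Sites.Read.All",
    "Sites.ReadWrite.All",
    "Sites.Manage.All",
    "Sites.FullControl.All",
}

# Placeholder values (not real tenants or apps).
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
REDIRECT_URI = "https://author.example.com/libs/cq/sharepoint/content/configurations/wizard.html"
SCOPES = ["offline_access", "Sites.Selected"]


def build_authorize_url(tenant_id, client_id, redirect_uri, scopes):
    """Return the /oauth2/v2.0/authorize URL named on this page, with the
    standard authorization-code query parameters."""
    query = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
    }
    return (
        f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize?"
        + urlencode(query)
    )


def scopes_from_url(url):
    """Read the space-separated scope list back out of an authorize URL."""
    return parse_qs(urlparse(url).query)["scope"][0].split(" ")


def check_least_privilege(scopes):
    """Return the scopes that would widen access to every site in the tenant.

    An empty list means the request stays within Sites.Selected.
    """
    return sorted(s for s in scopes if s in BROAD_SITE_SCOPES)


def site_permission_grant(client_id, app_display_name, roles=("write",)):
    """Body for POST /sites/{site-id}/permissions on Microsoft Graph.

    Sites.Selected grants nothing by itself; an administrator grants the
    application a role on each site it may use. "write" is the role needed
    to create files, which the submit action does in the document library.
    """
    return {
        "roles": list(roles),
        "grantedToIdentities": [
            {"application": {"id": client_id, "displayName": app_display_name}}
        ],
    }


if __name__ == "__main__":
    url = build_authorize_url(TENANT_ID, CLIENT_ID, REDIRECT_URI, SCOPES)
    print(url)
    print("broad scopes:", check_least_privilege(SCOPES))
    print(site_permission_grant(CLIENT_ID, "AEM Forms SharePoint connector"))
```

Run `check_least_privilege` against the scope list you type into the Azure API permissions blade and into the AEM Authorization Scope field; both should come back empty. The grant body is sent once per site, by an identity that already holds admin rights on that site, and the roles in it are the ceiling of what the AEM configuration can do there regardless of which delegated scopes the user consents to.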
Set the authorization scope at AEM instance
To provide limited access to a Microsoft SharePoint Site, the authorization scope must be set correctly. To set the authorization scope and connect AEM Forms to your Microsoft® SharePoint storage:
- Go to your AEM Forms Author instance > Tools > Cloud Services > Microsoft® SharePoint.
- Once you select Microsoft® SharePoint, you are redirected to the SharePoint Browser.
- Select a Configuration Container. The configuration is stored in the selected Configuration Container.
- Click Create > SharePoint Document Library from the drop-down list. The SharePoint configuration wizard appears.
- Specify the Title, Client ID and Client Secret. For information on how to retrieve the Client ID and Client Secret, see .
  NOTE: Whether the Client Secret field is mandatory or optional depends on your Azure Active Directory application configuration. If your application is configured to use a client secret, providing it is mandatory.
- Use the OAuth URL `https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize`. Replace `<tenant-id>` with the Tenant ID of your app from the Microsoft® Azure portal.
- Add `offline_access Sites.Selected` in the Authorization Scope field. When you add the `offline_access Sites.Selected` scope in the Authorization Scope textbox, the SharePoint Site ID textbox becomes visible on the screen.
- Specify the SharePoint Site ID. To learn how to retrieve the SharePoint Site ID, refer to the Extra Bytes section.
- Click Check Site Connection. On a successful connection, the `Connection Successful` message appears.
- Now, select SharePoint Site > Document Library > SharePoint Folder to save the data.
  NOTE:
  - By default, `forms-ootb-storage-adaptive-forms-submission` is present at the selected SharePoint Site.
  - If it is not already present in the Documents library of the selected SharePoint Site, create a folder named `forms-ootb-storage-adaptive-forms-submission` by clicking Create Folder.
Now, you can use this SharePoint Sites configuration for the submit action in an Adaptive Form.
Extra Bytes
To retrieve the value of the SharePoint Site ID:
- Go to the .
- In the left pane, under the SharePoint Sites APIs, click Search for a SharePoint site by keyword.
- Replace the placeholder `contoso` with the actual name of your SharePoint Site to fetch the corresponding Site ID.
Upon clicking the Run Query button, the Site ID is displayed on the screen.
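The keyword search above is `GET https://graph.microsoft.com/v1.0/sites?search=<keyword>`, and it can return more than one site (a search for `Contoso` also matches a site named `Contoso Archive`). The following Python script, added here as an example and not part of AEM Forms or this page, picks the site by its full web URL instead of taking the first hit, and validates the shape of the returned Site ID (`<hostname>,<site-collection-id>,<web-id>`) before it is pasted into the SharePoint Site ID field. The JSON response is constructed to mirror the shape of the Graph response; the host name, site names and GUIDs in it are placeholders.

```python
"""
Select and validate a SharePoint Site ID from a Microsoft Graph site search
response. Added example, not part of AEM Forms or this page. The response
below is constructed; the host, GUIDs and site names are placeholders.
"""
import json
import re
from urllib.parse import urlparse

GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
# A Site ID is "<hostname>,<site-collection-id>,<web-id>".
SITE_ID_RE = re.compile(rf"^([a-z0-9.-]+),({GUID}),({GUID})$", re.IGNORECASE)

# Constructed stand-in for GET /v1.0/sites?search=contoso (two hits).
SAMPLE_SEARCH_RESPONSE = json.dumps({
    "value": [
        {
            "id": "contoso.sharepoint.com,11111111-1111-1111-1111-111111111111,22222222-2222-2222-2222-222222222222",
            "displayName": "Contoso Archive",
            "webUrl": "https://contoso.sharepoint.com/sites/ContosoArchive",
        },
        {
            "id": "contoso.sharepoint.com,33333333-3333-3333-3333-333333333333,44444444-4444-4444-4444-444444444444",
            "displayName": "Contoso",
            "webUrl": "https://contoso.sharepoint.com/sites/Contoso",
        },
    ]
})


def is_valid_site_id(site_id):
    """True if site_id has the hostname,guid,guid shape Graph returns."""
    return SITE_ID_RE.match(site_id) is not None


def parse_site_id(site_id):
    """Split a Site ID into (hostname, site collection id, web id) or raise."""
    m = SITE_ID_RE.match(site_id)
    if not m:
        raise ValueError(f"not a SharePoint Site ID: {site_id!r}")
    return m.group(1).lower(), m.group(2).lower(), m.group(3).lower()


def _url_key(url):
    """Normalise a site URL to (host, path) for exact comparison."""
    u = urlparse(url)
    return u.netloc.lower(), u.path.rstrip("/").lower()


def find_site_id(search_response_json, web_url):
    """Return the id of the site whose webUrl equals web_url.

    Matching on the full URL rather than the keyword avoids configuring
    AEM Forms against a similarly named site.
    """
    wanted = _url_key(web_url)
    for site in json.loads(search_response_json).get("value", []):
        if _url_key(site.get("webUrl", "")) == wanted:
            parse_site_id(site["id"])  # fail early on an unexpected shape
            return site["id"]
    raise LookupError(f"no site with webUrl {web_url}")


def site_id_matches_host(site_id, web_url):
    """Cross-check: the host inside the Site ID must be the site URL's host."""
    host, _, _ = parse_site_id(site_id)
    return host == urlparse(web_url).netloc.lower()


if __name__ == "__main__":
    target = "https://contoso.sharepoint.com/sites/Contoso"
    site_id = find_site_id(SAMPLE_SEARCH_RESPONSE, target)
    print("Site ID:", site_id)
    print("host check:", site_id_matches_host(site_id, target))
```

Replace `SAMPLE_SEARCH_RESPONSE` with the JSON that Run Query returns and `target` with the URL of the site you intend to grant; the Site ID printed is the value for the wizard's SharePoint Site ID field.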