pnp · gautamdsheth · Dec 7, 2023 · Dec 6, 2023 · Dec 6, 2023 · Dec 7, 2023
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -50,6 +50,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 - Added support for executing the 'Invoke-PnPSPRestMethod' cmdlet in a batch [#3565](https://github.com/pnp/powershell/pull/3565)
 - Added `Get-PnPSiteSetVersionPolicyProgress` cmdlet which allows for getting the progress of setting a version policy for existing document libraries on a site [#3564](https://github.com/pnp/powershell/pull/3564)
 - Added `EnableSensitivityLabelForPDF` to `Set-PnPTenant` and `Get-PnPTenant` [#3581](https://github.com/pnp/powershell/pull/3581)
+- Added the ability to set Manage and FullControl permissions directly when using Sites.Selected with `Grant-PnPAzureADAppSitePermission` [#3617](https://github.com/pnp/powershell/pull/3617)
 - Added `Remove-PnPMicrosoft365GroupPhoto` cmdlet which allows removal of profile picture of M365 Group. [#3607](https://github.com/pnp/powershell/pull/3607)
 
 ### Fixed

diff --git a/documentation/Grant-PnPAzureADAppSitePermission.md b/documentation/Grant-PnPAzureADAppSitePermission.md
@@ -20,12 +20,12 @@ Adds permissions for a given Azure Active Directory application registration.
 ## SYNTAX
 
 ```powershell
-Grant-PnPAzureADAppSitePermission -AppId <Guid> -DisplayName <String> -Permissions <Read|Write> [-Site <SitePipeBind>] [-Connection <PnPConnection>]
+Grant-PnPAzureADAppSitePermission -AppId <Guid> -DisplayName <String> -Permissions <Read|Write|Manage|FullControl> [-Site <SitePipeBind>] [-Connection <PnPConnection>]
 ```
 
 ## DESCRIPTION
 
-This cmdlet adds permissions for a given Azure Active Directory application registration in a site collection. It is used in conjunction with the Azure Active Directory SharePoint application permission Sites.Selected. Notice that this cmdlet allows for fewer permissions compared to updating rights through [Set-PnPAzureADAppSitePermission](Set-PnPAzureADAppSitePermission.md). If you wish to i.e. assign FullControl permissions, you need to add read or write permissions through this cmdlet first and then update it to FullControl.
+This cmdlet adds permissions for a given Azure Active Directory application registration in a site collection. It is used in conjunction with the Azure Active Directory SharePoint application permission Sites.Selected.
 
 ## EXAMPLES
 
@@ -38,10 +38,10 @@ Adds permissions for the Azure Active Directory application registration with th
 
 ### EXAMPLE 2
 ```powershell
-Grant-PnPAzureADAppSitePermission -AppId "aa37b89e-75a7-47e3-bdb6-b763851c61b6" -DisplayName "TestApp" -Permissions Write -Site https://contoso.sharepoint.com/sites/projects
+Grant-PnPAzureADAppSitePermission -AppId "aa37b89e-75a7-47e3-bdb6-b763851c61b6" -DisplayName "TestApp" -Permissions FullControl -Site https://contoso.sharepoint.com/sites/projects
 ```
 
-Adds permissions for the Azure Active Directory application registration with the specific application id and sets the rights to 'Write' access for the site collection at the provided URL.
+Adds permissions for the Azure Active Directory application registration with the specific application id and sets the rights to 'FullControl' access for the site collection at the provided URL.
 
 ## PARAMETERS
 
@@ -88,14 +88,14 @@ Accept wildcard characters: False
 ```
 
 ### -Permissions
-Specifies the permissions to set for the Azure Active Directory application registration which can either be Read or Write. Use [Set-PnPAzureADAppSitePermission](Set-PnPAzureADAppSitePermission.md) after initially adding these permissions to update it to Manage or FullControl permissions.
+Specifies the permissions to set for the Azure Active Directory application registration which can either be Read, Write, Manage or FullControl.
 
 ```yaml
 Type: String
 Parameter Sets: (All)
 
 Required: True
-Accepted values: Read, Write
+Accepted values: Read, Write, Manage, FullControl
 Position: Named
 Default value: None
 Accept pipeline input: False

diff --git a/src/Commands/Apps/GrantAzureADAppSitePermission.cs b/src/Commands/Apps/GrantAzureADAppSitePermission.cs
@@ -14,6 +14,7 @@ namespace PnP.PowerShell.Commands.Apps
     [Cmdlet(VerbsSecurity.Grant, "PnPAzureADAppSitePermission")]
     [RequiredMinimalApiPermissions("Sites.FullControl.All")]
     [Alias("Grant-PnPEntraIDAppSitePermission")]
+    [OutputType(typeof(AzureADAppPermissionInternal))]
     public class GrantPnPAzureADAppSitePermission : PnPGraphCmdlet
     {
         [Parameter(Mandatory = true)]
@@ -36,39 +37,50 @@ protected override void ExecuteCmdlet()
             Guid siteId = Guid.Empty;
             if (ParameterSpecified(nameof(Site)))
             {
+                WriteVerbose($"Using Microsoft Graph to lookup the site Id of the passed in site using -{nameof(Site)}");
                 siteId = Site.GetSiteIdThroughGraph(Connection, AccessToken);
+                WriteVerbose($"Site passed in using -{nameof(Site)} resolved to Id {siteId}");
             }
             else
             {
+                WriteVerbose($"No specific site passed in through -{nameof(Site)}, taking the currently connected to site");
                 siteId = PnPContext.Site.Id;
+                WriteVerbose($"Currently connected to site has Id {siteId}");
             }
 
-            if (siteId != Guid.Empty)
+            if (siteId == Guid.Empty)
             {
-                var payload = new
-                {
-                    roles = Permissions.Select(p => p.ToLower()).ToArray(),
-                    grantedToIdentities = new[] {
-                            new {
-                                application = new {
-                                    id = AppId.ToString(),
-                                    displayName = DisplayName
-                                }
+                WriteVerbose("Id of the site to provide permissions on could not be defined. Please ensure you're passing in a valid site using -{nameof(Site)}");
+                return;
+            }
+
+            // Construct the payload of the Graph request
+            var payload = new
+            {
+                roles = Permissions.Select(p => p.ToString().ToLowerInvariant()).ToArray(),
+                grantedToIdentities = new[] {
+                        new {
+                            application = new {
+                                id = AppId.ToString(),
+                                displayName = DisplayName
                             }
-                        },
-                    grantedToIdentitiesV2 = new[] {
-                            new {
-                                application = new {
-                                    id = AppId.ToString(),
-                                    displayName = DisplayName
-                                }
+                        }
+                    },
+                grantedToIdentitiesV2 = new[] {
+                        new {
+                            application = new {
+                                id = AppId.ToString(),
+                                displayName = DisplayName
                             }
                         }
-                };
+                    }
+            };
 
-                var results = Utilities.REST.RestHelper.PostAsync<AzureADAppPermissionInternal>(Connection.HttpClient, $"https://{Connection.GraphEndPoint}/v1.0/sites/{siteId}/permissions", AccessToken, payload).GetAwaiter().GetResult();
-                WriteObject(results.Convert());
-            }
+            WriteVerbose($"Granting App with Id {AppId} the permission{(payload.roles.Length != 1 ? "s" : "")} {string.Join(',', payload.roles)}");
+
+            // Make the Graph Grant request
+            var result = Utilities.REST.RestHelper.PostAsync<AzureADAppPermissionInternal>(Connection.HttpClient, $"https://{Connection.GraphEndPoint}/v1.0/sites/{siteId}/permissions", AccessToken, payload).GetAwaiter().GetResult();
+            WriteObject(result.Convert());
         }
     }
 }
diff --git a/src/Commands/Enums/AzureADNewSitePermissionRole.cs b/src/Commands/Enums/AzureADNewSitePermissionRole.cs
@@ -2,7 +2,7 @@
 {
     /// <summary>
     /// Defines the roles that can be chosen when setting up a new site permission
-    /// See <a href="https://learn.microsoft.com/en-us/graph/api/resources/permission#roles-property-values">Graph Reference</a>
+    /// See <a href="https://learn.microsoft.com/graph/api/resources/permission#roles-property-values">Graph Reference</a>
     /// </summary>
     public enum AzureADNewSitePermissionRole
     {
@@ -14,6 +14,16 @@ public enum AzureADNewSitePermissionRole
         /// <summary>
         /// Provides the ability to read and modify the metadata and contents of the item
         /// </summary>
-        Write
+        Write,
+
+        /// <summary>
+        /// Applies the SharePoint manage permissions
+        /// </summary>
+        Manage,
+
+        /// <summary>
+        /// Applies Full Control permissions
+        /// </summary>
+        FullControl
     }
 }
diff --git a/src/Commands/Enums/AzureADUpdateSitePermissionRole.cs b/src/Commands/Enums/AzureADUpdateSitePermissionRole.cs
@@ -2,7 +2,7 @@
 {
     /// <summary>
     /// Defines the roles that can be chosen when updating an existing site permission
-    /// See <a href="https://learn.microsoft.com/en-us/graph/api/resources/permission#roles-property-values">Graph Reference</a>
+    /// See <a href="https://learn.microsoft.com/graph/api/resources/permission#roles-property-values">Graph Reference</a>
     /// </summary>
     public enum AzureADUpdateSitePermissionRole
     {