Add Get, Grant, Set and Revoke cmdlets for EntraID app file permissions

[fabianhutzli]

Type

• Bug Fix
• New Feature
• Sample

Summary

Adds four new cmdlets that manage app-only permissions on individual files in document libraries, enabling the use of the Files.SelectedOperations.Selected Entra ID app permission scoped to a single file.

New cmdlets

• Get-PnPEntraIDAppFilePermission – returns all or filtered file permissions (by PermissionId or AppIdentity)
• Grant-PnPEntraIDAppFilePermission – grants a new permission for an Entra ID app registration on a file
• Set-PnPEntraIDAppFilePermission – updates the role of an existing file permission
• Revoke-PnPEntraIDAppFilePermission – removes a file permission (with confirmation prompt / -Force)

Implementation notes

• Uses Microsoft Graph Drive API (/drives/{driveId}/items/{driveItemId}/permissions)
• Files can be identified by -Path (relative to the library root, e.g. Folder/SubFolder/file.docx) or by -FileId (Graph drive item ID); exactly one must be provided
• The drive is resolved automatically from the list via GET /sites/{siteId}/lists/{listId}/drive
• Lists can be identified by GUID or display name
• Permission roles are Read, Write, Owner
• App display names are enriched via a best-effort GET /v1.0/servicePrincipals lookup
• Documentation included
• Developed with AI assistance
• Tested