SharePoint Integration for Knowledge Buddy – How Are Customers Avoiding Tenant‑Wide Permissions?

We are attempting to integrate SharePoint with Pega Knowledge Buddy using the documented SharePoint REST (/_api) approach. However, based on Microsoft guidance, app‑only SharePoint REST access appears to require tenant‑wide permissions, which cannot be scoped to specific sites or libraries.
Our organization requires least‑privilege access (e.g., Sites.Selected), which is only supported via Microsoft Graph. The current Knowledge Buddy implementation seems to rely exclusively on SharePoint REST and does not clarify how access can be restricted.
For those who have successfully implemented this:

Are you using tenant‑wide SharePoint permissions in Azure?
If not, how are you technically restricting access to specific sites or libraries?
Has anyone implemented this using Microsoft Graph or an intermediary service?

We are trying to understand if there is a supported, secure pattern we may be missing, or if this integration inherently requires tenant‑wide access.
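As an added example (not code from the original post, Pega or Microsoft), this is the shape of the intermediary-service pattern the question raises: an Azure app registration holding only the Sites.Selected application permission, an admin granting it a role on one site through Graph, and the service refusing to call Graph with any token that carries tenant-wide Sites.* permissions. The site ID, app ID and tokens are constructed placeholders; the Graph endpoints and the roles/grantedToIdentities request body are the documented Graph ones.

```python
"""Intermediary-service helpers for least-privilege SharePoint reads via
Microsoft Graph Sites.Selected. Added example, not Pega or Microsoft code.
Assumes: an Azure app registration holding only the Sites.Selected
application permission, and a constructed site ID / app ID."""
import base64
import json

GRAPH = "https://graph.microsoft.com/v1.0"
# Tenant-wide Graph application permissions the service must never run with.
TENANT_WIDE = {"Sites.Read.All", "Sites.ReadWrite.All",
               "Sites.Manage.All", "Sites.FullControl.All"}


def site_grant_request(site_id, app_id, app_name, role="read"):
    """Graph call an admin issues once per site to grant the app access to
    that site only (Sites.Selected grants nothing until this is done).
    Policy choice here: allow only read or write, never owner-level roles."""
    if role not in ("read", "write"):
        raise ValueError("only 'read' or 'write' grants are permitted by policy")
    return {"method": "POST", "url": f"{GRAPH}/sites/{site_id}/permissions",
            "body": {"roles": [role], "grantedToIdentities": [
                {"application": {"id": app_id, "displayName": app_name}}]}}


def token_roles(access_token):
    """App-role claims from the token payload. Inspection only: the signature
    is NOT verified here, so use this as a guard, not as authentication."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))


def privilege_problems(access_token):
    """Empty list when the token is least-privilege; otherwise the reasons."""
    roles = token_roles(access_token)
    problems = [f"tenant-wide permission present: {r}" for r in sorted(roles & TENANT_WIDE)]
    if "Sites.Selected" not in roles:
        problems.append("Sites.Selected missing; per-site grants will not apply")
    return problems


def list_library_request(site_id, access_token):
    """Read the site's default document library, refusing over-privileged tokens."""
    problems = privilege_problems(access_token)
    if problems:
        raise PermissionError("; ".join(problems))
    return {"method": "GET", "url": f"{GRAPH}/sites/{site_id}/drive/root/children",
            "headers": {"Authorization": f"Bearer {access_token}"}}


def fake_token(roles):
    """Constructed, unsigned JWT-shaped string for offline demonstration only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'roles': roles})}.signature"
```

In a real deployment the token comes from the client-credentials flow against `https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token` with scope `https://graph.microsoft.com/.default`, and its `roles` claim is what `privilege_problems` inspects before any site is read.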