Microsoft Graph service exception Error code: accessDenied with Site.Selected Permission

s-taxcomreporting SA 6 Reputation points
2020-12-30T06:33:03.157+00:00

I have application which uploads files from S3 to a specific Sharepoint site using Microsoft graph Java SDK. I registered app called 'S3ToSharePoint' in Azure active directory, add Application type 'Sites.Selected' permission to my app since admin won't grant Sites.ReadWrite.All(Application) for security concern. In the description of 'Sites.Selected', it says 'Allow the application to access a subset of site collections without a signed in user. The specific site collections and the permissions granted will be configured in SharePoint Online. ' So I added this the account as owner(full access) in Sharepoint sites(not sure if this is the correct way to do configuration). But still got 'accessDenied' error when trying to upload to this Sharepoint sites. Does anyone know if this is the correct way? I saw someone use Sites.ReadWrite.All(Application) and that works for them. Not sure 'Sites.Selected' will do the same since it is in preview mode.
sites.selected permission
ClientCredentialProvider and ms graph java sdk upload
accessDenied

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
10,518 questions
SharePoint
SharePoint
A group of Microsoft Products and technologies used for sharing and managing content, knowledge, and applications.
9,560 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,384 questions

9 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. SUNOJ KUMAR YELURU 13,921 Reputation points MVP
    2020-12-30T06:50:38.993+00:00

    @s-taxcomreporting SA

    Thanks for asking question!
    Have you chosen the right set of permissions?

    Understanding Azure AD permissions and consent

    Resolve Microsoft Graph authorization errors

    Please let us know if you have further query on this.

    ----------

    Please don’t forget to "Accept the answer" and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    0 comments
  2. s-taxcomreporting SA 6 Reputation points
    2020-12-30T08:04:38.707+00:00

    Hi @SUNOJ KUMAR YELURU ,
    Thanks for the link, I checked all your links and I believe I choose the right set of permission. Basically, I am trying to use ClientCredentialProvider to get auth token since my app is a scheduled job which won't need user interaction. For scope, I use 'https://graph.microsoft.com/.default', which is standard for ClientCredentialProvider auth. The API permission the registered app has is https://graph.microsoft.com/Sites.Selected (Application Type), and it has been granted admin consent.
    I have an updated debug screenshot for accessDenied info.
    debug logging

  3. Amos Wu-MSFT 4,051 Reputation points
    2020-12-31T03:26:29.127+00:00

    Hi @s-taxcomreporting SA ,
    You could try to add Application Files.ReadWrite.All, Sites.ReadWrite.All permission.
    Document for your reference:https://learn.microsoft.com/en-us/graph/api/driveitem-put-content?view=graph-rest-1.0&tabs=http
    52431-llle.png
    I tested successfully with the following permissions.
    52432-image.png

    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

  4. Dakota Wray 1 Reputation point
    2021-01-15T22:08:57.02+00:00

    Any resolution to this? Doesn't look like there's any documentation on the Sites.Selected permission level.

    0 comments
  5. Francisco Muñoz 1 Reputation point
    2021-01-30T00:03:24.547+00:00

    Hi, same issue here ... really, is quite surprise that MS not support limit the SP to just a set of shrepoint selected.

    Here is the request ..
    https://microsoftgraph.uservoice.com/forums/920506-microsoft-graph-feature-requests/suggestions/34678792-manage-permissions-at-ressource-level-for-sharepoi

    But i dont see in any place when will be in GA

    0 comments