Get-MgSitePermission is returning a $Null value

Faris Malaeb 46 Reputation points
2022-08-12T18:17:52.303+00:00

Hi,
I have the following.
PowerShell: 7
Graph Module: 1.11.0
Sharepoint Site: ITTeam
Graph Authentication: Application Authentication with the following scope

Sites.Selected
Sites.Read.All
Sites.Manage.All
User.Read.All
Mail.Send
Chat.ReadWrite.All
Sites.FullControl.All
Chat.Create

When I run the following code, I get no result:
$SiteName=get-mgsite -Search 'it team'
Get-MgSitePermission -SiteID $SiteName.id
When I run the Get-MgSitePermission with debugging, it seems that the graph is not returning any value.

PS D:\Powershell\> get-mgsitepermission -Debug -siteid $SiteName.id  
DEBUG: [CmdletBeginProcessing]: - Get-MgSitePermission begin processing with parameterSet 'List1'.  
DEBUG: [Authentication]: - AuthType: 'UserProvidedAccessToken', AuthProviderType: 'UserProvidedToken', ContextScope: 'Process', AppName: 'PSHelpdeskBot'.  
DEBUG: [Authentication]: - Scopes: [Sites.Selected, Sites.Read.All, Sites.Manage.All, User.Read.All, Mail.Send, Chat.ReadWrite.All, Sites.FullControl.All, Chat.Create].  
DEBUG: ============================ HTTP REQUEST ============================  
  
HTTP Method:  
GET  
  
Absolute Uri:  
https://graph.microsoft.com/v1.0/sites/mydomainhere.sharepoint.com%2C6440xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-80894f585fbd/permissions  
  
Headers:  
SdkVersion                    : graph-powershell/1.11.0,Graph-dotnet-1.25.1  
FeatureFlag                   : 00000047  
Cache-Control                 : no-store, no-cache  
User-Agent                    : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.14393; en-US),PowerShell/2022.6.3,Get-MgSitePermission_List1  
Accept-Encoding               : gzip  
  
Body:  
  
  
  
DEBUG: ============================ HTTP RESPONSE ============================  
  
Status Code:  
OK  
  
Headers:  
Cache-Control                 : no-store, no-cache  
Transfer-Encoding             : chunked  
Vary                          : Accept-Encoding  
Strict-Transport-Security     : max-age=31536000  
request-id                    : 55d6d051-4e69-48bf-9cdf-df3e90623faa  
client-request-id             : 55d6d051-4e69-48bf-9cdf-df3e90623faa  
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"South India","Slice":"E","Ring":"2","ScaleUnit":"000","RoleInstance":"MA1PEPF00002027"}}  
Link                          : <https://developer.microsoft-tst.com/en-us/graph/changes?$filterby=v1.0,Removal&from=2021-09-01&to=2021-10-01>;rel="deprecation";type="text/html",<https://developer.microsoft-tst.com/en-us/graph/changes?$filterby=v1.0,Removal&from=2021-09-01&to=2021-10-01>;rel="deprecation";type="text/html"  
Deprecation                   : Fri, 03 Sep 2021 23:59:59 GMT  
Sunset                        : Sun, 03 Sep 2023 23:59:59 GMT  
OData-Version                 : 4.0  
Date                          : Tue, 09 Aug 2022 12:29:42 GMT  
  
Body:  
{  
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#sites('mydomainhere.sharepoint.com%xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx4f2f-a824-80894f585fbd')/permissions",  
  "value": []  
}  
  
  
DEBUG: [CmdletEndProcessing]: - Get-MgSitePermission end processing.  

Accepted answer
  1. CarlZhao-MSFT 37,456 Reputation points
    2022-08-15T08:20:44.673+00:00

    Hi @Faris Malaeb

    Please refer to the complete script. Before that, make sure you have the Sites.FullControl.All application permission.

     # App registration details (placeholders)
     $clientID = 'client id'
     $secretKey = 'client secret'
     $tenantID = 'tenant id'
     $authUrl = "https://login.microsoftonline.com/" + $tenantID + "/oauth2/v2.0/token/"
     # Client-credentials request for an app-only Graph token
     $body = @{
         "scope" = "https://graph.microsoft.com/.default"
         "grant_type" = "client_credentials"
         "client_id" = $clientID
         "client_secret" = $secretKey
     }

     $authToken = Invoke-RestMethod -Uri $authUrl -Method POST -Body $body
     # Replace {sitesId} with the ID of the site
     $url = "https://graph.microsoft.com/v1.0/sites/{sitesId}/permissions"
     $headers = @{
         "Authorization" = "Bearer $($authToken.access_token)"
         "Content-type"  = "application/json"
     }
     $response = Invoke-RestMethod -Uri $url -Headers $headers -Method Get
     Write-Output $response.value
    

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
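
A hardened variant of the script above, as an added example (not CarlZhao-MSFT's or Microsoft's code). It confirms a token was issued, reads the token's `roles` claim to flag tenant-wide `Sites.*.All` permissions held alongside `Sites.Selected` (the combination in the question's scope list), refuses to send the bearer token to a non-https URL, and fetches each permission individually because the list response shown in this thread carries only the id and the application grantee. The placeholder IDs and the `GRAPH_CLIENT_SECRET` environment variable are assumptions.

```powershell
# Added example; placeholder values are assumptions, not values from the thread.
$tenantId = '<tenant-id>'
$clientId = '<client-id>'
$secret   = $env:GRAPH_CLIENT_SECRET   # assumed env var; keeps the secret out of the script
$siteId   = '<hostname>,<site-collection-guid>,<web-guid>'

function Get-JwtPayload([string]$Jwt) {
    # Decode the base64url middle segment of a JWT (no signature check; inspection only).
    $parts = $Jwt.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected header.payload.signature' }
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    $b64 += '=' * ((4 - $b64.Length % 4) % 4)
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

$token = (Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -Body @{
        grant_type    = 'client_credentials'
        scope         = 'https://graph.microsoft.com/.default'
        client_id     = $clientId
        client_secret = $secret
    }).access_token
if ([string]::IsNullOrWhiteSpace($token)) { throw 'Token endpoint returned no access_token' }

# App-only tokens carry application permissions in the "roles" claim.
$roles = @((Get-JwtPayload $token).roles)
$broad = @($roles | Where-Object { $_ -like 'Sites.*.All' })
if ($roles -contains 'Sites.Selected' -and $broad) {
    Write-Warning "Sites.Selected is combined with tenant-wide roles: $($broad -join ', ')"
}

$base = [uri]"https://graph.microsoft.com/v1.0/sites/$siteId/permissions"
# Never attach a bearer token to anything but an absolute https URL.
if (-not $base.IsAbsoluteUri -or $base.Scheme -ne 'https') { throw "Refusing to send token to '$base'" }
$headers = @{ Authorization = "Bearer $token" }

# The list call returns only id and grantee; fetch each permission for its roles.
foreach ($p in (Invoke-RestMethod -Uri $base -Headers $headers).value) {
    $detail = Invoke-RestMethod -Uri "$base/$($p.id)" -Headers $headers
    [pscustomobject]@{
        App   = $p.grantedToIdentitiesV2.application.displayName
        AppId = $p.grantedToIdentitiesV2.application.id
        Roles = $detail.roles -join ','
    }
}
```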


3 additional answers

  1. Faris Malaeb 46 Reputation points
    2022-08-16T11:12:26.307+00:00

    I ran

    New-MgSitePermission

    as mentioned and got the result ID = string, Roles={Write}

    In Postman, I got

    {
      "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#sites('theabudhabichamber.sharepoint.com%2C50cb4d97-ac68-4794-9d22-c5f9555f7a35%2Cca3647e0-f130-4ce4-bfa4-100410e8098a')/permissions",
      "value": [
        {
          "id": "aTowaS50fG1zLnNwLmV4dHxhNTRlY2QwOS0xMzI2LTQ3ZWQtODkxMy05MzZiMDc1OGRlOGFANzVhNmQ5MDctMDE3Ny00ZDVhLTg2YzctZTU1ZWVjMjZiZjVh",
          "grantedToIdentitiesV2": [
            {
              "application": {
                "displayName": "ADC-OneDriveShare",
                "id": "a54ecd09-1326-47ed-8913-936b0758de8a"
              }
            }
          ],
          "grantedToIdentities": [
            {
              "application": {
                "displayName": "ADC-OneDriveShare",
                "id": "a54ecd09-1326-47ed-8913-936b0758de8a"
              }
            }
          ]
        }
      ]
    }

    But when I try to invoke the first code you gave I got

    Invoke-RestMethod: untitled:Untitled-1:19:13
    Line |
    19 | $response = Invoke-RestMethod -Uri $url -Headers $headers -Method Get
    | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    | {"error":{"code":"InvalidAuthenticationToken","message":"Access token is empty.","innerError":{"date":"2022-08-16T11:11:08","request-id":"139d8110-10d6-49cc-b8f9-301f34b5cb5d","client-request-id":"139d8110-10d6-49cc-b8f9-301f34b5cb5d"}}}
    even though the Access Token value is there, I can call the $headers and see the token "Bearer eyJ0eXAiOiJKV1QiLCJub25jZS....."

    Anyway, I don't know if this is the correct result, as I am expecting to see a list of users who have access to the site.


  2. Faris Malaeb 46 Reputation points
    2022-08-17T05:17:32.48+00:00

    @CarlZhao-MSFT what do you think about the results ?


  3. Faris Malaeb 46 Reputation points
    2022-08-17T07:47:48.107+00:00

    The Connection part

    -----------

    $clientID = 'xxxxx-1326-47ed-8913-xxxxx'
    $secretKey = '9~f8Q5x61.mNchSyfQddU'
    $tenantID = 'xxxxxx-0177-4d5a-86c7-xxxxxxx'
    $authUrl = "https://login.microsoftonline.com/" + $tenantID + "/oauth2/v2.0/token/"
    $body = @{
    "scope" = "https://graph.microsoft.com/.default";
    "grant_type" = "client_credentials";
    "client_id" = $ClientID
    "client_secret" = $secretKey
    }

    $authToken = Invoke-RestMethod -Uri $authUrl –Method POST -Body $body
    $url = "graph.microsoft.com/v1.0/sites/thexxxxxxxxxxxr.sharepoint.com,5xxxxx7-ac68-4794-9d22-c5xxxxxxxx35,ca3647e0-f130-4ce4-bfa4-100xxxxxxxxxx98a/permissions"
    $headers = @{
    "Authorization" = "Bearer $($authToken.access_token)"
    "Content-type" = "application/json"
    }

    $response = Invoke-RestMethod -Uri $url -Headers $headers -Method Get
    Write-Output $response.value

    --------------

    Results:
    Invoke-RestMethod:
    Line |
    19 | $response = Invoke-RestMethod -Uri $url -Headers $headers -Method Get
    | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    | {"error":{"code":"InvalidAuthenticationToken","message":"Access token is empty.","innerError":{"date":"2022-08-17T07:46:32","request-id":"1ea58e47-2a70-4b6f-81bb-15603d2e6688","client-request-id":"1ea58e47-2a70-4b6f-81bb-15603d2e6688"}}}