Graph API - Site Permissions show no roles

Philippe Côté 0 Reputation points
2024-05-02T01:02:39.0866667+00:00

Hi,

I'm trying to set up Sites.Selected Graph API permissions for an App Registration. After manually adding the Sites.Selected permission through Entra ID and granting consent, I've used the Graph Explorer with a Global Admin account to add the site permissions. When I do a POST to the https://graph.microsoft.com/v1.0/sites/xxxxxxx/permissions endpoint, I get this kind of response:

{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#sites('xxxxxxxxx.sharepoint.com')/permissions/$entity",
  "id": "aTowaS50fG1zLnNwLmV4xNi1jOTEzNTc3NDBjYWNANDU2NjlkMxxxxxxTktNmFiNi00N2NjLWFkYWYtMzA2OTg2MDVmNmU3",
  "roles": [ "write" ],
  "grantedToIdentitiesV2": [
    { "application": { "displayName": "Philster", "id": "6f1adxxxxxx8856-c91357740cac" } }
  ],
  "grantedToIdentities": [
    { "application": { "displayName": "Philster", "id": "6f1adxxxxxxx-c91357740cac" } }
  ]
}

So far, all good. However, when I try to access the sites/... /drives, I get a 403. My JWT token is good, and I can see the Sites.Selected permission in there. To double-check, I've gone back to list the permissions on the site, and I can see the following:

{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#sites('xxxxxxx.sharepoint.com')/permissions",
  "value": [
    {
      "@deprecated.GrantedTo": "GrantedTo has been deprecated. Refer to GrantedToV2",
      "id": "xxxxx",
      "grantedToIdentitiesV2": [
        { "application": { "displayName": "Philster", "id": "xxxxxxx" } }
      ],
      "grantedToIdentities": [
        { "application": { "displayName": "Philster", "id": "xxxxxxx" } }
      ]
    }
  ]
}

Looks good, except that... it's missing the "roles": ["read"] property!

Looking at the documentation, examples and articles, this should work and I should be able to see the roles.

I had initially tried this with a Teams site; now it's on the root SharePoint site, same behavior.

Any ideas?

Thanks in advance,

Phil

Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.

4 answers

  1. Hitesh Pachipulusu - MSFT 80 Reputation points Microsoft Vendor
    2024-05-03T21:02:01.13+00:00

    Hello @Philippe Cote ,

    Using Delegated Permissions:

    If you are trying to use the "https://graph.microsoft.com/v1.0/sites/xxxxxxx/drives" API in Graph Explorer, then you need to add the Files.Read permission in the Modify Permissions tab and consent to it.

    Please refer to this documentation. https://learn.microsoft.com/en-us/graph/api/drive-list?view=graph-rest-1.0&tabs=http

    Using Application Permissions:

    If you are trying to fetch drive information without a signed-in user (application permission), then you need to create two app registrations. The first application will have the Sites.FullControl.All permission and the second application will have the Sites.Selected permission.

    Using the first application, you can make a POST call to "https://graph.microsoft.com/v1.0/sites/xxxxxxx/permissions" with the second application's details in the request body. You can perform the above operations in Postman or you can use PowerShell. You cannot use the Graph Explorer because it only supports delegated permissions.

    Then you will be able to fetch the drive details using the second application without a signed-in user.

    Please refer to the documentation below.

    https://devblogs.microsoft.com/microsoft365dev/controlling-app-access-on-specific-sharepoint-site-collections/

    https://techcommunity.microsoft.com/t5/microsoft-sharepoint-blog/develop-applications-that-use-sites-selected-permissions-for-spo/ba-p/3790476

    Hope this helps.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".


  2. Philippe Côté 0 Reputation points
    2024-05-04T12:45:55.8566667+00:00

    Hi,

    I'm trying to do this through PowerShell scripts and code. I basically follow the procedure you mentioned. What's weird is that when I create the site permissions, I can see the role returned after the POST ("role" = ["read"]). However, when I list the permissions on the same site after creating it, no roles are returned. It looks like a bug in the Graph API, unless I'm missing something.

    Phil


  3. maravedi 0 Reputation points
    2024-05-15T18:15:19.15+00:00

    Phil,

    I ran into the same issue, and figured out that you need to grab that id value in your first response and then send a GET request to the "Get site permission" endpoint: GET /sites/{sitesId}/permissions/{permissionId}.

    In summary, list all permissions on the site using GET /sites/{sitesId}/permissions, then find the id for the section that contains your app/user, and replace {permissionId} with that id to get the specific permissions using GET /sites/{sitesId}/permissions/{permissionId}.

    I hope that helps.

    David

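The two-app flow from answer 1 (admin registration with Sites.FullControl.All grants the Sites.Selected app access via POST /sites/{siteId}/permissions) and the read-back from answer 3 (GET /sites/{siteId}/permissions/{permissionId}, which does return "roles" while the listing does not), combined into one script. This is an added example, not code from the thread, from Microsoft, or from the poster. It assumes the caller already holds a bearer token for the admin registration; obtaining that token is out of scope. The FakeGraph transport, the site id contoso.sharepoint.com, the all-zeros application id and the display name are constructed so the flow runs offline and mimics exactly the behaviour reported on this page.

```python
"""Grant Sites.Selected on one site and read back what was actually granted.
Added example for this thread (not Microsoft's or the poster's code). Assumes the
caller already holds a bearer token for the admin app registration that has
Sites.FullControl.All; obtaining that token is out of scope here."""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def graph_transport(token):
    """Live transport: (method, url, body_or_None) -> parsed JSON, bearer auth."""
    def send(method, url, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("Authorization", f"Bearer {token}")
        if data is not None:
            req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read() or b"{}")
    return send


def grant_body(app_id, display_name, roles):
    """Body for POST /sites/{siteId}/permissions, the shape quoted in the question."""
    return {"roles": list(roles),
            "grantedToIdentities": [{"application": {"id": app_id, "displayName": display_name}}]}


def grant_site_permission(send, site_id, app_id, display_name, roles=("read",)):
    """Run with the admin app's token (answer 1); grants the Sites.Selected app access."""
    return send("POST", f"{GRAPH}/sites/{site_id}/permissions",
                grant_body(app_id, display_name, roles))


def app_ids(permission):
    """Application ids a permission names; V2 field first, then the deprecated one."""
    idents = (permission.get("grantedToIdentitiesV2")
              or permission.get("grantedToIdentities") or [])
    return {i["application"]["id"] for i in idents if "application" in i}


def find_permission_ids(send, site_id, app_id):
    """Ids of the site permissions naming this app; the listing itself omits 'roles'."""
    listing = send("GET", f"{GRAPH}/sites/{site_id}/permissions", None)
    return [p["id"] for p in listing.get("value", []) if app_id in app_ids(p)]


def effective_roles(send, site_id, permission_id):
    """GET /sites/{siteId}/permissions/{permissionId} does include 'roles' (answer 3)."""
    perm = send("GET", f"{GRAPH}/sites/{site_id}/permissions/{permission_id}", None)
    return set(perm.get("roles", []))


def verify_grant(send, site_id, app_id, expected):
    """(ok, roles): ok only when exactly one grant names the app and its roles equal
    the intended set, so a 'write' grant where 'read' was meant fails the check."""
    ids = find_permission_ids(send, site_id, app_id)
    if len(ids) != 1:
        return False, set()
    roles = effective_roles(send, site_id, ids[0])
    return roles == set(expected), roles


class FakeGraph:
    """Constructed offline stand-in reproducing the behaviour reported on this page:
    POST and GET-by-id return 'roles'; the list response drops it."""
    def __init__(self):
        self.perms = {}

    def __call__(self, method, url, body=None):
        parts = url[len(GRAPH):].split("/")  # ['', 'sites', siteId, 'permissions', id?]
        pid = parts[4] if len(parts) > 4 else None
        if method == "POST":
            pid = f"perm{len(self.perms) + 1}"
            self.perms[pid] = {"id": pid, "roles": list(body["roles"]),
                               "grantedToIdentitiesV2": body["grantedToIdentities"],
                               "grantedToIdentities": body["grantedToIdentities"]}
            return self.perms[pid]
        if pid is None:
            return {"value": [{k: v for k, v in p.items() if k != "roles"}
                              for p in self.perms.values()]}
        return self.perms[pid]


def demo():
    """Constructed ids: site 'contoso.sharepoint.com', all-zeros app (client) id."""
    send = FakeGraph()  # use graph_transport(token) against a real tenant
    site, app = "contoso.sharepoint.com", "00000000-0000-0000-0000-000000000001"
    grant_site_permission(send, site, app, "Philster", roles=("read",))
    return verify_grant(send, site, app, {"read"})


if __name__ == "__main__":
    print(demo())  # (True, {'read'})
```

Against a real tenant, replace FakeGraph() with graph_transport(token), where the token belongs to the admin registration only; the Sites.Selected app never needs it. The verify step is the check worth keeping: it re-reads the grant by permission id and compares the recorded roles with the intended ones, so a grant that came back as "write" when "read" was meant (as in the POST response quoted in the question) is caught before the low-privilege app is put into use.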

  4. maravedi 0 Reputation points
    2024-05-15T18:56:59.6866667+00:00

    [redacted] (I accidentally posted the answer twice)
