question

staxcomreportingSA-3996 asked JeremyKelleySHAREPOINT-6243 commented

Microsoft Graph service exception Error code: accessDenied with Site.Selected Permission

I have an application which uploads files from S3 to a specific SharePoint site using the Microsoft Graph Java SDK. I registered an app called 'S3ToSharePoint' in Azure Active Directory and added the Application-type 'Sites.Selected' permission to my app, since the admin won't grant Sites.ReadWrite.All (Application) for security concerns. In the description of 'Sites.Selected', it says 'Allow the application to access a subset of site collections without a signed in user. The specific site collections and the permissions granted will be configured in SharePoint Online.' So I added the account as owner (full access) in the SharePoint sites (not sure if this is the correct way to do the configuration). But I still get an 'accessDenied' error when trying to upload to these SharePoint sites. Does anyone know if this is the correct way? I saw someone use Sites.ReadWrite.All (Application) and that works for them. Not sure 'Sites.Selected' will do the same since it is in preview mode.
sites.selected permission
ClientCredentialProvider and ms graph java sdk upload
accessDenied


Tags: office-sharepoint-online, azure-active-directory, microsoft-graph-sdk

Wanted to provide an update, we are in the process of investigating issues with upload and download and the Sites.Selected scope. Apologies for the inconvenience this causes, we're working to resolve it ASAP.

0 Votes 0 ·

Another update, we've deployed a fix for the upload / download issue, please let me know if you continue to see a problem going forward.

0 Votes 0 ·
learn2skills answered

@staxcomreportingSA-3996

Thanks for asking question!
Have you chosen the right set of permissions?

Understanding Azure AD permissions and consent


Resolve Microsoft Graph authorization errors

Please let us know if you have further query on this.



Please don’t forget to "Accept the answer" and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.





staxcomreportingSA-3996 answered learn2skills edited

Hi @learn2skills ,
Thanks for the links, I checked all of them and I believe I chose the right set of permissions. Basically, I am trying to use ClientCredentialProvider to get the auth token since my app is a scheduled job which won't need user interaction. For the scope, I use 'https://graph.microsoft.com/.default', which is standard for ClientCredentialProvider auth. The API permission the registered app has is https://graph.microsoft.com/Sites.Selected (Application type), and it has been granted admin consent.
I have an updated debug screenshot for accessDenied info.
(screenshot: debug logging)




And 'Sites.Selected' is in preview mode and I can't find it in this permission reference documentation: https://docs.microsoft.com/en-us/graph/permissions-reference#sites-permissions. I am wondering if it can be used? Thanks!




0 Votes 0 ·
learn2skills · staxcomreportingSA-3996 ·

I suggest creating a support ticket with the MSFT Azure team from the Azure portal; they will work more closely with you on this matter.

0 Votes 0 ·
AmosWu-MSFT answered staxcomreportingSA-3996 commented

Hi @staxcomreportingSA-3996 ,
You could try to add Application Files.ReadWrite.All, Sites.ReadWrite.All permission.
Document for your reference: https://docs.microsoft.com/en-us/graph/api/driveitem-put-content?view=graph-rest-1.0&tabs=http
I tested successfully with the following permissions.


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.




Thanks @AmosWu-MSFT , Application Files.ReadWrite.All, Sites.ReadWrite.All will probably work, but my admin won't give this permission for security concerns as it allows the application to have write access to all SharePoint sites.

0 Votes 0 ·
DakotaWray-0504 answered DakotaWray-0504 edited

Any resolution to this? Doesn't look like there's any documentation on the Sites.Selected permission level.


fmunozse answered

Hi, same issue here ... really, it is quite surprising that MS does not support limiting the SP access to just a set of selected SharePoint sites.

Here is the request ..
https://microsoftgraph.uservoice.com/forums/920506-microsoft-graph-feature-requests/suggestions/34678792-manage-permissions-at-ressource-level-for-sharepoi

But I don't see anywhere when it will be in GA.


JuanBetancourt-7857 answered

Hi @staxcomreportingSA-3996, may I ask how did you add the Application as owner in Sharepoint sites?

So I added this the account as owner(full access) in Sharepoint sites


JeremyKelleySHAREPOINT-6243 answered JosiahCarpenter-7776 commented

Just found this question today and wanted to provide some clarity.

There are two components to making the scenario work.

1 You already found the first, which is requesting Sites.Selected.

2 The second is using the new Permissions API on the Site object (https://docs.microsoft.com/en-us/graph/api/resources/permission?view=graph-rest-1.0) to grant access to your application on each site you want to be able to access.


To accomplish #2 you will need a separate application that already has Sites.FullControl.All. The intent here is that the application that manages the permissions would likely be owned by your IT or Tenant Admin group since granting permissions requires the necessary broad scope.

See our blog post (https://developer.microsoft.com/en-us/graph/blogs/controlling-app-access-on-specific-sharepoint-site-collections/) for more details and a demo.


Hi Jeremy, I'm not the original poster, but I have followed the instructions in the blog and I can read data on the site (lists, document libraries, etc.), but I can't download files. I get an access denied message whenever I try to download the content of a file. I've posted about the issue here:

https://docs.microsoft.com/en-us/answers/questions/293640/access-denied-bug-in-granular-site-permissions-for.html

Any help with this bug would be much appreciated!

0 Votes 0 ·
DawidWysocki-6562 · JosiahCarpenter-7776 ·

@JeremyKelleySHAREPOINT-6243

I have also encountered this bug. It's annoying.
My administrator is not keen on giving me Sites.Read.All permission because of security issues, but it seems that Sites.Selected is bugged.
Any workarounds or solutions?

0 Votes 0 ·

At present our only workaround is to create a service account, give it access only to the sites we need to interact with, then use the client credential flow with the Graph API. It's an ugly workaround that we are anxious to get fixed.

0 Votes 0 ·

WilsonReddyGajarla-7725 answered

The SharePoint tenant admin has to approve access for the AAD app prior to making the call. The tenant admin can use Graph Explorer to grant permissions. You can refer to the article for details.

Make a POST request to https://graph.microsoft.com/v1.0/sites/<<siteId>>/permissions to grant permissions to the AAD app on the SPO site.
Headers: Content-Type: application/json
Body:
{
  "roles": ["read"],
  "grantedToIdentities": [{
    "application": {
      "id": "<<client id from step 1>>",
      "displayName": "<<name of aad app created in step 1>>"
    }
  }]
}


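The two-step model JeremyKelleySHAREPOINT-6243 describes (the worker app holds only Sites.Selected; a separate admin app holding Sites.FullControl.All grants it access per site) and the POST body WilsonReddyGajarla-7725 quotes, brought together as an added example. This is not code from the thread or from Microsoft. It builds the grant request in the body shape quoted above, checks the worker app's token for tenant-wide scopes that Sites.Selected is meant to replace, and maps an `accessDenied` error body to the next thing to verify. The site id, app id and token are constructed placeholders; the accepted role names are assumed to be "read" and "write"; no network call is made unless you call `send_grant()` yourself with a real admin token.

```python
"""Added example; not code from the Q&A thread or from Microsoft.

Models the Sites.Selected setup: (1) the worker app is granted only
Sites.Selected, and (2) an admin app (Sites.FullControl.All) grants that worker
app read/write on one site via POST /sites/{siteId}/permissions.
"""
import json
from urllib.request import Request, urlopen

GRAPH = "https://graph.microsoft.com/v1.0"
ALLOWED_ROLES = {"read", "write"}  # assumption: roles accepted by the site grant
# Tenant-wide application permissions that Sites.Selected is meant to replace.
BROAD_SITE_SCOPES = {"Sites.Read.All", "Sites.ReadWrite.All",
                     "Sites.FullControl.All", "Files.ReadWrite.All"}


def build_grant_request(site_id, app_id, display_name, roles, admin_token):
    """Return (url, headers, body) for the site-level grant.

    admin_token must come from the admin app (Sites.FullControl.All); the
    Sites.Selected worker app cannot grant itself access.
    """
    unknown = set(roles) - ALLOWED_ROLES
    if unknown:
        raise ValueError(f"unsupported role(s): {sorted(unknown)}")
    body = {
        "roles": sorted(set(roles)),
        "grantedToIdentities": [
            {"application": {"id": app_id, "displayName": display_name}}
        ],
    }
    headers = {
        "Content-Type": "application/json",
        "Authorization": f"Bearer {admin_token}",
    }
    return f"{GRAPH}/sites/{site_id}/permissions", headers, body


def send_grant(url, headers, body):
    """Perform the POST; only call this with a real admin token."""
    req = Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")
    with urlopen(req) as resp:
        return json.load(resp)


def diagnose_access_denied(error_payload, token_roles):
    """Map a Graph error body plus the app token's `roles` claim to the next check.

    With the client credential flow, granted application permissions appear in
    the access token's `roles` claim, so that claim shows what the app holds.
    """
    code = error_payload.get("error", {}).get("code", "")
    roles = set(token_roles)
    if code != "accessDenied":
        return f"not an authorization failure (code={code!r})"
    if roles & BROAD_SITE_SCOPES:
        return "accessDenied despite a tenant-wide scope: verify admin consent and the target site id"
    if "Sites.Selected" in roles:
        return ("accessDenied with Sites.Selected only: no site-level grant exists for this app on "
                "the target site; an admin app must POST /sites/{siteId}/permissions for it")
    return "accessDenied: token carries no Sites.* application permission"


def audit_token_roles(token_roles):
    """Least-privilege check: list tenant-wide site scopes present in the token."""
    return sorted(set(token_roles) & BROAD_SITE_SCOPES)


if __name__ == "__main__":
    # Constructed placeholders, not real identifiers.
    url, headers, body = build_grant_request(
        "contoso.sharepoint.com,SITE-GUID-PLACEHOLDER,WEB-GUID-PLACEHOLDER",
        "APP-ID-PLACEHOLDER", "S3ToSharePoint", ["write"], "ADMIN-TOKEN-PLACEHOLDER")
    print(url)
    print(json.dumps(body, indent=2))
    # Constructed error body in the {"error": {"code": ..., "message": ...}} shape Graph uses.
    err = {"error": {"code": "accessDenied", "message": "Access denied"}}
    print(diagnose_access_denied(err, ["Sites.Selected"]))
    print(audit_token_roles(["Sites.Selected", "Files.ReadWrite.All"]))
```

The grant is issued by the admin app, so the worker app's own token is never enough on its own; decoding the worker token's `roles` claim and running `audit_token_roles` is a quick way to confirm no broad scope crept back in while debugging the `accessDenied` response.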