question

BuntingUSMoses-6386 avatar image
1 Vote"
BuntingUSMoses-6386 asked NITESHRANJAN-7839 answered

Graph API - SharePoint Site Permissions - Operation Not Supported

Referencing https://docs.microsoft.com/en-us/graph/api/site-list-permissions?view=graph-rest-1.0&tabs=http, I'm trying to list permissions on a SharePoint site. The site in question does not inherit permissions from its parent.

I'm able to get the site using GET https://graph.microsoft.com/v1.0/sites/{site-id} and see the results. I'm also able to see other relationships, e.g. /lists, /sites, etc, to see other information.

When I try to list the permissions using GET https://graph.microsoft.com/v1.0/sites/{site-id}/permissions per the documentation link above, I get 400 - Bad Request response saying operation not supported.

I'm using the composite site id (host name, site collection guid, site guid) for all calls.

Any assistance is greatly appreciated.

microsoft-graph-sites-lists
· 5
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Similar issue here. I don't get 400 but rather 200 and the response is just blank like this. We have permissions and the account has full control via the api.


{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#sites('SITEID')/permissions",
"value": []
}

0 Votes 0 ·

@Atomz4peace-0027 @BuntingUSMoses-6386
Was this endpoint returning any data before in your cases? I have noticed that when I create a new permission using Create Site Permission, the permission is in GET https://graph.microsoft.com/v1.0/sites/{site-id}/permissions



0 Votes 0 ·

If I create through the API it shows. So maybe I'm not understanding what this api gives. When you go into the site via the UI and set the site permissions in the GUI, like owners, members, view, we are trying to find that list of users that have access to the sites. Sounds like that's not this.

Any idea where we see which users are owners/members/viewers of a site?

1 Vote 1 ·

Here's the response I'm getting..

400 - Bad request

{
"error": {
"code": "notSupported",
"message": "Operation not supported",
"innerError": {
"date": "2021-03-12T13:22:12",
"request-id": "acba5b2b-9661-4c42-8c27-7c07efa9329e",
"client-request-id": "acba5b2b-9661-4c42-8c27-7c07efa9329e"
}
}
}

0 Votes 0 ·

@Atomz4peace-0027 I suggest you open a new question because @BuntingUSMoses-6386 's question is different for which I will post an answer here.

0 Votes 0 ·
Danstan-MSFT avatar image
1 Vote"
Danstan-MSFT answered BuntingUSMoses-6386 commented

List Site Permissions unlike Get Site does not support delegated permissions on work and school accounts. This could be why you are getting Not Supported. Please check your permissions and see if it works with Application permissions. Try on Graph Explorer after selecting Sites.FullControl.All which requires admin consent.


· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

My Azure application has the following permissions:

Microsoft Graph Sites.FullControl.All (Application)
SharePoint Sites.FullControl.All (Application)

Both have been granted admin consent.

0 Votes 0 ·
sureshyadaw avatar image
0 Votes"
sureshyadaw answered sureshyadaw published

I'm also unable to get the site's permissions.
Below are the steps which I followed:
1. Get the root site by {MSURL}/v1.0/sites/root/
2. Get the id from step 1 and try to get root site permission by {MSURL}/sites/{siteId}/permissions
Response: 200
{
"@odata.context": "{MSURL}$metadata#sites('siteId')/permissions",
"value": []
}
3. Now, I tried to list all the sites available by using {MSURL}/sites/{siteId}/sites
Response was 200 and I got a list of sites. Perfect!
4. After that I tied to get any site's permission by using
4.a. Using: {MSURL}/sites/{anySiteId}/permissions
Response 400
"error": "code": "notSupported",
"message": "Operation not supported",


4.b. Using: {MSURL}/sites/{siteId}/site/{anySiteId}/permissions
Response 400
"error": code":"BadRequest",
"message":"Resource not found for the segment 'site'."


5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

sureshyadaw avatar image
0 Votes"
sureshyadaw answered NITESHRANJAN-7839 commented

As mentioned by @Danstan and I also verified that Graph API is not returning the site's permission.
So, @BuntingUSMoses-6386 or whoever is looking for an alternate solution to this issue.
And the solution to get a site's permission or the groups and members of the site is by using Microsoft.SharePoint.Client.

Code example(https://www.c-sharpcorner.com/blogs/get-available-site-groups-using-csom1):

 //Get Site Url fro user    
             Console.Write("Enter Site URL: ");  
             string strURL = Console.ReadLine();  
      
             //Get Username from user in the format of (Domain/Login ID)    
             Console.Write("Enter UserName (domain/userid): ");  
             string strUserName = Console.ReadLine();  
      
             Console.Write("Enter your password: ");  
             string pass = getPassword();  
             Console.WriteLine();  
      
             ClientContext ctx = new ClientContext(strURL);  
             ctx.Credentials = new NetworkCredential(strUserName, pass);  
             Web web = ctx.Web;  
             //Parameters to receive response from the server    
             //SiteGroups property should be passed in Load method to get the collection of groups    
             ctx.Load(web, w => w.Title, w => w.SiteGroups);  
             ctx.ExecuteQuery();  
      
             GroupCollection groups = web.SiteGroups;  
                  
             Console.WriteLine("Groups associated to the site: " + web.Title);  
             Console.WriteLine("Groups Count: " + groups.Count.ToString());  
             foreach(Group grp in groups)  
             {  
                 Console.WriteLine(grp.Title);  
             }  


· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Graph API current doesn't have end points for the permission. Have you evaluated using REST API instead to loop through permissions/groups? I found an article on the same
https://sharepointcass.com/2021/04/15/sharepoint-online-rest-apis-part-v-sharepoint-groups/

0 Votes 0 ·
KathyBlasco-4579 avatar image
0 Votes"
KathyBlasco-4579 answered AntalNAGY-1048 commented

@sureshyadaw, @Danstan
I have also tried to use this Get for site permissions in PowerShell and I do get a 200 response but it does not list the permissions like the documentation states. I also need all of the permissions, SharePoint groups, users, and Office 365 groups.

My Azure application does have Sites.FullControl.All and is granted by admin.

I am using the following to connect:

 Connect-PnPOnline -Url https://HIDDEN.sharepoint.com/ -ClientId HIDDEN -Tenant "HIDDEN.onmicrosoft.com" -Thumbprint HIDDEN

Then these statements to gather the permissions for the site:

 $baererToken = (Get-PnPGraphAccessToken)
 $headers = @{ Authorization=("Bearer " + $baererToken) }
 $webRequest = Invoke-WebRequest –Uri "https://graph.microsoft.com/v1.0/sites/HIDDEN/permissions" –Method Get -Headers $headers

The following is what is returned and this is also what is returned when I use Graph Explorer:

StatusCode : 200
StatusDescription : OK
Content : {"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#sites('HIDDEN.sharepoint.com%2CHIDDEN%2CHIDDEN')/permissions","value":[]}
RawContent : HTTP/1.1 200 OK
Transfer-Encoding: chunked
Strict-Transport-Security: max-age=31536000
request-id: HIDDEN
client-request-id: HIDDEN
x-m...
Forms : {}
Headers : {[Transfer-Encoding, chunked], [Strict-Transport-Security, max-age=31536000], [request-id,
HIDDEN], [client-request-id, HIDDEN]...}
Images : {}
InputFields : {}
Links : {}
ParsedHtml : mshtml.HTMLDocumentClass
RawContentLength : 203

Executing the following:

 $webRequest = Invoke-WebRequest –Uri "https://graph.microsoft.com/v1.0/sites/HIDDEN" –Method Get -Headers $headers

Actually returns what I would expect for this request.





























· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

I have tried to fetch permissions from C# SDK:

var permissions = await graphClient.Sites["{Site ID}"].Permissions.Request().GetAsync();


Get the same error: Operation Not Supported

App registration has all the necessary API permission:
Sites.FullControl.All

Any development on this issue?

0 Votes 0 ·
NITESHRANJAN-7839 avatar image
0 Votes"
NITESHRANJAN-7839 answered

Graph API currently doesn't have site permission end points. Alternatively we can try to use REST end points.

_api/web/SiteGroups/GetByName('Group Name')/Users
_api/web/SiteGroups/GetById(3)/Users?$filter=Email eq 'UserEmail@email.com'

https://sharepointcass.com/2021/04/15/sharepoint-online-rest-apis-part-v-sharepoint-groups/

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.