If you are running in the context of a user (delegate permissions), the resulting permissions are always the subset of permissions granted to your app and those the user has. In other words, you will never be able to leverage "higher" permission that what the user has. If you are running in the application permission model, there is no user and thus you get unrestricted access (whatever the permissions allow, Sites.Read.All will allow all read operations).
MSgraph (Site.read.all) access to SharePoint list data prevented by permissions set on the sharepoint site
Coleman, Mark
21
Reputation points
We have an application that has site.read.all access.
Is this permission overruled by actual permissions to the sharepoint list set in SharePoint?
I ask as we seem only able to call the list details when the logged in user (via AD SSO) has been given permissions to read the list data.
Is this the case? or are we making an error in our MS graph call?