Graph API Search Fails with App-Only Sites.Selected Permissions - Failed to search: 500 Internal Server Error

Danny A Muntean 0 Reputation points
2024-10-03T13:46:49.81+00:00

Hello,

I am using the Microsoft Graph API with SharePoint and App-Only Sites.Selected permissions. I have granted the application “full control” over the selected sites, and I can retrieve an access token and make successful API calls to most endpoints.

For example, the following request works successfully:

GET /sites/{site-id}/drive/root/

However, when I attempt to perform a search on the same site using:

GET /sites/{site-id}/drive/root/search(q='{search-text}')

I receive the following response:

HTTP/1.1 500 Internal Server Error
Content-type: application/json

{
    "error": {
        "code": "generalException",
        "message": "General exception while processing",
        "innerError": {
            "date": "2024-10-03T13:12:51",
            "request-id": "{request-id}",
            "client-request-id": "{client-request-id}"
        }
    }
}

Interestingly, if I add the Sites.ReadWrite.All permission to the application, the search request works as expected. However, this permission is too broad for my needs, as I do not want to grant access to all SharePoint sites.

My Questions:

  1. Are there any additional configuration steps or permissions required to enable search functionality with Sites.Selected?
  2. Is this behavior expected when using Sites.Selected with "full control"?
  3. Is there a way to perform search operations within the selected sites without requiring Sites.ReadWrite.All?

2 answers

  1. Hitesh Pachipulusu - MSFT 2,145 Reputation points Microsoft Vendor
    2024-10-03T14:33:51.3166667+00:00

    Hello Danny A Muntean,

    Thank you for reaching out to Microsoft Support!

    It sounds like you’re encountering a limitation with the Sites.Selected permission scope. Here are some insights and potential solutions to your questions:

    1. Additional Configuration Steps or Permissions: The Sites.Selected permission scope is designed to provide granular access to specific sites. However, it appears that search functionality is not fully supported with this permission alone. This is why adding Sites.ReadWrite.All resolves the issue, as it grants broader permissions that include search capabilities.
    2. Expected Behavior: Yes, this behavior is expected. The Sites.Selected permission scope does not inherently support all operations, including search. The error you’re encountering (generalException) indicates that the operation is not permitted with the current permission set.
    3. Performing Search Operations Without Sites.ReadWrite.All: Unfortunately, to perform search operations within the selected sites, you might need to use broader permissions like Sites.ReadWrite.All. However, you can mitigate the risk by carefully managing the application’s access and ensuring it only interacts with the intended sites. Another approach could be to use delegated permissions if user context is available, but this might not fit your app-only scenario.

    In summary, the Sites.Selected permission scope has limitations regarding search functionality. Using Sites.ReadWrite.All is a workaround, but it does broaden the access scope. You might need to balance the need for search functionality with the security implications of broader permissions.

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.


  2. Danny A Muntean 0 Reputation points
    2024-10-10T16:55:56.06+00:00

    Hello,

    I wanted to follow up on my initial question to provide additional information for anyone trying to use the Sites.Selected permission with the DriveItem Search method.

    According to the Microsoft Graph documentation, Sites.Selected is not supported by the DriveItem Search method. However, the documentation indicates that Files.Read.All should be a supported permission. After adding Files.Read.All, I’m still encountering the same 500 Internal Server Error when using the search endpoint.

    From what I can gather, it seems like the Search method recognizes Sites.Selected as an acceptable permission level and attempts to process the request, but fails, instead of falling back to the Files.Read.All permissions as expected.

    I’m not sure how to submit a support ticket to the Microsoft Graph API team to investigate this issue. Any guidance on how to proceed would be appreciated.

    Thank you, Danny
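
A check that fits the permission trade-off discussed in this thread, added here as an example (not code from either poster or from Microsoft): it decodes an app-only token's `roles` claim and reports whether a tenant-wide permission named in the thread sits alongside Sites.Selected. The function names and sample tokens are constructed for illustration, and the payload is decoded without signature validation, so this is for inspection only.

```python
import base64
import json

# Application permissions named in this thread, classified by reach.
# Sites.Selected covers only sites the app was explicitly granted;
# the other two apply to every site collection in the tenant.
SITE_SCOPED = {"Sites.Selected"}
TENANT_WIDE = {"Sites.ReadWrite.All", "Files.Read.All"}


def token_claims(jwt: str) -> dict:
    """Decode a JWT payload for inspection only (no signature check)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_roles(jwt: str) -> dict:
    """Split the app-only token's 'roles' claim by how far each role reaches."""
    roles = set(token_claims(jwt).get("roles", []))
    return {
        "site_scoped": sorted(roles & SITE_SCOPED),
        "tenant_wide": sorted(roles & TENANT_WIDE),
        "other": sorted(roles - SITE_SCOPED - TENANT_WIDE),
        # True only when every granted role is limited to selected sites.
        "least_privilege": bool(roles) and roles <= SITE_SCOPED,
    }


def _constructed_token(roles):
    """Build an unsigned sample token (constructed data, hypothetical helper)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    claims = {"aud": "https://graph.microsoft.com", "roles": roles}
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    for roles in (["Sites.Selected"], ["Sites.Selected", "Files.Read.All"]):
        print(roles, "->", audit_roles(_constructed_token(roles)))
```

Running this against the token the app actually receives also confirms whether a newly added permission has been consented and is present in the token at all.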
