Share via

Get Granted User/Group Permissions for SharePoint Files via MS Graph

AM91 0 Reputation points
2024-11-11T22:04:49.0066667+00:00

I am developing an application that needs to read files from SharePoint. Specifically, I want to limit access to a specific list of SharePoint folders, which I believe can be managed using the Sites.Selected permission for the app. Additionally, I need to retrieve the permissions for files within these sites, ideally via the IDs of the Microsoft 365 users and groups with access.

I aim to authenticate the app via Client / Client Secret and seek to determine the minimal permissions required for the app registration to accomplish this task.

Appreciate your help!

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
12,370 questions
SharePoint Development
SharePoint Development
SharePoint: A group of Microsoft Products and technologies used for sharing and managing content, knowledge, and applications.Development: The process of researching, productizing, and refining new or existing technologies.
3,067 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,268 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Hitesh Pachipulusu - MSFT 3,235 Reputation points Microsoft Vendor
    2024-11-12T06:06:32.9933333+00:00

    Hello AM91,

    Thank you for contacting Microsoft Support!

    To restrict access to a specific SharePoint site using Microsoft Graph APIs, you can follow these steps:

    Use Sites.Selected Permission:

    In case if you are trying to site information without signed in user (Application permission), you need to create two app registrations. First Application will have Sites.FullControl.All permission and second Application will have Sites.Selected permission.

    Using first application you can make POST call with second application details in request body. You can perform the above operations in postman. 

    POST https://graph.microsoft.com/v1.0/sites/{site-id}/permissions
   Content-Type: application/json
   {
     "roles": ["read"],
     "grantedToIdentities": [
       {
         "application": {
           "id": "your-app-id",
           "displayName": "Your App Name"
         }
       }
     ]
   }

    Please note following above steps target application can access entire site collection.

    Please refer to below documentations.

    https://devblogs.microsoft.com/microsoft365dev/controlling-app-access-on-specific-sharepoint-site-collections/

    https://techcommunity.microsoft.com/t5/microsoft-sharepoint-blog/develop-applications-that-use-sites-selected-permissions-for-spo/ba-p/3790476

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.