Microsoft Graph API for Sharepoint groups or users

Question

Microsoft Graph API for Sharepoint groups or users

Jain Harshita 20

I am working on Microsort Graph APIs for getting permission for sharepoint sites, drive and drive items usingapplication. For API drives/{driveId}/items/{itemId}/permissions to get permission on drive items, I see that it returns grantedToV2 object with siteUser displayname "Everyone except external users". Similiarly there are other sharepoint group object returned in the format:

"siteGroup": {

                "displayName": "",

                "id": "",

                "loginName": ""

            }

I understand these are Sharepoint groups but is it possible to get details of these groups by Microsoft Graph APIs Or reverse of this ie given a user, by using Microsoft Graph API is it possible to know which site it has permission to?

0 comments

Answer accepted by question author

0 additional answers

Your answer

Answer 1

Gabriel-N 17,785 Microsoft External Staff Moderator

Hello Jain Harshita

Based on my research, here are some clarifications that may help answer your questions.

When a Microsoft Graph API call such asGET /drives/{driveId}/items/{itemId}/permissionsreturns a grantedToV2 object containing a siteGroup (or siteUser like “Everyone except external users”), this represents a classic SharePoint site-level group or built-in principal, not an Azure AD / Microsoft 365 group.

“Everyone except external users” is a special built-in SharePoint principal.
Other entries (Site Owners, Site Members, Site Visitors, or custom groups) are SharePoint-specific permission groups that exist only inside that site collection.

These are not Entra ID groups, so the id you see in grantedToV2.siteGroup is a SharePoint Principal ID (local to the site). It cannot be used with Graph endpoints like /groups/{id}/members.

At this time, Microsoft Graph haven't provided APIs to retrieve details or membership of these classic SharePoint site groups. Graph’s group APIs only work with Azure AD / Microsoft 365 groups. If you need to retrieve the members of a SharePoint site group (for example, to see who is in “Site Members” or “Everyone except external users”), use the SharePoint REST API (you can call it with the exact same access token you already use for Microsoft Graph, provided you have Sites.Read.All or higher).

For example (replace {tenant}.sharepoint.com/sites/{site-relative-path} with your site URL):

List all groups on the siteGET https://{tenant}.sharepoint.com/sites/{site}/_api/web/sitegroups
Get members of a specific group (using the name or the id from siteGroup.id):

GET https://{tenant}.sharepoint.com/sites/{site}/_api/web/sitegroups/getbyname('Site Members')/usersor

GET https://{tenant}.sharepoint.com/sites/{site}/_api/web/sitegroups({principalId})/users

Similarly, reverse lookup scenarios are not directly supported in Microsoft Graph. There is no single Graph API that can answer “which SharePoint sites, drives, or items does user X have access to.”

In a delegated (user) context, security trimming happens automatically (e.g., when the user searches or queries content).
In an application-only context (your scenario), you generally need to enumerate sites and check permissions individually, which does not scale well.

As alternatives, some customers rely on Microsoft Search (security-trimmed queries) or audit logs to indirectly understand user access.

I hope this helps clarify the current behavior and limitations of Microsoft Graph with SharePoint permissions.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Gabriel-N 17,785 Reputation points Microsoft External Staff Moderator

2026-05-15T14:36:57.3533333+00:00

Hello Jain Harshita just following up to see if the information above was helpful. If you have any updates or further questions, feel free to share them here.
Jain Harshita 20 Reputation points

2026-05-15T15:12:43.9633333+00:00
Thank you Gabriel for providing inputs which are definitely helpful in shaping the solution I have been working on. :) I understood what are the limitations of Graph API and why is it needed to use sharepoint API to fill the missing information. There are few things which I would like to update you and get your input on:

I tried to use same token I am using Graph API but it didn't work for Sharepoint API(I even changed scope to sharepoint in /token endpoint). I want to use Sharepoint API to get site groups and get members of group, like you suggested. I investigated further and found that for Sharepoint API only certificate credentials are applicable. I am currently in process to upload certificate in Azure Portal and then check again. I would like to mention I am using application permission of Site.Selected with full control both for Graph and Sharepoint API. Is this the right approach?

As per documentation for Graph v1.0, there is permission endpoints available for site and drive item inside site's drive(no endpoint for drive itself). While response of permission endpoint for site GET sites/{siteId}/permissions is only listing the application registered with Azure AD, GET /drives/{driveId}/items/{itemId}/permissions for drive items inside site is responding with the actual sharepoint groups which I am concerned about. Also, For driveitems permission response, "inheritedFrom" is empty. I find this behaviour inconsistent. Is there any permission missing for the application I am using?
Gabriel-N 17,785 Reputation points Microsoft External Staff Moderator

2026-05-18T12:53:35.3666667+00:00

Hello Jain Harshita

Thank you for feedback. Please allow me a moment to look into this further. I will get back to you with an update.
Gabriel-N 17,785 Reputation points Microsoft External Staff Moderator

2026-05-18T15:03:53.0666667+00:00
Hello Jain Harshita

Based on my research, for your authentication issue, your approach is on the right track. But you might consider some points below:

Switch to certificate-based authentication. Client secrets are often blocked for SharePoint REST API calls in app-only scenarios and frequently return the error “Unsupported app only token”.

When acquiring the token, request it for the SharePoint audience: https://{your-tenant}.sharepoint.com/.default (not the Graph audience).

Make sure your app registration has the SharePoint API application permission Sites.FullControl.All (in addition to Microsoft Graph Sites.Selected + FullControl).

Because you’re using the Sites.Selected permission model, you must explicitly grant your app access to the target site(s) via Microsoft Graph: POST https://graph.microsoft.com/v1.0/sites/{site-id}/permissions with roles: fullcontrol and the application identity.

Once authentication is working, you can use the SharePoint REST calls you mentioned to resolve the classic SharePoint groups returned by Graph.

Regarding the behaviors you observed:

GET /sites/{siteId}/permissions only returns the application-level grants you made via the Sites.Selected model > seeing only your app there is expected.

GET /drives/{driveId}/items/{itemId}/permissions returns the actual/effective classic SharePoint ACLs (including site groups and built-in principals like “Everyone except external users”).

inheritedFrom being empty is also common and not always reliably populated for SharePoint items.

For the reverse lookup (given a user > which sites/items they have access to), there is unfortunately no single Graph API call that works well in app-only context. Most solutions involve enumerating the relevant sites/drives or using Microsoft Search (security-trimmed) / audit logs.

Longer term, migrating permissions to Entra ID / Microsoft 365 groups (instead of classic SharePoint site groups) will make everything much easier, since they are fully supported in Graph.

Hope this info helpful.
Gabriel-N 17,785 Reputation points Microsoft External Staff Moderator

2026-05-19T10:35:04.1566667+00:00

Hello Jain Harshita

If you still have further concerns, please feel free to let me know.
Jain Harshita 20 Reputation points

2026-05-20T05:25:42.3866667+00:00

One last question :) I understand Sharepoint APIs expose endpoint to also list folders, file and explore Sharepoint site contents for which I have been using Graph API. Instead of using Graph API and then using Sharepoint API to get Sharepoint groups and users, doesn't it make more sense to just use Sharepoint APIs for everything? Do you know of any advantage of using Graph API over Sharepoint API?
Gabriel-N 17,785 Reputation points Microsoft External Staff Moderator

2026-05-20T15:05:49.29+00:00

Hello @Jain Harshita

Sorry for late reply, let me look into this further and I’ll keep you posted.
Gabriel-N 17,785 Reputation points Microsoft External Staff Moderator

2026-05-21T12:39:02.3333333+00:00

Hello @Jain Harshita

Technically you can use SharePoint REST APIs for everything, since they provide full coverage of SharePoint functionality.

However, in practice it is recommended to use a combination of both APIs.

Microsoft Graph is generally the preferred choice for most scenarios because it provides a unified endpoint across Microsoft 365 services, a more consistent authentication model, and continued investment from Microsoft. At the same time, Graph does not yet expose all SharePoint-specific capabilities (such as site groups and full permission details), so SharePoint REST APIs are still required for those cases.

Because of this, the common approach is to use Graph for general operations (sites, drives, files) and rely on SharePoint REST only for scenarios that Graph does not currently support.

Hope this helps clarify the approach.
Jain Harshita 20 Reputation points

2026-05-21T16:14:47.3533333+00:00

Thank you Gabriel for your support. If I need anything more, I would create another thread.
Gabriel-N 17,785 Reputation points Microsoft External Staff Moderator

2026-05-22T14:55:58.97+00:00

Hi @Jain Harshita

I'm really happy to hear that the information I shared is helpful. If you ever need more help, feel free to post your questions in the forum. It's not just me, the whole community is here and always happy to support you.

Share via

Microsoft Graph API for Sharepoint groups or users

0 additional answers

Your answer