How to Access SharePoint REST API Using Azure AD App (Client ID & Secret) with Sites.FullControl Permission?

Aravind 0 Reputation points
2025-11-24T12:49:16.3633333+00:00

I’m trying to use the SharePoint REST API (_api) to retrieve site permissions, site groups, and identify site owners for SharePoint sites that are not group-connected.

I’ve registered an Azure AD app and granted SharePoint API permissions with Sites.FullControl.All. I’m using the app’s client ID and client secret to acquire an access token, but when I call the REST API, I get the error:

Unsupported app only token.

I cannot use Microsoft Graph because it doesn’t provide an endpoint for this scenario. My goal is to integrate with ServiceNow to fetch site owners for non-group-connected sites.

Questions:

  • Is it possible to use SharePoint REST API with an app-only token for this purpose?
  • If yes, what is the correct approach or configuration to make this work?
  • If not, what alternatives exist for retrieving site owners for non-group-connected sites?

Endpoints we tried / plan to use:

  • /_api/web/sitegroups → Lists all site groups.
  • /_api/web/roleassignments → Shows role assignments for groups and users.
  • /_api/web/roleassignments?$expand=Member,RoleDefinitionBindings → To get detailed permissions.

Goal:

  • Identify site owners for non-group-connected sites.
  • Integrate this data with ServiceNow.

Any guidance or examples would be greatly appreciated.
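As an added example (not from the question or either answer), the following shows how the responses of the endpoints listed above combine to name the owners of a non-group-connected site: every principal holding a Full Control role definition, with SharePoint groups expanded through `/_api/web/sitegroups/getbyid({id})/users`. The JSON below is constructed to match the shape those endpoints return with `Accept: application/json;odata=nometadata`; the tenant, users and groups are made up, and the `SP.PrincipalType` / `SP.RoleType` values are the documented enum values.

```python
"""Identify owners of a non-group-connected site from its REST role assignments.

Added example; the sample responses are constructed, not captured from a tenant.
"""

# SP.PrincipalType and SP.RoleType values as returned by the REST API.
PRINCIPAL_USER = 1
PRINCIPAL_SECURITY_GROUP = 4
PRINCIPAL_SP_GROUP = 8
ROLE_TYPE_ADMINISTRATOR = 5  # RoleTypeKind of the "Full Control" role definition

# Constructed: GET /_api/web/roleassignments?$expand=Member,RoleDefinitionBindings
ROLE_ASSIGNMENTS = {
    "value": [
        {
            "PrincipalId": 3,
            "Member": {"Id": 3, "Title": "Contoso Site Owners", "PrincipalType": PRINCIPAL_SP_GROUP},
            "RoleDefinitionBindings": [{"Id": 1073741829, "Name": "Full Control", "RoleTypeKind": ROLE_TYPE_ADMINISTRATOR}],
        },
        {
            "PrincipalId": 4,
            "Member": {"Id": 4, "Title": "Contoso Site Members", "PrincipalType": PRINCIPAL_SP_GROUP},
            "RoleDefinitionBindings": [{"Id": 1073741827, "Name": "Edit", "RoleTypeKind": 6}],
        },
        {
            "PrincipalId": 12,
            "Member": {"Id": 12, "Title": "Dana Admin", "Email": "dana@contoso.example",
                       "PrincipalType": PRINCIPAL_USER, "IsSiteAdmin": True},
            "RoleDefinitionBindings": [{"Id": 1073741829, "Name": "Full Control", "RoleTypeKind": ROLE_TYPE_ADMINISTRATOR}],
        },
    ]
}

# Constructed: GET /_api/web/sitegroups/getbyid({id})/users, keyed by SharePoint group id.
GROUP_MEMBERS = {
    3: {"value": [
        {"Id": 9, "Title": "Alex Owner", "Email": "alex@contoso.example", "PrincipalType": PRINCIPAL_USER},
        {"Id": 15, "Title": "Site Admins (AAD)", "Email": "", "PrincipalType": PRINCIPAL_SECURITY_GROUP},
    ]},
}


def has_full_control(assignment):
    """True when any bound role definition is the Administrator (Full Control) role."""
    return any(b.get("RoleTypeKind") == ROLE_TYPE_ADMINISTRATOR
               for b in assignment["RoleDefinitionBindings"])


def find_site_owners(role_assignments, group_members):
    """Return (owners, unresolved).

    owners:     {email_or_title: how the Full Control right is held}
    unresolved: Entra ID security groups nested in an owner group; they have to be
                expanded in the directory before a person can be named.
    """
    owners, unresolved = {}, []

    def record(user, via):
        if user["PrincipalType"] == PRINCIPAL_SECURITY_GROUP:
            unresolved.append({"group": user["Title"], "via": via})
            return
        key = user.get("Email") or user["Title"]
        owners[key] = via
        if user.get("IsSiteAdmin"):
            owners[key] += " (site collection administrator)"

    for ra in role_assignments["value"]:
        if not has_full_control(ra):
            continue  # Edit/Read assignments do not make an owner
        member = ra["Member"]
        if member["PrincipalType"] == PRINCIPAL_SP_GROUP:
            for user in group_members.get(member["Id"], {"value": []})["value"]:
                record(user, f"member of SharePoint group '{member['Title']}'")
        else:
            record(member, "direct Full Control role assignment")
    return owners, unresolved


if __name__ == "__main__":
    found, pending = find_site_owners(ROLE_ASSIGNMENTS, GROUP_MEMBERS)
    for who, how in found.items():
        print(f"{who}: {how}")
    for item in pending:
        print(f"expand in Entra ID: {item['group']} ({item['via']})")
```

Two caveats worth building into a ServiceNow feed: site collection administrators hold full control without needing a role assignment, so `/_api/web/siteusers` should also be scanned for `IsSiteAdmin` set to true, and a security group nested inside the owners group (the `unresolved` list above) names nobody until it is expanded in the directory.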


2 answers

  1. Q&A Assist
    2025-11-24T12:49:32.89+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Yes, it is possible to use the SharePoint REST API with an app-only token for your purpose, but there are specific configurations and permissions that must be in place to avoid the "Unsupported app only token" error.

    Steps to Access SharePoint REST API Using Azure AD App:

    1. Ensure Correct Permissions: Make sure that your Azure AD app has been granted the Sites.FullControl.All permission. This permission allows the app to have full control over all site collections without a signed-in user.
    2. Grant Admin Consent: After assigning the permissions, ensure that admin consent is granted for the permissions. This is crucial for app-only access.
    3. Acquire Access Token: Use the client ID and client secret to acquire an access token. Make sure you are requesting the token for the SharePoint resource. The token request should look something like this:
         POST https://accounts.accesscontrol.windows.net/{tenant_id}/tokens/OAuth/2
         Content-Type: application/x-www-form-urlencoded

         grant_type=client_credentials
         &client_id={client_id}
         &client_secret={client_secret}
         &resource=https://{your_tenant}.sharepoint.com/

    4. Call the SharePoint REST API: Once you have the access token, include it in the Authorization header when making requests to the SharePoint REST API. For example:
         GET https://{your_tenant}.sharepoint.com/_api/web/sitegroups
         Authorization: Bearer {access_token}

    Common Endpoints to Use:

    • /_api/web/sitegroups to list all site groups.
    • /_api/web/roleassignments to show role assignments for groups and users.
    • /_api/web/roleassignments?$expand=Member,RoleDefinitionBindings to get detailed permissions.

    Troubleshooting Tips:

    • If you still encounter the "Unsupported app only token" error, double-check that the permissions are correctly set and that admin consent has been granted.
    • Ensure that the app is not trying to access resources that require user context, as app-only tokens cannot impersonate users.

    Alternatives:

    If the above approach does not work, consider using Microsoft Graph API for other scenarios, but since you mentioned it does not cover your specific needs, you may need to rely on SharePoint REST API and ensure all permissions are correctly configured.


  2. Jayden-P 12,230 Reputation points Microsoft External Staff Moderator
    2025-11-24T14:18:56.0166667+00:00

    Hi @Aravindmunna

    Thank you for posting your question in the Microsoft Q&A forum.

    Based on my research, yes, you can call SharePoint Online REST (_api) with an app‑only token and read site groups/role assignments to identify owners for non‑group‑connected sites.

    Double-check whether you have this property disabled; make sure it is set to false.

    Connect-SPOService -Url https://<tenant>-admin.sharepoint.com
    Set-SPOTenant -DisableCustomAppAuthentication $false

    I have done some further research; here is what I found.

    You can try using SharePoint PowerShell with -GroupIdDefined. If the property returns true, it is connected to an M365 group.

    Get-SPOSite (Microsoft.Online.SharePoint.PowerShell) | Microsoft Learn

    I hope this information helps.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

