MS Graph Permissions for user

Ryan
2023-07-26T06:38:47.9733333+00:00

I need to give permission to a service principal using MS Graph for Sites.Selected, then give permission to the required SharePoint site.

If I use Graph Explorer, I can give myself permission to Sites.FullControl.All and execute the POST command that gives permission to the service principal on a specific site, https://graph.microsoft.com/v1.0/sites/<<siteid>>/permissions, with the required payload.

I want to do this using the az rest command, but when I execute the exact same command I get Forbidden({"error":{"code":"accessDenied","message":"Access denied".....

I'm guessing that I don't have the correct permission to do this, but I've no idea how I assign it to my user account so that it applies to Azure CLI. I had assumed that giving consent through the Graph permissions panel would be global.


1 answer

    Anonymous
    2023-07-27T05:35:58.0666667+00:00

    Hi @Ryan

    To grant permission to a service principal using Microsoft Graph and then give permission to the required SharePoint site, you need to ensure that you have the necessary permissions to perform these actions. Here are the steps you can follow to troubleshoot and resolve the "Access denied" issue:

    1. Check Azure CLI login: Before using Azure CLI to execute the az rest command, make sure you have logged in with the correct user account that has the required permissions. Use the az login command to log in with the appropriate user account.
    2. Assign Application Permission: Ensure that the service principal (application) you are using is registered in Azure AD and has been granted the required application permission to perform the necessary actions. You can check this in the Azure AD application registration portal.
    3. Admin Consent: If the service principal requires application permissions (rather than delegated permissions), an administrator must grant consent for the application permissions. You can do this through the Azure AD application registration portal or by using the Azure CLI az ad app permission grant command.
    4. Check Graph API request: Verify that the az rest command you are executing provides the correct URL and payload for the Graph API request. Make sure the request URL and payload are valid and match the required format for the API.
    5. Use Delegated Permissions: If you are working with resources that require user-specific permissions, make sure to use delegated permissions instead of application permissions. Delegated permissions are specific to the signed-in user and are granted during authentication.

    Keep in mind that consent provided through the Graph permissions panel is specific to the signed-in user and may not be sufficient for the Azure CLI. The Azure CLI requires separate authentication and may have its own set of permissions.


    Best Regards

    Cheng Feng

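An added diagnostic for the situation in this thread (my own script, not code from the thread or from Microsoft): consent given in Graph Explorer is recorded for the Graph Explorer application, so the token that az rest acquires for the Azure CLI application can still lack Sites.FullControl.All. The script decodes the `scp` claim of such a token so an accessDenied can be tied to a missing scope before the POST is retried. The helper names and the sample token are constructed; the real token would come from the `az account get-access-token` call shown in the comments.

```shell
#!/bin/sh
# Added example: inspect the delegated scopes (scp claim) in the Graph token az rest sends.
# Real usage (not run here):
#   TOKEN=$(az account get-access-token --resource https://graph.microsoft.com --query accessToken -o tsv)
#   check_site_permission_scope "$TOKEN"

# base64url-encode a string (used only to build the constructed sample token below)
b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }

# base64url-decode one JWT segment: restore the standard alphabet and the padding
b64url_decode() {
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d 2>/dev/null
}

# Print the space-separated scp claim of a JWT access token (empty if absent,
# e.g. for an app-only token, which carries "roles" instead)
jwt_scopes() {
  payload=$(printf '%s' "$1" | cut -d. -f2)
  b64url_decode "$payload" | sed -n 's/.*"scp":"\([^"]*\)".*/\1/p'
}

# Return 0 if the token's scp claim contains the given scope, 1 otherwise
token_has_scope() {
  for s in $(jwt_scopes "$1"); do
    [ "$s" = "$2" ] && return 0
  done
  return 1
}

# Report whether the token can call POST /sites/{siteId}/permissions
check_site_permission_scope() {
  if token_has_scope "$1" "Sites.FullControl.All"; then
    echo "ok: token carries Sites.FullControl.All"
    return 0
  fi
  echo "missing Sites.FullControl.All; token scp is '$(jwt_scopes "$1")' -> Graph answers accessDenied"
  return 1
}

# Constructed sample token (unsigned, alg none) standing in for a real CLI token
SAMPLE_TOKEN="$(b64url_encode '{"alg":"none","typ":"JWT"}').$(b64url_encode '{"aud":"https://graph.microsoft.com","scp":"Sites.Read.All User.Read"}')."
check_site_permission_scope "$SAMPLE_TOKEN"
```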
