I'm trying to use Microsoft Graph API in Powershell to pull a list of sharepoint sites a user is Owner of but I am getting a (403) Forbidden error

Question

I'm trying to use Microsoft Graph API in Powershell to pull a list of sharepoint sites a user is Owner of but I am getting a (403) Forbidden error

Joe Moorcroft 5

I've created an App in Entra so I can use it to give me a list of sharepoint sites a certain user is owner of. I have used Copilot to help me write the powershell script and I have all the needed permissions on my account to do what I need.

Soon as I run the script, I get the following error:

Invoke-RestMethod : The remote server returned an error: (403) Forbidden.

At line:26 char:20

... teDetails = Invoke-RestMethod -Method Get -Uri "https://graph.microso ...
```
            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```
- CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
- FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

Now I'm new to this stuff so I don't quite get it entirely so I've come here to see if someone could help me figure this out. If I need to supply more info then let me know.

Thank you

2 answers

Your answer

Answer 1

Vasil Michev 119.5K MVP Volunteer Moderator

Share the script please. When it comes to the Graph SDK, the most important thing is permissions. You need to specify which permissions are needed, and provide consent for them as part of the connectivity process. Something like this:

Connect-MgGraph -Scopes Users,Read,All,Sites.Read.All

The exact permissions will depend on the cmdlets leveraged in the script.

Another thing to note is that it comes to enumerating SharePoint Online sites, currently only application permissions are supported. You cannot connect as a user that is, you need to run the cmdlet via service principal. See this article for details: https://learn.microsoft.com/en-us/powershell/microsoftgraph/app-only?view=graph-powershell-1.0

Joe Moorcroft 5

Hi This is the script I've been trying to use:

# Define variables
$tenantId = "your-tenant-id"
$clientId = "your-client-id"
$clientSecret = "your-client-secret"
$userEmail = "user@example.com"

# Get an access token
$body = @{
    grant_type    = "client_credentials"
    scope         = "https://graph.microsoft.com/.default"
    client_id     = $clientId
    client_secret = $clientSecret
}
$tokenResponse = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -ContentType "application/x-www-form-urlencoded" -Body $body
$accessToken = $tokenResponse.access_token

# Get all sites
$headers = @{
    Authorization = "Bearer $accessToken"
}
$sites = Invoke-RestMethod -Method Get -Uri "https://graph.microsoft.com/v1.0/sites?search=*" -Headers $headers

# Filter sites where the user is an owner
$userOwnedSites = @()
foreach ($site in $sites.value) {
    $siteDetails = Invoke-RestMethod -Method Get -Uri "https://graph.microsoft.com/v1.0/sites/$($site.id)?$select=*,drive&$expand=drive" -Headers $headers
    if ($siteDetails.drive.owner.user.email -eq $userEmail) {
        $userOwnedSites += $siteDetails.webUrl
    }
}

# Output the list of sites where the user is an owner
$userOwnedSites

These are the current permissions for the registered app:

User's image

Am I missing something simple or is there something fundamental that I haven't included?

Thanks

Vasil Michev 119.5K Reputation points MVP Volunteer Moderator

2025-02-14T07:05:44.31+00:00

This sample should work fine, you have all the necessary permissions. Make sure your token hasn't expired. And make sure to check any calls made outside of the above, as you don't seem to be sharing the full script.
Joe Moorcroft 5 Reputation points

2025-02-14T09:26:54.03+00:00

The only other call above what I posted is the below:

Install-Module Microsoft.Graph

I'm still getting the same error, so I'm a bit stuck now
Vasil Michev 119.5K Reputation points MVP Volunteer Moderator

2025-02-14T10:00:09.93+00:00

Decode your access token ($accessToken) via jwt.ms and make sure the permissions above are correctly reflected.

The other thing that comes to mind is your application being restricted by Sites.Selected permissions. To check for that, you need to be able to enumerate site permissions, so you either need a different app, or a user with SPO admin permissions to call /sites/{siteid}/permissions.
Joe Moorcroft 5 Reputation points

2025-02-14T11:21:21.2166667+00:00

I have decoded my access token and I can see all the permissions within that so that looks okay on that front.

How would I go about enumerating site permissions?

Thanks Vasil so far for the help
Vasil Michev 119.5K Reputation points MVP Volunteer Moderator

2025-02-14T18:36:14.07+00:00

On the site you are trying to access, query the /permissions endpoint via user (or app) with Sites.FullControl.All permission. Do not use the app above, as it doesn't seem to work anyway.

Here's a post I did a while back on how the Sites.Selected permissions work, including the potential 403 errors it can cause: https://www.michev.info/blog/post/3256/limiting-access-to-sharepoint-online-resources-via-the-graph-api

Answer 2

CarlZhao-MSFT 46,366

Hi @Joe Moorcroft

Are there any other API calls in the current context? Try adding the Directory.ReadWrite.All application permission and retry.

User's image

Hope this helps.

If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

Joe Moorcroft 5 Reputation points

2025-02-14T09:28:07.1866667+00:00

Hi!

I have added that app permission and I still get the same 403 Forbidden error as pasted above.

Do you have any other suggestions?

Thanks

Share via

I'm trying to use Microsoft Graph API in Powershell to pull a list of sharepoint sites a user is Owner of but I am getting a (403) Forbidden error

2 answers

Your answer