Call Graph API using the Azure Function managed identity is raising this error "Access Denied"

john john Pter 1,040 Reputation points
2025-04-20T23:52:47.0666667+00:00

We have an Azure Function developed using .NET Core 8.0, and we enabled the managed identity of the Azure Function. Then we ran these commands as per this official MS link https://learn.microsoft.com/en-us/sharepoint/dev/apis/webhooks/sharepoint-webhooks-using-azd-template#grant-the-function-app-access-to-sharepoint-online:

PowerShell command:

# This script requires the modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns, which can be installed with the cmdlet Install-Module below:
# Install-Module Microsoft.Graph.Authentication, Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns -Scope CurrentUser -Repository PSGallery -Force
Connect-MgGraph -Scope "Application.Read.All", "AppRoleAssignment.ReadWrite.All"
$managedIdentityObjectId = "d3e8dc41-94f2-4b0f-82ff-ed03c363f0f8" # 'Object (principal) ID' of the managed identity
$scopeName = "Sites.Selected"
$resourceAppPrincipalObj = Get-MgServicePrincipal -Filter "displayName eq 'Office 365 SharePoint Online'" # SPO
$targetAppPrincipalAppRole = $resourceAppPrincipalObj.AppRoles | ? Value -eq $scopeName

$appRoleAssignment = @{
    "principalId" = $managedIdentityObjectId
    "resourceId"  = $resourceAppPrincipalObj.Id
    "appRoleId"   = $targetAppPrincipalAppRole.Id
}
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $managedIdentityObjectId -BodyParameter $appRoleAssignment | Format-List

and this PnP command:

Connect-PnPOnline -Url "https://YOUR_SHAREPOINT_TENANT_PREFIX.sharepoint.com/sites/YOUR_SHAREPOINT_SITE_NAME" -Interactive -ClientId "YOUR_PNP_APP_CLIENT_ID"

Grant-PnPAzureADAppSitePermission -AppId "3150363e-afbe-421f-9785-9d5404c5ae34" -DisplayName "YOUR_FUNC_APP_NAME" -Permissions Manage  

Here is the code for the Azure Function, which uses the logged-in user's credential when I am on the development machine and uses the Azure Function managed identity on the hosted app:

if (Environment.GetEnvironmentVariable("AZURE_FUNCTIONS_ENVIRONMENT") == "Development")
{
    var credential = new InteractiveBrowserCredential(); // or AzureCliCredential
    graphClient = new GraphServiceClient(credential);
}
else
{
    var credential = new DefaultAzureCredential(); // Managed Identity
    graphClient = new GraphServiceClient(credential);

    // Diagnostic: confirm the managed identity can obtain a Graph token at all
    var token = await credential.GetTokenAsync(
        new TokenRequestContext(new[] { "https://graph.microsoft.com/.default" }));
    _logger.LogInformation("Token acquired: " + token.Token.Substring(0, 20) + "...");
}

// Call to get the "Call Transfer Log Data" SharePoint list data
try
{
    await SQLInteraction(new Log { Status = "Starting Call Transfer Log Data TimeJob Execution" }, true);

    var sitePath = "e**87";  // site id (redacted in the post)
    var listId = "6****";    // list id (redacted in the post)
    var allItems = new List<ListItem>();
    var oneWeekAgo = DateTime.UtcNow.AddDays(-7).ToString("o");

    // Initial page request with Expand = fields
    var page = await graphClient
        .Sites[sitePath]
        .Lists[listId]
        .Items
        .GetAsync(config =>
        {
            config.QueryParameters.Top = 100;
            config.QueryParameters.Expand = new string[] { "fields($select=*)" };
        });

    allItems.AddRange(page?.Value ?? []);

Then I verified the setting by running this command:

Get-PnPAzureADAppSitePermission -Site "<Site URL>"

and I got this result:

Id : ***...-....

Roles : {Manage}

App : Microsoft.Azure.Functions – 3150363e-afbe-421f-9785-9d5404c5ae34

Now, on the development environment the code is working, while on the hosted Azure Function the code raised:

Access Denied

Any advice? It seems I did all the needed settings.

Thanks
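As an added diagnostic (not code from the original post or from Microsoft's template), this helper decodes the Graph access token the hosted function receives and compares its claims against the two grants above: the roles claim must contain Sites.Selected (from the app role assignment) and the appid claim must equal the AppId passed to Grant-PnPAzureADAppSitePermission, which is the application (client) ID, not the object ID used as principalId in the role assignment. Class and method names are mine; it assumes the Azure.Identity and System.Text.Json packages the function already references.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

public static class GraphTokenClaimCheck
{
    // Decodes the JWT payload segment. No signature validation: this is a
    // local diagnostic, not an authorization decision.
    public static JsonElement DecodePayload(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("Not a compact JWT");
        var b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        var json = Encoding.UTF8.GetString(Convert.FromBase64String(b64));
        using var doc = JsonDocument.Parse(json);
        return doc.RootElement.Clone();
    }

    // Compares the token against the two grants from the question: the app
    // role (roles claim) and the site permission (granted to an AppId).
    public static IReadOnlyList<string> Check(string jwt, string siteGrantAppId, string expectedRole)
    {
        var p = DecodePayload(jwt);
        var problems = new List<string>();

        var appId = p.TryGetProperty("appid", out var a) ? a.GetString() : null;
        if (!string.Equals(appId, siteGrantAppId, StringComparison.OrdinalIgnoreCase))
            problems.Add($"appid '{appId}' is not the AppId given to Grant-PnPAzureADAppSitePermission ('{siteGrantAppId}')");

        var roles = p.TryGetProperty("roles", out var r) && r.ValueKind == JsonValueKind.Array
            ? r.EnumerateArray().Select(x => x.GetString()).ToArray()
            : Array.Empty<string>();
        if (!roles.Contains(expectedRole))
            problems.Add($"roles claim [{string.Join(", ", roles)}] lacks '{expectedRole}'; the app role assignment has not taken effect");

        return problems;
    }

    // Acquires a Graph token the same way the hosted function does and returns
    // the verdict; the token itself is never logged.
    public static async Task<IReadOnlyList<string>> CheckManagedIdentityAsync(string siteGrantAppId)
    {
        var token = await new DefaultAzureCredential().GetTokenAsync(
            new TokenRequestContext(new[] { "https://graph.microsoft.com/.default" }));
        return Check(token.Token, siteGrantAppId, "Sites.Selected");
    }
}
```

An empty result means the hosted identity holds both grants, so a remaining Access Denied points at the site-level permission (wrong site URL or AppId) rather than at the app role.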


Accepted answer
RithwikBojja 3,055 Reputation points Microsoft External Staff Moderator
    2025-04-25T15:53:40.5566667+00:00

    Hi @john john Pter ,

    Call Graph API using the Azure Function managed identity is raising this error "Acces Denied"

    The error says that you do not have full permissions to query the SharePoint list.

    You also have to give the permission below so that you can access the SharePoint list:

    Sites.FullControl.All

    Now, after giving the above role, you can access the SharePoint list.


    If this answer was helpful, please click "Accept the answer" and mark Yes, as this can help other community members.


    If you have any other questions or are still experiencing issues, feel free to ask in the "comments" section, and I'd be happy to help.

