Graph Search API returns all sites despite "Sites.Selected" App-Only permission

Ali Jone 20 Reputation points
2026-01-22T03:33:18.8866667+00:00

Context:

I am using an Azure AD App Registration with the Sites.Selected application permission. My goal is to limit the application's access to specific SharePoint sites only.

Configuration:

I assigned the Sites.Selected permission to the app (App ID: [App-ID]).

I successfully granted write (FullControl) access to specific sites using the Permissions endpoint.

Request to grant permission:

POST https://graph.microsoft.com/v1.0/sites/[Site-ID]/permissions
{
  "roles": ["fullcontrol"],
  "grantedToIdentities": [
    {
      "application": {
        "id": "[App-ID]",
        "displayName": "test-site.selected-permission"
      }
    }
  ]
}

Testing Standard Endpoints (Working as expected):

When I call GET https://graph.microsoft.com/v1.0/sites, I get an empty value list, or only the specific site, which is expected behavior for Sites.Selected.

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#sites",
    "value": []
}

When I try to access users via /users, I get Authorization_RequestDenied, which is also expected.

The Issue (Search API):

When I use the Search API, the application returns all sites in the tenant, ignoring the Sites.Selected restriction.

Request:

POST https://graph.microsoft.com/v1.0/search/query 
Content-Type: application/json

{
    "requests": [
        {
            "entityTypes": [ "site" ],
            "query": {
                "queryString": "(contentclass:STS_Site OR contentclass:STS_Web)"
            },
            "region": "US" 
        }
    ]
}

Response (Unexpected):

It returns a total of ~1300 results, including sites I have not explicitly granted access to.

{
    "value": [
        {
            "hitsContainers": [
                {
                    "hits": [
                        {
                            "hitId": "[Site-ID-1]",
                            "resource": {
                                "displayName": "Policy_FE_Automation_Site",
                                "webUrl": "https://[Tenant].sharepoint.com/sites/Policy_FE_Automation_Site"
                            }
                        },
                        {
                            "hitId": "[Site-ID-2]",
                            "resource": {
                                "displayName": "Restricted_Site_Example",
                                "webUrl": "https://[Tenant].sharepoint.com/sites/Restricted_Site_Example"
                            }
                        }
                        // ... returns 1349 results
                    ],
                    "total": 1349,
                    "moreResultsAvailable": true
                }
            ]
        }
    ]
}

Token Analysis:

I inspected my Access Token. I noticed a wids (Workload ID) claim, but I have not assigned any Directory Roles (like SharePoint Admin) to this application manually, only the API Permission Sites.Selected.

Decoded Token (Relevant parts):

{
  "aud": "https://graph.microsoft.com",
  "roles": [
    "Sites.Selected"
  ],
  "wids": [
    "0997a1d0-0d1d-4acb-b408-d5ca73121e90" 
  ],
  "idtyp": "app"
}

Questions:

Is it expected behavior that the Microsoft Graph Search API (/search/query) bypasses Sites.Selected restrictions and exposes the existence of all sites?

Does Sites.Selected only apply to direct GET requests (e.g., /sites/{id}) and not the Search index?

Could the wids claim 0997a1d0-0d1d-4acb-b408-d5ca73121e90 be overriding the permission scope? If so, where does this come from if I haven't assigned a Directory Role?

Any guidance on how to restrict Search results to only the sites defined in Sites.Selected would be appreciated.

Microsoft 365 and Office | SharePoint | Development
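A quick way to verify what the token in the post actually carries before blaming the Search endpoint: decode the JWT payload offline and check that it is app-only, scoped to Graph, and carries no broader site-wide role (for example Sites.Read.All) alongside Sites.Selected. This is an added example, not code from the post or from Microsoft; the sample token below is constructed from the claims quoted above with a dummy signature, and the list of "broad" roles checked is an assumption about which Graph application roles grant tenant-wide SharePoint access.

```python
import base64
import json
import re


def b64url_json(obj) -> str:
    """Encode a dict as an unpadded base64url JSON segment (JWT style)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


# Constructed sample token: the claims quoted in the post plus a dummy header
# and signature. Nothing here verifies the signature; this is inspection only.
SAMPLE_TOKEN = ".".join([
    b64url_json({"typ": "JWT", "alg": "RS256", "kid": "example-kid"}),
    b64url_json({
        "aud": "https://graph.microsoft.com",
        "roles": ["Sites.Selected"],
        "wids": ["0997a1d0-0d1d-4acb-b408-d5ca73121e90"],
        "idtyp": "app",
    }),
    "dummy-signature",
])

# Assumed list of Graph application roles that grant access to every site.
# If any of these is present, broad search results are explained by the
# token, not by the Search API ignoring Sites.Selected.
BROAD_SITE_ROLE = re.compile(
    r"^(Sites\.(Read|ReadWrite|Manage|FullControl)|Files\.(Read|ReadWrite))\.All$"
)


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS without verifying it.
    Never use an unverified decode for an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def analyse(token: str) -> dict:
    """Summarise the claims that matter for a Sites.Selected app-only token."""
    claims = decode_claims(token)
    roles = set(claims.get("roles", []))
    return {
        # app-only tokens carry 'roles' and idtyp=app; delegated tokens carry 'scp'
        "app_only": claims.get("idtyp") == "app" and "scp" not in claims,
        # Graph accepts either the URI or the well-known Graph app ID as audience
        "graph_audience": claims.get("aud") in (
            "https://graph.microsoft.com",
            "00000003-0000-0000-c000-000000000000",
        ),
        "has_sites_selected": "Sites.Selected" in roles,
        "broad_site_roles": sorted(r for r in roles if BROAD_SITE_ROLE.match(r)),
        "wids": list(claims.get("wids", [])),
    }


if __name__ == "__main__":
    print(json.dumps(analyse(SAMPLE_TOKEN), indent=2))
```

For the token quoted in the post the summary shows an app-only Graph token with only Sites.Selected and no broad site role, so the wide search result set is not explained by an over-privileged token.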

Answer accepted by question author

    Teddie-D 15,710 Reputation points Microsoft External Staff Moderator
    2026-01-22T06:24:37.49+00:00

    Hi @Ali Jone

    Thank you for posting your question in the Microsoft Q&A forum.

    Based on this documentation, Use the Microsoft Search API to query data - Microsoft Graph v1.0 | Microsoft Learn, Sites.Selected is not listed under the permission scopes. The documentation also notes that the Search API does not support the site-level search schema. Instead, it uses the tenant-level or default search schema.

    Therefore, the behavior you observed is expected. The Microsoft Graph Search API (/search/query) does not enforce Sites.Selected in app-only scenarios. Search always operates against the tenant-wide SharePoint search index, and Sites.Selected is not evaluated at query time.

    Sites.Selected applies only to SharePoint site APIs, such as:

    • /sites/{id}
    • /sites/{id}/drives
    • /sites/{id}/lists
    • /sites/{id}/permissions

    It does not apply to:

    • /search/query (Graph Search)
    • SharePoint legacy search API /_api/search/query

    About the wids claim:

    - The wids claim does not grant SharePoint permissions and does not override Sites.Selected.

    - It represents internal workload identity classifications automatically included in app-only access tokens.

    - These are not Microsoft Entra directory roles, do not grant access to SharePoint content, and do not affect Search API scope.

    - There is no evidence in Microsoft documentation or support cases that the wids claim overrides Sites.Selected or changes SharePoint authorization behavior.

    There is currently no supported way to enforce Sites.Selected restrictions on Microsoft Graph Search.

    You can use Drive or List APIs:

    • GET /sites/{site-id}/drives/{drive-id}/root/children
    • GET /sites/{site-id}/lists/{list-id}/items?$filter=...

    These endpoints respect Sites.Selected, but they do not support full-text search.

    I hope this information is helpful.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

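Since the answer states that Search is not scoped by Sites.Selected but that GET /sites/{id} is, the only place the application can re-apply the restriction is on its own side: probe each site that Search returned with an endpoint that does enforce the grant, and drop hits for sites the app cannot open. The example below is added here and is not code from the thread or from Microsoft. It assumes the hitId of a site hit is the site ID, as the post labels it, treats a 403 (and, conservatively, a 404) from GET /sites/{id} as "not granted", and uses a constructed search response plus a constructed allow-list so it runs offline; graph_site_probe is the real network version of the same check.

```python
import json
import urllib.error
import urllib.request
from typing import Callable

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample in the shape of the /search/query response quoted in the
# thread, trimmed to two hits. The hitId values are placeholders.
SAMPLE_SEARCH_RESPONSE = {
    "value": [{"hitsContainers": [{
        "hits": [
            {"hitId": "site-id-1", "resource": {
                "displayName": "Policy_FE_Automation_Site",
                "webUrl": "https://contoso.sharepoint.com/sites/Policy_FE_Automation_Site"}},
            {"hitId": "site-id-2", "resource": {
                "displayName": "Restricted_Site_Example",
                "webUrl": "https://contoso.sharepoint.com/sites/Restricted_Site_Example"}},
        ],
        "total": 1349,
        "moreResultsAvailable": True,
    }]}]
}


def graph_site_probe(access_token: str) -> Callable[[str], bool]:
    """Build a probe that asks GET /sites/{id}, an endpoint the answer says
    does enforce Sites.Selected. 200 means the app holds a grant for the site;
    403 is the access-denied response and 404 is treated as not granted too."""
    def probe(site_id: str) -> bool:
        req = urllib.request.Request(
            f"{GRAPH}/sites/{site_id}",
            headers={"Authorization": f"Bearer {access_token}"},
        )
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.status == 200
        except urllib.error.HTTPError as err:
            if err.code in (403, 404):
                return False
            raise  # throttling (429), auth failures (401) etc. must not be read as "no grant"
    return probe


def granted_sites_probe(granted: set) -> Callable[[str], bool]:
    """Offline stand-in for graph_site_probe: a constructed allow-list of site IDs."""
    return lambda site_id: site_id in granted


def filter_hits(search_response: dict, is_accessible: Callable[[str], bool]) -> dict:
    """Keep only hits whose site the app can actually open.
    Each site is probed once (results are cached) even if it produces many hits.
    Returns the surviving hits and how many were dropped."""
    kept, dropped, cache = [], 0, {}
    for result in search_response.get("value", []):
        for container in result.get("hitsContainers", []):
            for hit in container.get("hits", []):
                site_id = hit["hitId"]
                if site_id not in cache:
                    cache[site_id] = is_accessible(site_id)
                if cache[site_id]:
                    kept.append(hit)
                else:
                    dropped += 1
    return {"hits": kept, "dropped": dropped}


if __name__ == "__main__":
    # Offline demo: only site-id-1 is on the constructed allow-list.
    result = filter_hits(SAMPLE_SEARCH_RESPONSE, granted_sites_probe({"site-id-1"}))
    print(json.dumps(result, indent=2))
```

Two caveats a practitioner should keep in mind. First, this is a client-side filter: by the time it runs, the Search index has already returned the names and URLs of every site in the tenant to the application, so it reduces what the app acts on, not what it can learn; if that disclosure is the concern, the control has to be on the permission side (which the answer says is not available for Search today). Second, with moreResultsAvailable set to true the caller still has to page through the result set before the filter has seen every hit.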


0 additional answers
