Does Graph API provide an endpoint to "Delete unique permissions" for files and folders

john john 1,021 Reputation points
2023-05-21T16:19:13.1333333+00:00

Inside SharePoint Online, we can choose to "Delete unique permissions" for files, items and folders, as follows:


So does Graph API provide an endpoint to achieve this action?

Microsoft Security Microsoft Graph

4 answers

  1. Anonymous
    2023-05-29T06:36:13.1166667+00:00

    Hello john john,

    Thanks for reaching out!

    Yes, the Microsoft Graph API provides an endpoint to delete unique permissions for files, items, and folders in SharePoint Online. You can use the BreakAccessInheritance method to achieve this action.

    To delete unique permissions for a specific file, item, or folder, you need to make a POST request to the following endpoint:

    POST /sites/{site-id}/drive/items/{item-id}/breakAccessInheritance
    

    Replace {site-id} with the ID of the SharePoint site where the file, item, or folder is located, and replace {item-id} with the ID of the file, item, or folder itself.

    Here's an example of how the request can be made using the Microsoft Graph API in PowerShell:

    $siteId = "<site-id>"
    $itemId = "<item-id>"
    $accessToken = "<access-token>"

    $baseUrl = "https://graph.microsoft.com/v1.0"
    $endpoint = "/sites/$siteId/drive/items/$itemId/breakAccessInheritance"

    $headers = @{
        "Authorization" = "Bearer $accessToken"
        "Content-Type" = "application/json"
    }

    # Invoke-WebRequest (unlike Invoke-RestMethod) exposes the HTTP status code;
    # a non-success status throws, so it is reported from the catch block.
    try {
        $response = Invoke-WebRequest -Method Post -Uri "$baseUrl$endpoint" -Headers $headers
        if ($response.StatusCode -eq 204) {
            Write-Host "Unique permissions deleted successfully."
        } else {
            Write-Host "Unexpected status: $($response.StatusCode) - $($response.StatusDescription)"
        }
    } catch {
        Write-Host "Error deleting unique permissions: $($_.Exception.Message)"
    }


    Make sure to replace <site-id>, <item-id>, and <access-token> with the appropriate values for your scenario.

    By using the BreakAccessInheritance method, you can remove unique permissions and revert to the permissions inherited from the parent site.

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.


  2. KrashLeviathan 0 Reputation points
    2025-02-28T22:26:39.4666667+00:00

    I was able to get a working solution in February 2025 to remove all anonymous links for a given set of documents in SharePoint. Note that you'll need to export a list of listItem sharepoint IDs to a file first (not the ID property, but the sharepointId property, which is a UUID). If you plan to do ALL documents, you'll need some additional logic to grab that information.

    Important Considerations:

    1. Pre-requisites: Ensure you have curl and jq installed on your system.
    2. Credentials: You need to replace the template values at the top with actual values from your Azure AD and Microsoft Graph setup.
    3. CSV Format: The sharepoint_ids.csv file should contain SharePoint IDs (UUIDs) for the listItems in a single column without headers.
    4. Graph Permissions: Make sure your app registration in Azure AD has the necessary API permissions for Files.Read.All and Files.ReadWrite.All scopes delegated.
    5. Security: Ensure that you handle the access tokens securely, especially in production systems.
    #!/bin/bash
    # Removes anonymous sharing links from the listItems whose SharePoint IDs are
    # listed in sharepoint_ids.csv. Replace your-sharepoint-tenant, your-client-id,
    # your-client-secret and your-drive-id below (see Important Considerations).
    set -u

    # Define your environment-specific variables
    tenant="your-sharepoint-tenant"
    client_id="your-client-id"
    client_secret="your-client-secret"
    drive_id="your-drive-id"
    resource="https://graph.microsoft.com"
    csv_file="sharepoint_ids.csv"

    # Get the access token using client credentials flow
    get_access_token() {
        curl -s -X POST -H "Content-Type: application/x-www-form-urlencoded" \
            -d "client_id=$client_id" \
            -d "scope=$resource/.default" \
            -d "client_secret=$client_secret" \
            -d "grant_type=client_credentials" \
            "https://login.microsoftonline.com/$tenant/oauth2/v2.0/token" | jq -r .access_token
    }
    access_token=$(get_access_token)

    # Function to delete a permission given its ID; Graph answers 204 on success
    delete_permission() {
        local sharepoint_id=$1
        local permission_id=$2
        local status
        echo "[*] Deleting permission $permission_id for item $sharepoint_id"
        status=$(curl -s -o /dev/null -w "%{http_code}" -X DELETE \
            -H "Authorization: Bearer $access_token" \
            "https://graph.microsoft.com/v1.0/drives/$drive_id/items/$sharepoint_id/permissions/$permission_id")
        if [ "$status" = "204" ]; then
            echo "    Permission $permission_id deleted."
        else
            echo "    Failed to delete permission $permission_id (HTTP $status)" >&2
        fi
    }

    # Iterate over all IDs in the CSV (strip a trailing CR in case the file was saved on Windows)
    while IFS=, read -r sharepoint_id; do
        sharepoint_id=${sharepoint_id%$'\r'}
        [ -n "$sharepoint_id" ] || continue
        # Fetch permissions for each SharePoint ID ($select is escaped so bash does not expand it)
        response=$(curl -s \
            -H "Authorization: Bearer $access_token" \
            "https://graph.microsoft.com/v1.0/drives/$drive_id/items/$sharepoint_id/permissions?\$select=id,link")
        # Extract every permission ID for an anonymous link; an item may carry more than one
        permission_ids=$(echo "$response" | jq -r '(.value // [])[] | select(.link.scope == "anonymous") | .id')
        if [ -n "$permission_ids" ]; then
            for permission_id in $permission_ids; do
                delete_permission "$sharepoint_id" "$permission_id"
            done
        else
            echo "[*] No anonymous permission found for item $sharepoint_id"
        fi
        # Pause between each request to avoid hitting rate limits
        sleep 1
    done < "$csv_file"
    
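The following Python is an added example, not code from either answer, showing how Microsoft Graph's driveItem permissions endpoints (GET and DELETE on /drives/{drive-id}/items/{item-id}/permissions) can be used to remove an item's unique permissions: entries carrying inheritedFrom come from a parent and Graph will not delete them on the child, so only the item's own grants are selected, optionally narrowed to anonymous links as the script above does. It keeps a list rather than a single id, since an item can hold several deletable permissions; SAMPLE_LISTING, the drive and item ids and the token are constructed placeholders.

```python
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample shaped like the body of GET /drives/{drive-id}/items/{item-id}/permissions.
SAMPLE_LISTING = {
    "value": [
        {"id": "perm-inherited-1", "roles": ["read"],
         "inheritedFrom": {"driveId": "drive-x", "id": "parent-folder"}},
        {"id": "perm-anon-1", "roles": ["read"], "link": {"scope": "anonymous", "type": "view"}},
        {"id": "perm-anon-2", "roles": ["write"], "link": {"scope": "anonymous", "type": "edit"}},
        {"id": "perm-org-1", "roles": ["read"], "link": {"scope": "organization", "type": "view"}},
        {"id": "perm-user-1", "roles": ["write"], "grantedToV2": {"user": {"displayName": "Example"}}},
    ]
}

def select_permissions(listing, anonymous_only=False):
    """Ids of the item's own (non-inherited) permissions; optionally only anonymous links.
    Entries with inheritedFrom come from a parent and cannot be deleted on this item."""
    ids = []
    for perm in listing.get("value", []):
        if perm.get("inheritedFrom"):
            continue  # inherited grant: leave it, Graph rejects the DELETE anyway
        link = perm.get("link") or {}
        if anonymous_only and link.get("scope") != "anonymous":
            continue
        ids.append(perm["id"])
    return ids  # a list: one item may carry several deletable permissions

def build_delete_urls(drive_id, item_id, permission_ids):
    """One DELETE target per selected permission id; pure, so it can be reviewed before use."""
    base = f"{GRAPH}/drives/{drive_id}/items/{item_id}/permissions"
    return [f"{base}/{pid}" for pid in permission_ids]

def fetch_listing(drive_id, item_id, token):
    """GET the item's permissions; $select limits the response to the fields inspected above."""
    url = f"{GRAPH}/drives/{drive_id}/items/{item_id}/permissions?$select=id,link,inheritedFrom"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def delete_permissions(urls, token):
    """Issue the DELETEs; Graph answers 204 No Content for each removed permission."""
    for url in urls:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"}, method="DELETE")
        with urllib.request.urlopen(req) as resp:
            if resp.status != 204:
                raise RuntimeError(f"unexpected status {resp.status} for {url}")
```

A dry run is fetch_listing followed by select_permissions and build_delete_urls; only delete_permissions changes anything on the item.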
