At approx. 2023-09-26T18:16:29+01:00 the /site/root endpoint started failing with a 403 and the following body:
{
code: 'accessDenied',
message: "Request Doesn't have the required Permission scopes to access a site."
}
Nothing was changed on our end, and it happened to multiple apps simultaneously, so this is almost certainly an undocumented (as far as I can tell) change to the permissions. We have been calling this endpoint a few times per second across thousands of tenants for the past ~3-4 years.
The documentation specifies "Sites.Read.All" or "Sites.ReadWrite.All" as required application permissions. We have never used those and have been able to call this and other endpoints using, I believe, "Directory.ReadWrite.All".
Granting the documented permissions does resolve the issue, but our business model would require client MSPs to reauthenticate tens or even hundreds of their managed clients, one-by-one, so this is something we would like to avoid if possible.
Can someone help me understand what has changed so I can take appropriate action? Thanks.
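
An added example, not part of the original post: one way to find which tenants are affected is to inspect the `roles` claim of each tenant's app-only access token, where the Microsoft identity platform lists the application permissions granted to the app, and flag the tenants that have neither documented permission. The tenant names, the `makeSampleToken` helper and the sample tokens are constructed for illustration, and the function names are hypothetical.

```javascript
// Application permissions the documentation lists for /site/root.
const DOCUMENTED_SITE_ROLES = ['Sites.Read.All', 'Sites.ReadWrite.All'];

// Decode the payload of a compact JWT. The signature is NOT verified:
// this is only for inspecting a token your own app has just acquired.
function decodeJwtPayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Return the documented site permissions present in the token's roles claim.
function siteRolesInToken(token) {
  const claims = decodeJwtPayload(token);
  const roles = Array.isArray(claims.roles) ? claims.roles : [];
  return roles.filter((r) => DOCUMENTED_SITE_ROLES.includes(r));
}

// Given { tenantName: accessToken }, list tenants whose token carries
// neither documented permission. Undecodable tokens are also flagged.
function tenantsNeedingConsent(tokensByTenant) {
  const missing = [];
  for (const [tenant, token] of Object.entries(tokensByTenant)) {
    let hasSiteRole = false;
    try {
      hasSiteRole = siteRolesInToken(token).length > 0;
    } catch (err) {
      hasSiteRole = false;
    }
    if (!hasSiteRole) missing.push(tenant);
  }
  return missing;
}

// Constructed, unsigned sample tokens (not real Graph tokens).
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.sig`;
}

const sampleTokens = {
  'tenant-a.example': makeSampleToken({ roles: ['Directory.ReadWrite.All'] }),
  'tenant-b.example': makeSampleToken({ roles: ['Directory.ReadWrite.All', 'Sites.Read.All'] }),
  'tenant-c.example': makeSampleToken({}),
};

console.log(tenantsNeedingConsent(sampleTokens));
```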