Graph API GET /site/root endpoint has changed permissions

Richard Dunn 6 Reputation points
2023-09-27T10:17:05.57+00:00

At approx. 2023-09-26T18:16:29+01:00 the /site/root endpoint started failing with a 403 and the following body:

{
  code: 'accessDenied',
  message: "Request Doesn't have the required Permission scopes to access a site."
}

Nothing was changed on our end, and it happened to multiple apps simultaneously, so this is almost certainly an undocumented (as far as I can tell) change to the permissions. We have been calling this endpoint a few times per second across a thousands of tenants for the past ~3-4 years.

The documentation specifies "Sites.Read.All" or "Sites.ReadWrite.All" as required application permissions. We have never used those and have been able to call this and other endpoints using, I believe, "Directory.ReadWrite.All".

Granting the documented permissions does resolve the issue, but our business model would require client MSPs reauthenticate tens or even hundreds of their managed clients, one-by-one, so this is something we would like to avoid if possible.

Can someone help me understand what has changed so I can take appropriate action? Thanks.

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
12,046 questions
0 comments No comments
{count} vote

1 answer

Sort by: Most helpful
  1. CarlZhao-MSFT 42,031 Reputation points
    2023-09-29T10:23:38.72+00:00

    Hi @Richard Dunn

    I checked the Graph API changelog and didn't see any updates to the permissions for calling the /site/root endpoint.

    I recommend that you open a support ticket with Microsoft Support team to confirm if there are any changes to this API endpoint.

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.