Microsoft Graph API for drive Item permissions

Olga Andreeva 126 Reputation points
2024-05-27T12:55:26.3233333+00:00

Hello,

I am using Microsoft Graph API v1.

The setup of my application:

  1. My users are assigned to Groups that have different permissions (owner and restricted read).
  2. The Groups are assigned to the site.
  3. I need to check the permissions of a particular user to a particular drive item (file) via Microsoft Graph API.

I am using the following option for the permissions:

groups/${groupId}/drive/items/${documentId}?$select=id&$expand=permissions

I get the following result for users in the "Member" group with restricted read access:


{
  "@odata.context": "@odata.context",
  "@odata.etag": "@odata.etag",
  "id": "id",
  "permissions@odata.navigationLink": "drive/items/id/permissions",
  "permissions": [
    {
      "grantedTo": {
        "user": {
          "displayName": "Owner"
        }
      },
      "id": "id",
      "roles": []
    },
    {
      "grantedTo": {
        "user": {
          "email": "",
          "id": "",
          "displayName": "Member"
        }
      },
      "id": "id",
      "roles": []
    }
  ]
}

When I change the permission of the "Member" group to "read" access, I get the following result:


{
  "@odata.context": "@odata.context",
  "@odata.etag": "@odata.etag",
  "id": "id",
  "permissions@odata.navigationLink": "drive/items/id/permissions",
  "permissions": [
    {
      "grantedTo": {
        "user": {
          "displayName": "Owner"
        }
      },
      "id": "id",
      "roles": []
    },
    {
      "grantedTo": {
        "user": {
          "email": "",
          "id": "",
          "displayName": "Member"
        }
      },
      "id": "id",
      "roles": []
    }
  ]
}

When I change the permission of the "Member" group to "edit" access, I get the following result:

{
  "@odata.context": "@odata.context",
  "@odata.etag": "@odata.etag",
  "id": "id",
  "permissions@odata.navigationLink": "drive/items/id/permissions",
  "permissions": [
    {
      "grantedTo": {
        "user": {
          "displayName": "Owner"
        }
      },
      "id": "id",
      "roles": ["owner"]
    },
    {
      "grantedTo": {
        "user": {
          "email": "",
          "id": "",
          "displayName": "Member"
        }
      },
      "id": "id",
      "roles": ["write"]
    }
  ]
}


I have also tried this endpoint:

groups/${groupId}/drive/items/${documentId}/permissions

It shows the same results: "owner"/"write" roles when a user has a "write" role and an empty string when a user has a read or restricted role.

Could you please advise me on how to get detailed information on what permission the user has?


1 answer

  1. RaytheonXie_MSFT 36,576 Reputation points Microsoft Vendor
    2024-05-28T02:56:34.24+00:00

    Currently, using the Graph API, you can use List drive item permissions or List sites permissions.

    GET /sites/{siteId}/drive/items/{itemId}/permissions  
    GET https://graph.microsoft.com/v1.0/sites/{sitesId}/permissions  
    

    Getting permissions for a SharePoint user is not yet supported. Since this feature/functionality is presently not available, you can upvote this feature request idea using this support link, which is monitored by the Microsoft team so that enhancements can be made to the Microsoft Graph APIs.

    As a workaround, I would recommend that you use the following REST API to get the permission:

    https://SomeSharepoint.sharepoint.com/sites/test2/_api/web/GetFileByServerRelativeUrl('/sites/test2/SitePages/test1.aspx')?$expand=ListItemAllFields/RoleAssignments/Member,ListItemAllFields/RoleAssignments/RoleDefinitionBindings,ListItemAllFields/RoleAssignments/Member/Users
    
    
    

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
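
An added example, not part of the original question or answer: one way to turn the response of the SharePoint REST workaround above into a per-user answer. It assumes the request was sent with `Accept: application/json;odata=nometadata` (so collections arrive as plain arrays); the sample response, group names, e-mail addresses and the `permissionsForUser` helper are constructed for illustration.

```javascript
// Constructed sample of the workaround's response (odata=nometadata shape assumed).
// PrincipalType: 1 = user, 4 = security group, 8 = SharePoint group.
const sampleFile = {
  ListItemAllFields: {
    RoleAssignments: [
      { Member: { Title: "Test2 Owners", PrincipalType: 8,
                  Users: [{ Email: "owner@example.com" }] },
        RoleDefinitionBindings: [{ Name: "Full Control" }] },
      { Member: { Title: "Test2 Members", PrincipalType: 8,
                  Users: [{ Email: "member@example.com" }] },
        RoleDefinitionBindings: [{ Name: "Restricted View" }] },
      { Member: { Title: "Member", PrincipalType: 1, Email: "member@example.com" },
        RoleDefinitionBindings: [{ Name: "Read" }] },
      { Member: { Title: "All Staff", PrincipalType: 4 },
        RoleDefinitionBindings: [{ Name: "Edit" }] },
    ],
  },
};

// Hypothetical helper: returns the permission levels granted to `email`, plus the
// principals whose membership this response cannot resolve (e.g. directory groups).
function permissionsForUser(file, email) {
  const wanted = email.toLowerCase();
  // An empty Email never matches, so blank identities cannot alias each other.
  const sameUser = (u) => (u && u.Email ? u.Email.toLowerCase() === wanted : false);
  const levels = new Set();
  const unresolved = [];
  const assignments = (file.ListItemAllFields || {}).RoleAssignments || [];
  for (const ra of assignments) {
    const member = ra.Member || {};
    const names = (ra.RoleDefinitionBindings || []).map((r) => r.Name);
    if (member.PrincipalType === 1) {
      // Direct assignment to a user.
      if (sameUser(member)) names.forEach((n) => levels.add(n));
    } else if (Array.isArray(member.Users)) {
      // SharePoint group with its Users collection expanded.
      if (member.Users.some(sameUser)) names.forEach((n) => levels.add(n));
    } else {
      // No expanded Users: cannot tell whether the user is inside this principal.
      unresolved.push({ principal: member.Title, levels: names });
    }
  }
  return { levels: [...levels].sort(), unresolved };
}

console.log(permissionsForUser(sampleFile, "Member@Example.com"));
```

An empty `levels` list is only conclusive when `unresolved` is also empty; any principal listed there still has to be checked against the directory before concluding that the user has no access.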

