Site.Selected via Microsoft Graph, Access Denied Despite Global Admin Rights

Alexandra Hooser 0 Reputation points
2025-03-26T14:36:11.56+00:00

Hey everyone,

We have the following problem and are hoping someone can help us with it:

In our company, we want to set up a RAG architecture and use app-only access to retrieve certain SharePoint data internally. We have already successfully registered an app in Azure, assigned it the Site.Selected permission, and granted admin consent for it.

We then performed the following steps in Microsoft Graph to assign the app permissions for the specific site:

• Retrieved the SharePoint site ID with the following GET request, using our data: https://graph.microsoft.com/v1.0/sites/CompanyName.sharepoint.com:/sites/SiteName

• Issued a POST request to the following address with the request body and headers: https://graph.microsoft.com/v1.0/sites/{site-id}/permissions

  • Body:

    {
      "roles": ["read"],
      "grantedToIdentities": [
        {
          "application": {
            "id": "our_app_id",
            "displayName": "PSvdLGPT_dev"
          }
        }
      ]
    }

  • Header: 'Content-Type' = 'application/json'

We then received a 403 – Access Denied error for this POST request. After decoding the access token, we noticed that the global admin rights do not appear under the scp permissions. Instead, it only shows: 'scp': 'openid profile Sites.Selected User.Read email'.

Our question is whether we are missing/forgetting something, or whether there is something we can configure/change in Microsoft so that our admins’ rights also appear in Microsoft Graph and can be used for the Site.Selected permission.

Microsoft Security | Microsoft Graph

2 answers

  1. Rajat Vashistha-MSFT 1,690 Reputation points Microsoft External Staff
    2025-03-26T15:34:21.1+00:00

    Hi Alexandra Hooser,

    Thanks for reaching out to Microsoft!

    Yes, you're correct. The "Access denied" error occurs because your application currently has only the "Sites.Selected" permission. Using a token with this permission alone results in the error. To properly assign the "Sites.Selected" permission, please follow these steps:

    Step 1: Register two applications in your tenant:

    App1: Assign the "Sites.FullControl" application permission.

    App2: Assign the "Sites.Selected" application permission.

    Step 2: Use Postman with the Microsoft Graph API to assign restricted site permissions to App2. Generate a token using App1 and send the following request:

    POST https://graph.microsoft.com/v1.0/sites/{siteId}/permissions
    Content-Type: application/json
    
    { 
      "roles": ["read"],
      "grantedToIdentities": [{
        "application": {
          "id": "App ID of App2",
          "displayName": "Display name of App2"
        }
      }]
    }
    

    Step 3: To verify the permissions have been successfully assigned, generate a token using App2 and use the following API:

    GET https://graph.microsoft.com/v1.0/sites/{siteId}
    

    For additional details, please refer to the documentation: Develop applications that use Sites.Selected permissions for SPO sites

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.

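The following is an added example, not code from the original thread or from Microsoft. It shows, offline, why the questioner's token is refused and what the two-app setup from the answer above produces: it decodes the token payload (without signature verification, inspection only), tells an app-only token (`roles` claim) apart from a delegated token (`scp` claim), checks for the Sites.FullControl.All role the granting app needs, and builds the grant body from the answer. The claim names are the ones Entra ID emits; the three sample tokens are constructed, unsigned JWT-shaped strings, with the questioner's scopes copied from the post. `grant_site_permission` is the live call and needs network and a real App1 token.

```python
# Added example; not code from the original thread or from Microsoft.
# Assumed (not stated on the page): Entra ID app-only tokens carry a `roles`
# claim and delegated tokens a `scp` claim. The sample tokens below are
# CONSTRUCTED, unsigned JWT-shaped strings for offline use only.
import base64
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Application permission the granting app (App1 in the answer) must hold.
GRANT_ROLE = "Sites.FullControl.All"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def decode_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature.
    Inspection only (same as pasting the token into a decoder); never use
    this to make an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def token_kind(claims: dict) -> str:
    """App-only (client credentials) tokens carry `roles`; delegated
    (signed-in user) tokens carry `scp`."""
    if "roles" in claims:
        return "app-only"
    if "scp" in claims:
        return "delegated"
    return "unknown"


def diagnose_grant_token(token: str) -> tuple:
    """Can this token be used for POST /sites/{id}/permissions? -> (ok, why)"""
    claims = decode_claims(token)
    kind = token_kind(claims)
    if kind == "delegated":
        return False, (
            "delegated token: Global Administrator is a directory role, not a "
            "Graph scope, so it never shows up in scp; scp=" + claims["scp"]
        )
    roles = set(claims.get("roles", []))
    if GRANT_ROLE not in roles:
        return False, f"app-only token lacks {GRANT_ROLE}; roles={sorted(roles)}"
    return True, f"app-only token with {GRANT_ROLE}"


def build_grant_body(app_id: str, display_name: str, roles=("read",)) -> dict:
    """Request body from the answer: grant App2 the given roles on one site."""
    return {
        "roles": list(roles),
        "grantedToIdentities": [
            {"application": {"id": app_id, "displayName": display_name}}
        ],
    }


def grant_site_permission(site_id: str, app1_token: str, body: dict) -> dict:
    """Live call (needs network and a real App1 token): POST the grant."""
    req = urllib.request.Request(
        f"{GRAPH}/sites/{site_id}/permissions",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {app1_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def make_unsigned_token(claims: dict) -> str:
    """CONSTRUCTED test data: JWT-shaped string with a dummy signature."""
    header = _b64url(b'{"alg":"none","typ":"JWT"}')
    return f"{header}.{_b64url(json.dumps(claims).encode())}.sig"


# Questioner's token (scopes copied from the post) versus the answer's App1/App2.
QUESTIONER_TOKEN = make_unsigned_token(
    {"scp": "openid profile Sites.Selected User.Read email"})
APP1_TOKEN = make_unsigned_token({"roles": ["Sites.FullControl.All"]})
APP2_TOKEN = make_unsigned_token({"roles": ["Sites.Selected"]})

if __name__ == "__main__":
    for name, tok in [("questioner", QUESTIONER_TOKEN),
                      ("App1", APP1_TOKEN), ("App2", APP2_TOKEN)]:
        print(name, diagnose_grant_token(tok))
    print(json.dumps(build_grant_body("<App2 client id>", "PSvdLGPT_dev"), indent=2))
```

Running it prints that the questioner's token and the App2 token are both rejected for the grant call (the first is delegated, the second is app-only but holds only Sites.Selected) and that only the App1 token qualifies. Once the live POST succeeds, the App2 token is the one to use for GET /sites/{siteId}, as Step 3 above describes.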

  2. Carolyne-3676 301 Reputation points
    2025-03-27T06:07:37.4+00:00

    While it is important to ensure that you have the Sites.FullControl.All permission for the app registration, also note that for Site.Selected permissions, admin consent is required in the case of application permissions.
    https://learn.microsoft.com/en-us/graph/permissions-reference#sitesselected

