Share via

Is there a way of extracting the WebURL for a unified group using Graph

TSOAdmin 416 Reputation points
2025-05-15T19:35:35.5+00:00

I would like to use Graph to extract the SharePoint site information from a group of type Unified, once I obtain an instance of that group.

According to Copilot Chat, the WebURL of a unified group can be extracted from the group object, using Graph PowerShell, like so:

  1. Connect-MgGraph -Scopes "Group.Read.All", "Sites.Read.All
  2. $group = Get-MgGroup -GroupId "GroupID"
  3. $Site=Get-MgGroupSite -GroupId $group.Id

from which I can then extract these properties:

User's image

Lines 1 and 2 above complete without issue. However, executing line 3 returns:

Get-MgGroupSite : Access denied

Status: 403 (Forbidden)

ErrorCode: accessDenied

...

The Microsoft Learn page on the Get-MgGroupSite command does not provide any examples. What could be the issue?

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
25,048 questions
0 comments
Accepted answer
  1. SrideviM 5,470 Reputation points Microsoft External Staff Moderator
    2025-05-19T07:07:13.3133333+00:00

    Hello Stephan Bren,

    I understand you are trying to get the SharePoint webUrl of a Microsoft 365 (Unified) group using Microsoft Graph PowerShell. The first two steps in your example are correct, but the third line fails due to how Get-MgGroupSite behaves when no site ID is provided.

    Initially, I too got same error when I ran your commands without passing site ID:

    Connect-MgGraph -Scopes "Group.Read.All", "Sites.Read.All"
$group = Get-MgGroup -GroupId "xxxxxxxxxxxxxx"
$Site=Get-MgGroupSite -GroupId $group.Id

    User's image

    When this command is run without -SiteId, it internally calls the getAllSites() API. You can confirm this behavior by adding the -Debug switch:

    $Site=Get-MgGroupSite -GroupId $group.Id -Debug

    User's image

    This particular API requires application permissions and does not work with user-based (delegated) permissions. That’s why it returns a 403 Access Denied. Check this MS Article.

    To retrieve the group's primary SharePoint site using delegated permissions, you can call the /sites/root endpoint directly like this:

    Connect-MgGraph -Scopes "Group.Read.All", "Sites.Read.All"
$groupId = "<your-group-id>"
$site = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/groups/$groupId/sites/root"
$site.webUrl

    User's image

    If you already know the site's name or relative path, another option is to use Get-MgSite to retrieve the site ID and then pass it into Get-MgGroupSite. This skips the getAllSites() call and works correctly with delegated access:

    $site = Get-MgSite -SiteId "yourtenant.sharepoint.com:/sites/yourgroupname:"
$groupSite = Get-MgGroupSite -GroupId $groupId -SiteId $site.Id
$groupSite.WebUrl

    User's image

    Let me know if you have further queries. Hope this helps!

    If this answers your query, do click Accept Answer and Yes for was this answer helpful, which may help members with similar questions.

    User's image

    If you have any other questions or are still experiencing issues, feel free to ask in the "comments" section, and I'd be happy to help.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.