How to check if a user have access to particular SharePoint site Using Graph API ?

Question

How to check if a user have access to particular SharePoint site Using Graph API ?

Justin Philip 20

I just wanted to check if a user have access to a particular SharePoint using Graph API. Earlier it is done by SharePoint API using GetUserEffectivePermissions methods. But when migrate to Graph I didn't find out any solution for this. I am working in .NET application.

Accepted answer

1 additional answer

Your answer

Answer 1

Hi Justin Philip
Welcome to Microsoft Q&A Forum!
Thank you for reaching out and sharing the challenge you're facing with checking user access to a SharePoint site using Graph API. I understand how important it is to ensure a smooth transition from SharePoint API, especially when working within a .NET application.

To better assist you, could you please clarify a few details:

Are you trying to verify access for a specific user or a group of users?
Is the SharePoint site part of a team site, communication site, or another type?
What level of access are you aiming to check (e.g., read, write, full control)?
Are you looking for a programmatic solution that returns a Boolean result or detailed permission metadata?

Your input will help us explore the most suitable approach or workaround using Graph API, and ensure it aligns with your application’s requirements.

Looking forward to your response.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

Justin Philip 20

Hi Nghia-P

please find below the clarifications for your question.

-I am checking access for a specific user. Whether the user is present in the particular site or check the groups associated with the site.

-This is a Team site.

-I am looking for the user has minimum read-only access.

-I am looking for a programmatic solution that returns a Boolean result only

Nghia-P 1,470 Reputation points Microsoft External Staff Moderator

2025-07-02T09:33:57.2933333+00:00
Hi Justin Philip

Welcome to Microsoft Q&A Forum!

Thank you for your detailed clarification regarding your requirement to check whether a specific user has access to a SharePoint Team Site.

Currently, Microsoft Graph API does not support retrieving effective permissions for individual users in the same way that SharePoint REST API does (e.g., via GetUserEffectivePermissions). This limitation means we cannot directly query the exact permission level of a user on a site using Graph alone.

However, based on the structure of your Team Site which is backed by a Microsoft 365 Group We can implement a workaround that satisfies your requirement. Specifically, we can check whether the user is a member of the Microsoft 365 Group associated with the site. All members of this group automatically have at least read-only access to the Team Site.

This approach is simple and effective, but please note the following important caveat:

It does not detect users who were manually granted access to the site outside of the group (e.g., via direct sharing or SharePoint groups). Therefore, if you plan to rely on this method long-term, we recommend ensuring that all users who need access are added to the Microsoft 365 Group.

We believe this solution meets your current needs and can be implemented programmatically to return a Boolean result (true if the user has access, false otherwise).

Step-by-Step Solution

Step 1: Get the Group ID linked to the SharePoint Site

Make the following Graph API call:

GET https://graph.microsoft.com/v1.0/sites/{tenant}.sharepoint.com:/sites/{site-name}

Step 2: Check if the user is a member of that Group

Once you have the Group ID, call this endpoint to see if the user is a member:

GET https://graph.microsoft.com/v1.0/groups/{group-id}/members?$filter=userPrincipalName eq '******@yourdomain.com'

If this call returns any item(s), the user is a group member ⇒ they have access ⇒ return "true".

If the list is empty ⇒ user is not a member ⇒ return "false".

Example in C# (.NET)

using Microsoft.Graph; using Azure.Identity; using System; using System.Linq; using System.Threading.Tasks; class Program { static async Task Main(string[] args) { // Replace with your actual values var tenantId = "YOUR_TENANT_ID"; var clientId = "YOUR_CLIENT_ID"; var clientSecret = "YOUR_CLIENT_SECRET"; var siteId = "YOUR_SITE_ID"; // Format: domain,site-guid,web-guid var userEmail = "******@yourdomain.com"; var credential = new ClientSecretCredential(tenantId, clientId, clientSecret); var graphClient = new GraphServiceClient(credential); // Step 1: Get the site and its associated group var site = await graphClient.Sites[siteId].Request().GetAsync(); var groupId = site?.Group?.Id; if (string.IsNullOrEmpty(groupId)) { Console.WriteLine("No Microsoft 365 Group associated with this site."); return; } // Step 2: Check if the user is a member of the group var members = await graphClient.Groups[groupId].Members .Request() .Filter($"userPrincipalName eq '{userEmail}'") .GetAsync(); bool hasAccess = members.Count > 0; Console.WriteLine($"User has access: {hasAccess}"); } }

Replace {group-id} and ******@yourdomain.com with your actual values

Returns: true → If the user is in the Microsoft 365 Group associated with the Team Site → This confirms the user has access to the site (at least read access).

false → If the user is not in the Group → This does not guarantee the user does not have permissions, as they may have been granted permissions manually (outside the group), but this does not check.

Just a quick reminder:

If the site grants access outside of the group (e.g. direct sharing with specific users), this method will not detect those cases. If you need deeper permission analysis, you would need to fall back to SharePoint REST API (_api/web/GetUserEffectivePermissions) as Graph API doesn't yet provide effective permission data.

While this may currently be the most effective approach available through Microsoft Graph API, we understand that it doesn’t yet provide the same level of detailed permission visibility as the SharePoint REST API especially when it comes to checking user-specific access granted outside of Microsoft 365 Groups. Your feedback is genuinely appreciated and plays an important role in helping Microsoft evolve Graph API toward a more complete and flexible solution for permission management in the future.

If I’ve misunderstood any part of your request or if anything remains unclear, please feel free to let me know. I’ll be happy to clarify or assist further.

If my answer has been even partially helpful, please consider marking it as “Accepted Answer” so others facing similar issues can find it more easily.
Nghia-P 1,470 Reputation points Microsoft External Staff Moderator

2025-07-07T05:35:58.3066667+00:00

Hi @Justin Philip

Have a good day and i wanted to check in and see if the information above was helpful to you.

If you have any updates or further questions, please feel free to share.

And if my reply helped resolve your issue, kindly consider marking it as “Accepted Answer”. Thank you so much!
Nghia-P 1,470 Reputation points Microsoft External Staff Moderator

2025-07-09T06:13:11.8766667+00:00

Hi @Justin Philip,

Have a good day!

We’d love to hear back from you whenever you're ready. If there’s any update, please don’t hesitate to let us know.

Share via

How to check if a user have access to particular SharePoint site Using Graph API ?

1 additional answer

Your answer