Graph API - SharePoint Site Permissions - Operation Not Supported

Bunting (US), Moses 6 Reputation points

Referencing, I'm trying to list permissions on a SharePoint site. The site in question does not inherit permissions from its parent.

I'm able to get the site using GET{site-id} and see the results. I'm also able to see other relationships, e.g. /lists, /sites, etc, to see other information.

When I try to list the permissions using GET{site-id}/permissions per the documentation link above, I get a 400 - Bad Request response saying operation not supported.

I'm using the composite site id (host name, site collection guid, site guid) for all calls.

Any assistance is greatly appreciated.


5 answers

  1. Danstan Onyango 3,246 Reputation points

    List Site Permissions, unlike Get Site, does not support delegated permissions on work and school accounts. This could be why you are getting Not Supported. Please check your permissions and see if it works with Application permissions. Try it in Graph Explorer after selecting Sites.FullControl.All, which requires admin consent.

    1 person found this answer helpful.

  2. suresh yadaw 1 Reputation point

    I'm also unable to get the site's permissions. Below are the steps which I followed:

    1. Get the root site by {MSURL}/v1.0/sites/root/
    2. Get the id from step 1 and try to get root site permission by {MSURL}/sites/{siteId}/permissions
       Response: 200 { "@odata.context": "{MSURL}$metadata#sites('siteId')/permissions", "value": [] }
    3. Now, I tried to list all the sites available by using {MSURL}/sites/{siteId}/sites
       Response was 200 and I got a list of sites. Perfect!
    4. After that I tried to get any site's permission by using:
       4.a. Using: {MSURL}/sites/{anySiteId}/permissions
            Response 400 "error": "code": "notSupported", "message": "Operation not supported",
       4.b. Using: {MSURL}/sites/{siteId}/site/{anySiteId}/permissions
            Response 400 "error": code":"BadRequest", "message":"Resource not found for the segment 'site'."


  3. suresh yadaw 1 Reputation point

    As mentioned by @Danstan, and as I also verified, Graph API is not returning the site's permissions.
    So, for @Bunting (US), Moses or whoever is looking for an alternate solution to this issue:
    the solution to get a site's permissions or the groups and members of the site is to use Microsoft.SharePoint.Client.

    Code example:

        using System;
        using System.Net;
        using Microsoft.SharePoint.Client;

        // Get the site URL from the user
        Console.Write("Enter Site URL: ");
        string strURL = Console.ReadLine();
        // Get the username from the user in the format (Domain/Login ID)
        Console.Write("Enter UserName (domain/userid): ");
        string strUserName = Console.ReadLine();
        Console.Write("Enter your password: ");
        // getPassword() is a helper whose definition is not included in the post
        string pass = getPassword();
        ClientContext ctx = new ClientContext(strURL);
        ctx.Credentials = new NetworkCredential(strUserName, pass);
        Web web = ctx.Web;
        // Parameters to receive the response from the server
        // SiteGroups property should be passed in Load method to get the collection of groups
        ctx.Load(web, w => w.Title, w => w.SiteGroups);
        // Send the queued request; the loaded properties are not populated until this call
        ctx.ExecuteQuery();
        GroupCollection groups = web.SiteGroups;
        Console.WriteLine("Groups associated to the site: " + web.Title);
        Console.WriteLine("Groups Count: " + groups.Count.ToString());
        foreach (Group grp in groups)
        {
            // The post is cut off at the loop header; printing the group title is a minimal body
            Console.WriteLine(grp.Title);
        }

  4. Kathy Blasco 101 Reputation points

    @suresh yadaw , @Danstan
    I have also tried to use this Get for site permissions in PowerShell and I do get a 200 response but it does not list the permissions like the documentation states. I also need all of the permissions, SharePoint groups, users, and Office 365 groups.

    My Azure application does have Sites.FullControl.All and is granted by admin.

    I am using the following to connect:

    Connect-PnPOnline -Url -ClientId HIDDEN -Tenant "" -Thumbprint HIDDEN  

    Then these statements to gather the permissions for the site:

    $baererToken = (Get-PnPGraphAccessToken)
    $headers = @{ Authorization=("Bearer " + $baererToken) }
    $webRequest = Invoke-WebRequest -Uri "" -Method Get -Headers $headers

    The following is what is returned and this is also what is returned when I use Graph Explorer:

    StatusCode : 200
    StatusDescription : OK
    Content : {"@odata.context":"$metadata#sites('')/permissions","value":[]}
    RawContent : HTTP/1.1 200 OK
    Transfer-Encoding: chunked
    Strict-Transport-Security: max-age=31536000
    request-id: HIDDEN
    client-request-id: HIDDEN
    Forms : {}
    Headers : {[Transfer-Encoding, chunked], [Strict-Transport-Security, max-age=31536000], [request-id,
    HIDDEN], [client-request-id, HIDDEN]...}
    Images : {}
    InputFields : {}
    Links : {}
    ParsedHtml : mshtml.HTMLDocumentClass
    RawContentLength : 203

    Executing the following:

    $webRequest = Invoke-WebRequest -Uri "" -Method Get -Headers $headers

    Actually returns what I would expect for this request.

  5. NITESH RANJAN 1 Reputation point

    Graph API currently doesn't have site permission end points. Alternatively we can try to use REST end points.

    _api/web/SiteGroups/GetByName('Group Name')/Users
    _api/web/SiteGroups/GetById(3)/Users?$filter=Email eq 'UserEmail@tiedtlaw email .com'

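The three outcomes reported in this thread (200 with an empty `value`, 400 `notSupported`, 400 `BadRequest`) and the REST fallback from the last answer can be handled in one audit helper. This is an added example, not code from any of the posters: the function names, the `contoso.example` URL and the sample responses are constructed for illustration.

```powershell
# Quote a value for use inside an OData string literal in a URL:
# a single quote is escaped by doubling it, then the value is percent-encoded,
# so a group name or e-mail containing ' cannot break out of the literal.
function ConvertTo-ODataLiteral {
    param([string]$Value)
    "'" + [uri]::EscapeDataString($Value.Replace("'", "''")) + "'"
}

# Build the SiteGroups REST URL from the last answer (hypothetical helper).
function Get-SiteGroupUsersUrl {
    param([string]$SiteUrl, [string]$GroupName, [string]$Email)
    $url = '{0}/_api/web/SiteGroups/GetByName({1})/Users' -f $SiteUrl.TrimEnd('/'), (ConvertTo-ODataLiteral $GroupName)
    if ($Email) { $url += '?$filter=Email%20eq%20' + (ConvertTo-ODataLiteral $Email) }
    $url
}

# Turn a Graph /sites/{id}/permissions response into an audit decision.
function Resolve-GraphPermissionResult {
    param([int]$StatusCode, [string]$Content)
    $body = $Content | ConvertFrom-Json
    if ($StatusCode -eq 200) {
        $count = @($body.value).Count
        if ($count -eq 0) { return 'Empty: Graph returned no entries; query SiteGroups over REST' }
        return 'Listed: {0} permission entries' -f $count
    }
    switch ($body.error.code) {
        'notSupported' { 'NotSupported: retry with application permissions or use REST' }
        'BadRequest'   { 'BadRequest: {0}' -f $body.error.message }
        default        { 'Unhandled: {0} {1}' -f $StatusCode, $body.error.code }
    }
}

# Constructed sample responses shaped like the ones quoted in the thread.
$samples = @(
    @{ Status = 200; Body = '{"value":[]}' },
    @{ Status = 400; Body = '{"error":{"code":"notSupported","message":"Operation not supported"}}' },
    @{ Status = 400; Body = '{"error":{"code":"BadRequest","message":"Resource not found for the segment ''site''."}}' }
)
foreach ($s in $samples) {
    Resolve-GraphPermissionResult -StatusCode $s.Status -Content $s.Body
}

# Hypothetical site URL, group name and e-mail address.
Get-SiteGroupUsersUrl -SiteUrl 'https://contoso.example/sites/demo' -GroupName "Owner's Group" -Email 'user@contoso.example'
```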