Graph API - SharePoint Site Permissions - Operation Not Supported

Question

Referencing https://learn.microsoft.com/en-us/graph/api/site-list-permissions?view=graph-rest-1.0&tabs=http, I'm trying to list permissions on a SharePoint site. The site in question does not inherit permissions from its parent.

I'm able to get the site using GET https://graph.microsoft.com/v1.0/sites/{site-id} and see the results. I'm also able to see other relationships, e.g. /lists, /sites, etc, to see other information.

When I try to list the permissions using GET https://graph.microsoft.com/v1.0/sites/{site-id}/permissions per the documentation link above, I get 400 - Bad Request response saying operation not supported.

I'm using the composite site id (host name, site collection guid, site guid) for all calls.

Any assistance is greatly appreciated.

Answer 1

List Site Permissions unlike Get Site does not support delegated permissions on work and school accounts. This could be why you are getting Not Supported. Please check your permissions and see if it works with Application permissions. Try on Graph Explorer after selecting Sites.FullControl.All which requires admin consent.

Answer 2

I'm also unable to get the site's permissions. Below are the steps which I followed : 1. Get the root site by {MSURL}/v1.0/sites/root/ 2. Get the id from step 1 and try to get root site permission by {MSURL}/sites/{siteId}/permissions Response: 200 { "@odata.context": "{MSURL}$metadata#sites('siteId')/permissions", "value": [] } 3. Now, I tried to list all the sites available by using {MSURL}/sites/{siteId}/sites Response was 200 and I got a list of sites. Perfect! 4. After that I tied to get any site's permission by using 4.a. Using: {MSURL}/sites/{anySiteId}/permissions Response 400 "error": "code": "notSupported", "message": "Operation not supported",

4.b. Using: {MSURL}/sites/{siteId}/site/{anySiteId}/permissions Response 400 "error": code":"BadRequest", "message":"Resource not found for the segment 'site'."

Answer 3

As mentioned by @Danstan and I also verified that Graph API is not returning the site's permission.
So, @Bunting (US), Moses or whoever is looking for an alternate solution to this issue.
And the solution to get a site's permission or the groups and members of the site is by using Microsoft.SharePoint.Client.

Code example(https://www.c-sharpcorner.com/blogs/get-available-site-groups-using-csom1):

//Get Site Url fro user      
            Console.Write("Enter Site URL: ");    
            string strURL = Console.ReadLine();    
    
            //Get Username from user in the format of (Domain/Login ID)      
            Console.Write("Enter UserName (domain/userid): ");    
            string strUserName = Console.ReadLine();    
    
            Console.Write("Enter your password: ");    
            string pass = getPassword();    
            Console.WriteLine();    
    
            ClientContext ctx = new ClientContext(strURL);    
            ctx.Credentials = new NetworkCredential(strUserName, pass);    
            Web web = ctx.Web;    
            //Parameters to receive response from the server      
            //SiteGroups property should be passed in Load method to get the collection of groups      
            ctx.Load(web, w => w.Title, w => w.SiteGroups);    
            ctx.ExecuteQuery();    
    
            GroupCollection groups = web.SiteGroups;    
                
            Console.WriteLine("Groups associated to the site: " + web.Title);    
            Console.WriteLine("Groups Count: " + groups.Count.ToString());    
            foreach(Group grp in groups)    
            {    
                Console.WriteLine(grp.Title);    
            }    

Answer 4

@suresh yadaw , @Danstan
I have also tried to use this Get for site permissions in PowerShell and I do get a 200 response but it does not list the permissions like the documentation states. I also need all of the permissions, SharePoint groups, users, and Office 365 groups.

My Azure application does have Sites.FullControl.All and is granted by admin.

I am using the following to connect:

Connect-PnPOnline -Url https://HIDDEN.sharepoint.com/ -ClientId HIDDEN -Tenant "HIDDEN.onmicrosoft.com" -Thumbprint HIDDEN  

Then these statements to gather the permissions for the site:

$baererToken = (Get-PnPGraphAccessToken)  
$headers = @{ Authorization=("Bearer " + $baererToken) }  
$webRequest = Invoke-WebRequest –Uri "https://graph.microsoft.com/v1.0/sites/HIDDEN/permissions" –Method Get -Headers $headers  

The following is what is returned and this is also what is returned when I use Graph Explorer:

StatusCode : 200
StatusDescription : OK
Content : {"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#sites('HIDDEN.sharepoint.com%2CHIDDEN%2CHIDDEN')/permissions","value":[]}
RawContent : HTTP/1.1 200 OK
Transfer-Encoding: chunked
Strict-Transport-Security: max-age=31536000
request-id: HIDDEN
client-request-id: HIDDEN
x-m...
Forms : {}
Headers : {[Transfer-Encoding, chunked], [Strict-Transport-Security, max-age=31536000], [request-id,
HIDDEN], [client-request-id, HIDDEN]...}
Images : {}
InputFields : {}
Links : {}
ParsedHtml : mshtml.HTMLDocumentClass
RawContentLength : 203

Executing the following:

$webRequest = Invoke-WebRequest –Uri "https://graph.microsoft.com/v1.0/sites/HIDDEN" –Method Get -Headers $headers  

Actually returns what I would expect for this request.

Answer 5

Graph API currently doesn't have site permission end points. Alternatively we can try to use REST end points.

_api/web/SiteGroups/GetByName('Group Name')/Users
_api/web/SiteGroups/GetById(3)/Users?$filter=Email eq 'UserEmail@tiedtlaw email .com'

https://sharepointcass.com/2021/04/15/sharepoint-online-rest-apis-part-v-sharepoint-groups/