13,726 questions
According to the official doc, you should use Sites.Read.All permissions instead of Sites.Selected permissions.
If an Answer is helpful, please click "Accept Answer" and upvote it.
Sites.Selected and Everyone except external users
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 68%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
christou
1
Reputation point
Hi everyone,
I wanted to use the MS Graph to scan (through search essentially) content that might have been shared with everyone through the "Everyone except external users" group.
I was hoping to achieve this :
* Create an app registration with the Microsoft Graph Sites.Selected permission
* Not adding any additional permission on sites hoping that by default it would access content shared to everyone
* Invoke a search query with graph to retrieve items that were indeed shared to everyone
Unfortunately it seems that you need to explicitely add the permissions to the identity at some point to make it work.
Is this by design or will the Graph evolve to work in such cases ?
Do you think of a workaround on this ?
Thanks a lot
Chris
Microsoft Security | Microsoft Graph
{count} votes
-
CarlZhao-MSFT 46,376 Reputation points2021-09-16T08:44:45.373+00:00 Which api endpoint are you calling?
-
christou 1 Reputation point
2021-09-16T13:13:51.037+00:00 To be precise, I mainly need it through the Microsoft Graph Powershell module.
The exact command I tried with is Get-MgSiteList which is supposedly using GET https://graph.microsoft.com/v1.0/sites/{site-id}/lists
Sign in to comment
1 answer
Sort by: Most helpful
-
CarlZhao-MSFT 46,376 Reputation points
2021-09-17T02:29:36.607+00:00
-
christou 1 Reputation point
2021-09-17T07:51:47.537+00:00 Hi Carl,
Thanks for the answer but this doesn't suit my need, sorry for not clarifying this from the start : I wanted to create a more simple scenario.What I am really trying to achieve is to discover any document that might have been opened to "Everyone except external users" meaning, where people have access even if they have not explicitely been given access to.
So to discover any misconfig with everyone.That for, my first idea was to use Invoke-MgQuerySearch to search for any driveItem without giving my identity any additional permission.
To test it , I know I have a site where permissions are set with Everyone except external users + documents that are thus discoverable.
The command responds with an "Access denied".But as search might sometimes be more complex, I tried with just accessing lists on the site for the example at first.
Thanks in advance for your help
Christian
-
CarlZhao-MSFT 46,376 Reputation points
2021-09-17T10:00:24.85+00:00 In this scenario, I think what you need is the
Sites.Read.Alldelegated permission, which you need to grant to your application. Then you need to log in with any user except external users and obtain an access token, and then use the token to call the api. -
christou 1 Reputation point
2021-09-17T15:27:34.24+00:00 Thank you.
So I guess that it's not possible to have this running in a task scenario ?
Our organization require MFA for all user account, that's why I needed the App Only mode as I need to schedule a script running those stuff. -
CarlZhao-MSFT 46,376 Reputation points
2021-09-20T10:00:19.39+00:00 App Only mode may not work, because you have to log in as a user, which requires you to operate in a delegated scenario.
-
CarlZhao-MSFT 46,376 Reputation points
2021-10-06T07:56:00.433+00:00 Would you please provide us with an update on the status of your issue?
-
christou 1 Reputation point
2021-10-07T07:34:39.257+00:00 Thank you for your reply but I'm still stuck on this as I see no solution.
My org has enforced MFA on every account, so if I'm not mistaken, a server-side script/job would not be able to connect in a delegated mode without granting MFA consent interactively.
If that's the case, I don't see a viable solution for my need now.
Sign in to comment -