Most Efficient Way of Granting an Application Read Permission to OneDrive Sites of a Group

Question

Hi,

Is there a one-click way to grant an application read permission to access all the OneDrive sites of the users that are members of a specific group when the application only has a Sites.Selected permission?

Right now what I do to do this is to do the following (I'm doing this on another app with broader permission like User.Read.All and Sites.FullControl.All:

• Given a group id, fetch the list of user ids of the members of the group using

    https://graph.microsoft.com/v1.0/groups/<GROUP ID>/transitiveMembers?%24select=id
  

• For every user id, fetch the webUrl of the user details to get the OneDrive site URL.

    https://graph.microsoft.com/v1.0/users/<USER ID>/drive$select=webUrl
  

• Get the host name and path from the webUrl . This will be used to fetch the site id

    webUrl = https://<HOST NAME>/personal/<PATH>/
  

• Get the site id by calling

    https://graph.microsoft.com/v1.0/sites/<HOST NAME>:/personal/<PATH>?%24select=id
  

• Set read permission to the app with Sites.Selected by

    curl 'https://graph.microsoft.com/v1.0/sites/<SITE ID>/permissions' \
    -H 'Content-Type: application/json' \
    -H 'Authorization: Bearer <ACCESS TOKEN>' \
    --data '{
      "roles": ["read"],
      "grantedToIdentities": [
        {
          "application": {
            "id": "<client id of Sites.Selected app>",
            "displayName": "display"
          }
        }
      ]
    }'
  

As you can see, following these instructions can be really tedious. Is there a better way of doing this? Preferably a one-click solution where a user is only required to provide the group id then it will grant read permission to all the OneDrive sites on that group?

Answer 1

Currently, there is no one-click solution provided by Microsoft Graph API to grant an application read permission to all OneDrive sites of users in a specific group when the application only has Sites.Selected permission. The process you described is indeed the standard method, which involves multiple API calls to fetch user IDs, their OneDrive URLs, and then set permissions for each site individually.

The Sites.Selected permission requires explicit permission assignments for each site, and thus, automating this process would typically involve scripting or developing a custom application that performs these steps programmatically. However, as of now, Microsoft does not offer a built-in feature that simplifies this to a single action or click.

If you're looking for a more efficient way, consider creating a script or application that encapsulates the steps you outlined, allowing you to input just the group id and handle the rest programmatically. This could significantly reduce the manual effort involved in the process.

---

References:

• Understanding Resource Specific Consent for Microsoft Graph and SharePoint Online
• Overview of Selected permissions in OneDrive and SharePoint

Answer 2

Hi @Melvin 

Thank you for posting your question in the Microsoft Q&A forum. 

There isn’t currently a one‑click option or a single API call that grants an application read access to all users’ OneDrive sites when the app is restricted to Sites.Selected. The workflow you’re using remains the only officially supported method at this time. 

Based on my research, it is possible to streamline the process with a PowerShell script to automate the permission assignment. We’re in the process of testing this approach now, and we’ll share the full steps and our results once we’ve completed validation. 

Thank you for your patience and understanding. 

---

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.