
How do I get group memberships for Sharepoint Sitegroups

Ahmed Shamim 0 Reputation points
2026-03-29T08:34:19.4433333+00:00

Hi Microsoft Team,

I need to find the list of Entra users and groups who have permissions to read files in a Sharepoint site.

I am using client credentials flow with an Entra App Registration, which has both Sites.Selected and Sites.Read.All API Application permissions for both Graph and Sharepoint.

Using graph API /drives/DRIVE_ID/items/ITEM_ID/permissions, I can see the sharepoint file grants: some assignees are sharepointGroups (or siteGroups) and some Azure Entra Groups.

How can I get the membership of the Sharepoint Site groups? My goal is to find the emails of the members and then use the emails to resolve the oids in Azure Entra.

Referring to the information provided in this thread, I am querying the following Sharepoint REST API, using an Azure App Registration (client credentials flow with a secret)

SITE_URL/_api/web/sitegroups/getbyname(GROUP_NAME)/users

However, I am getting the 401 Error: Unsupported app only token

Can you please help? What exactly needs to be configured for the App Registration and what needs to be configured on the Sharepoint Site?

Microsoft 365 and Office | SharePoint | Development

2 answers

  1. Rin-L 17,805 Reputation points Microsoft External Staff Moderator
    2026-03-29T10:42:23.2766667+00:00

    Hi @Ahmed Shamim,

    I hope you're having a great day.

    The 401 “Unsupported app only token” you’re hitting when calling SITE_URL/_api/web/sitegroups/getbyname(GROUP_NAME)/users is actually expected with your current setup. The key detail here is that SharePoint Online REST APIs do not accept app‑only tokens that are issued using a client ID and client secret. Even though this flow works well with Microsoft Graph, SharePoint REST is stricter and only supports app‑only access when the token is issued using certificate‑based authentication.

    To move forward, you’ll need to update your existing Entra ID app registration to use a certificate instead of a secret. This can be a self‑signed certificate if you like. You upload the public key of that certificate to the app registration, then use the private key to request an access token via the client‑credentials flow using a JWT client assertion instead of a client secret. When requesting the token, make sure you are targeting SharePoint directly by using the scope https://{tenant}.sharepoint.com/.default, rather than the Microsoft Graph scope.

    It’s also important to double‑check that the permissions are granted on the SharePoint API itself, not just on Graph. The app should have application permissions such as Sites.Read.All, or Sites.FullControl.All if your scenario requires broader access, and admin consent must be granted. Once this is in place and you’re authenticating with a certificate‑based app‑only token, SharePoint will accept the call and you’ll be able to enumerate the users inside the site groups as expected.

    After that, your overall approach makes sense. You can resolve SharePoint site group membership through the REST API, extract user emails, and then map those back to Entra ID users and object IDs, combining that data with what you already see from the Graph permissions endpoint.

    If you want to dig deeper, the following references walk through this model in detail and are worth a look:

    I hope this answer provides some helpful context for your reference. If you have any updates or further questions, please feel free to leave a comment under this post. I'll be more than happy to follow up and assist further within my scope.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". 

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.  
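The flow the answer above describes, as an added example that is not code from the thread or from Microsoft: build a JWT client assertion signed with the app certificate, exchange it for a token scoped to https://{tenant}.sharepoint.com/.default, call the sitegroups REST endpoint, and split the result into user emails and nested Entra group object IDs. The tenant, site and group names and SAMPLE_PAYLOAD are constructed; the PrincipalType values and the Entra group claim prefixes are assumptions about SharePoint's response format, not something the thread states.

```python
"""Certificate-based app-only call to SharePoint REST to list site group members.
Added example, not code from the thread: tenant/site/group names and SAMPLE_PAYLOAD
are constructed, and the PrincipalType values and claim prefixes are assumptions."""
import base64
import hashlib
import json
import time
import urllib.parse
import urllib.request
import uuid

CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
ENTRA_GROUP_PREFIXES = ("c:0t.c|tenant|", "c:0o.c|federateddirectoryclaimprovider|")

def b64url(data):
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def x5t_thumbprint(cert_der):
    """JWT 'x5t' header value: base64url(SHA-1(DER certificate))."""
    return b64url(hashlib.sha1(cert_der).digest())

def sharepoint_scope(tenant_name):
    """Token scope that targets SharePoint itself rather than Microsoft Graph."""
    return f"https://{tenant_name}.sharepoint.com/.default"

def build_client_assertion_claims(tenant_id, client_id, now=None, lifetime=600):
    """Claims of the client-assertion JWT accepted by the v2.0 token endpoint."""
    now = int(time.time()) if now is None else now
    return {
        "aud": f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
        "iss": client_id,
        "sub": client_id,
        "iat": now,
        "nbf": now,
        "exp": now + lifetime,      # keep the assertion short-lived
        "jti": str(uuid.uuid4()),   # unique per assertion so a captured one cannot be replayed
    }

def sign_client_assertion(claims, cert_der, private_key_pem):
    """RS256-sign header.payload with the app's private key ('cryptography' package,
    imported lazily so the offline helpers in this file run without it)."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    header = {"alg": "RS256", "typ": "JWT", "x5t": x5t_thumbprint(cert_der)}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims))
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    sig = key.sign(signing_input.encode(), padding.PKCS1v15(), hashes.SHA256())
    return f"{signing_input}.{b64url(sig)}"

def request_sharepoint_token(tenant_id, tenant_name, client_id, assertion):
    """Client-credentials grant using the JWT assertion instead of a client secret."""
    form = urllib.parse.urlencode({
        "client_id": client_id,
        "grant_type": "client_credentials",
        "scope": sharepoint_scope(tenant_name),
        "client_assertion_type": CLIENT_ASSERTION_TYPE,
        "client_assertion": assertion,
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=form)) as resp:
        return json.load(resp)["access_token"]

def site_group_users_url(site_url, group_name):
    """The REST URL from the thread; OData string literals double any embedded quote."""
    literal = urllib.parse.quote(group_name.replace("'", "''"), safe="'")
    return f"{site_url}/_api/web/sitegroups/getbyname('{literal}')/users"

def fetch_site_group_users(site_url, group_name, token):
    """GET the group's members with the certificate-based SharePoint token."""
    req = urllib.request.Request(site_group_users_url(site_url, group_name), headers={
        "Authorization": f"Bearer {token}", "Accept": "application/json;odata=nometadata"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def extract_members(payload):
    """Split a /users payload into direct user emails and nested Entra group object IDs
    (PrincipalType 1 = user, 4 = security group; IDs follow an Entra claim prefix)."""
    emails, group_oids = set(), set()
    for principal in payload.get("value", []):
        ptype, login = principal.get("PrincipalType"), principal.get("LoginName", "")
        if ptype == 1 and principal.get("Email"):
            emails.add(principal["Email"].lower())
        elif ptype == 4 and login.startswith(ENTRA_GROUP_PREFIXES):
            group_oids.add(login.rsplit("|", 1)[1].removesuffix("_o"))
    return {"emails": sorted(emails), "group_oids": sorted(group_oids)}

# Constructed sample of an odata=nometadata response covering the cases above.
SAMPLE_PAYLOAD = {"value": [
    {"PrincipalType": 1, "Email": "Alice@contoso.example", "LoginName": "i:0#.f|membership|alice@contoso.example"},
    {"PrincipalType": 1, "Email": "", "LoginName": "i:0#.f|membership|svc@contoso.example"},
    {"PrincipalType": 4, "Email": "", "LoginName": "c:0t.c|tenant|11111111-2222-3333-4444-555555555555"},
    {"PrincipalType": 4, "Email": "", "LoginName": "c:0o.c|federateddirectoryclaimprovider|66666666-7777-8888-9999-000000000000_o"},
]}

if __name__ == "__main__":
    print(json.dumps(extract_members(SAMPLE_PAYLOAD), indent=2))
```

Two points worth noting when running this for real: the certificate's private key is now the app's credential, so it belongs in a key store (Key Vault or an HSM) rather than on disk next to the script, and a site group can contain Entra groups as well as users, which is why extract_members returns the nested group object IDs separately; those still need to be expanded through Graph before the list of people who can read the files is complete.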


  2. Q&A Assist
    2026-03-29T08:34:35.9566667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The 401 "Unsupported app only token" occurs because classic SharePoint REST (_api/web/...) does not accept the Microsoft Graph-style app-only token being used with Sites.Selected. The current context only documents:

    • How SharePoint authorization works in general (role assignments, groups, inheritance).
    • How to restrict access to SharePoint sites via Microsoft 365/Entra groups.
    • How to grant app-only access to specific sites using Resource Specific Consent (Sites.Selected) via Microsoft Graph or PnP PowerShell.

    From this context, the following points are supported:

    1. SharePoint authorization is role-based. Users and groups (including SharePoint groups) are assigned to roles on sites, lists, items, etc. A user only has access if they are in a group that has a role assignment on the object.
    2. Microsoft 365 groups and Microsoft Entra security groups can be used to control access to SharePoint sites, including via Restricted Access Control. However, adding a user to such a group does not itself grant access; the group must also have permissions on the site or content.
    3. For app-only access to specific sites with Sites.Selected, explicit site permissions must be granted to the app using either:
      • Microsoft Graph: POST https://graph.microsoft.com/v1.0/sites/{siteId}/permissions with a body that assigns read|write|manage|fullcontrol to the application, or
      • PnP PowerShell: Grant-PnPAzureADAppSitePermission -AppId {client-id} -Permissions <Read|Write|Manage|FullControl> -Site {site-object}.

    What can be concluded from this context for the scenario:

    • The app must have explicit site-level permission (via Sites.Selected) granted using Graph or PnP PowerShell before it can access that site.
    • The context does not provide a supported method or API shape for enumerating SharePoint site group membership via app-only tokens, nor does it describe how to make _api/web/sitegroups/... work with the token type in use.
    • The context does not document any mapping or resolution process from SharePoint group members to Entra object IDs or emails via Graph.

    Because the necessary details for:

    • enabling _api/web/sitegroups/getbyname(...)/users with app-only tokens, or
    • an alternative supported API to list SharePoint site group members with app-only access,

    are not present in the provided material, no further configuration or step-by-step resolution can be given based on this context alone.


    References:

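The Graph side of the site-level grant that the answer above lists under point 3, as an added example that is not code from the thread or from Microsoft: it builds the POST /sites/{siteId}/permissions body for an application grant, rejects roles outside the four the answer names, and reads back a permissions listing so an operator can confirm an app holds only the roles it needs. The app and site identifiers and SAMPLE_LISTING are constructed placeholders.

```python
"""Added example (not from the thread): the Sites.Selected site-level grant through
Microsoft Graph mentioned in the answer above, plus a check of what an app was granted.
Site ID, app IDs and SAMPLE_LISTING are constructed placeholders."""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
ALLOWED_ROLES = {"read", "write", "manage", "fullcontrol"}  # the roles the answer names

def build_site_permission_grant(app_id, display_name, roles):
    """Body of POST /sites/{siteId}/permissions granting an application roles on a site.
    Unknown roles raise, so a typo cannot silently turn into a broader grant."""
    roles = sorted(set(roles))
    unknown = [r for r in roles if r not in ALLOWED_ROLES]
    if not roles or unknown:
        raise ValueError(f"unsupported roles: {unknown or 'none given'}")
    return {"roles": roles,
            "grantedToIdentities": [{"application": {"id": app_id, "displayName": display_name}}]}

def graph_request(path, token, body=None, method="GET"):
    """Minimal Graph call. The token must belong to an app allowed to manage site
    permissions (Sites.FullControl.All), not to the Sites.Selected app being granted."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{GRAPH}{path}", data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def grant_site_permission(site_id, admin_token, app_id, display_name, roles=("read",)):
    """Grant the app the given roles on one site; 'read' is enough to list files."""
    body = build_site_permission_grant(app_id, display_name, roles)
    return graph_request(f"/sites/{site_id}/permissions", admin_token, body, "POST")

def roles_granted_to_app(permissions_listing, app_id):
    """From GET /sites/{siteId}/permissions, collect every role granted to one app ID,
    so an operator can confirm the app holds only what it needs."""
    roles = set()
    for perm in permissions_listing.get("value", []):
        for identity in perm.get("grantedToIdentities", []):
            if identity.get("application", {}).get("id") == app_id:
                roles.update(perm.get("roles", []))
    return sorted(roles)

# Constructed sample of a permissions listing with two apps granted on the site.
SAMPLE_LISTING = {"value": [
    {"id": "perm-1", "roles": ["read"],
     "grantedToIdentities": [{"application": {"id": "app-reader", "displayName": "Reader"}}]},
    {"id": "perm-2", "roles": ["write"],
     "grantedToIdentities": [{"application": {"id": "app-reader", "displayName": "Reader"}}]},
    {"id": "perm-3", "roles": ["fullcontrol"],
     "grantedToIdentities": [{"application": {"id": "app-admin", "displayName": "Admin"}}]},
]}

if __name__ == "__main__":
    print(json.dumps(build_site_permission_grant("app-reader", "Reader", ["read"]), indent=2))
    print(roles_granted_to_app(SAMPLE_LISTING, "app-reader"))  # ['read', 'write']
```

Running roles_granted_to_app against the live listing after the grant is the quick way to catch an app that accumulated "write" or "fullcontrol" on a site where the question's scenario only needs "read".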
