Issues using Sites.Selected permissions for service principals

Jacob Steentoft 1 Reputation point
2021-10-13T11:59:06.08+00:00

Hi,

I've been facing some issues giving access to SharePoint to our developers using the MS Graph when using Sites.Selected. All other permissions that we've tested have not been a problem when using service principals for authenticating.
I've used the following procedure: https://learn.microsoft.com/en-us/graph/api/site-post-permissions?view=graph-rest-1.0&tabs=http to assign the permissions to the service principals.

The first issue is when using Managed Identities to read data from lists. Using GET requests against the Graph we get a 403 Forbidden despite the necessary permissions being assigned.
I've tried using both the read and write permissions for Sites.Selected for: https://graph.microsoft.com/v1.0/sites/{SiteID}/lists/{ListID}/items. Both produce the following error:
    {
      "error": {
        "code": "accessDenied",
        "message": "Access denied",
        "innerError": {
          "date": "2021-10-13T11:18:28",
          "request-id": removed,
          "client-request-id": removed
        }
      }
    }
Note that the same URI works fine when using Sites.Read.All.

The other issue is when using service principals and authenticating with a client credential flow. Lists can then be read, but we cannot create items. We get the same 403 forbidden error as above.


4 answers

  1. RaytheonXie_MSFT 40,481 Reputation points Microsoft External Staff
    2021-10-14T07:29:13.743+00:00

    Hi @Jacob Steentoft ,
    I have tested https://graph.microsoft.com/v1.0/sites/{SiteID}/lists/{ListID}/items by following these steps and the URL works well on my end. Please check the following steps:
    1 Add the permission of Sites.Selected and grant admin consent
    2 Create permission

        POST https://graph.microsoft.com/v1.0/sites/{sitesId}/permissions
        Content-Type: application/json

        {
          "roles": ["write"],
          "grantedToIdentities": [{
            "application": {
              "id": "{Application (client) ID}",
              "displayName": "Contoso Time Manager App"
            }
          }]
        }


    3 Get access token
    The URL and body should be like the following:

    https://login.microsoftonline.com/{{directoryId}}/oauth2/v2.0/token

    KEY             VALUE
    grant_type      client_credentials
    client_id       {{azureApp_clientId}}
    client_secret   {{azureApp_clientSecret}}
    scope           https://graph.microsoft.com/.default


    Then copy the following code to Tests and click Send:

    var json = JSON.parse(responseBody);
    postman.setEnvironmentVariable("azureApp_bearerToken", json.access_token);


    We will get a long access_token string like in the following picture.
    Set the request header like the following and retrieve the data:

    KEY             VALUE
    Authorization   Bearer {AccessToken}



    If an Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
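    The helper below, added here as an example (it is not code from this thread or from Microsoft), covers the steps above and the question's case of reads succeeding while item creation returns 403: it builds the client-credentials token request, builds the site permission grant with the application (client) ID rather than the tenant ID, and checks which roles a GET /sites/{siteId}/permissions response actually grants to an app. The GUIDs and SAMPLE_PERMISSIONS payload are constructed; the response shape (a value array with roles and grantedToIdentities) is assumed from the Graph site permission documentation.

```python
import urllib.parse

def token_request(tenant_id, client_id, client_secret):
    """Step 3: URL and form body for the client-credentials token call."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    return url, body

def grant_body(app_client_id, display_name, roles=("read",)):
    """Step 2: body for POST /sites/{siteId}/permissions. The id is the
    app registration's Application (client) ID, not the Directory (tenant) ID."""
    return {"roles": list(roles),
            "grantedToIdentities": [{"application": {
                "id": app_client_id, "displayName": display_name}}]}

def roles_granted_to(permissions_json, app_client_id):
    """Collect the roles a GET /sites/{siteId}/permissions response grants to
    one app. An empty set is why a Sites.Selected token gets accessDenied."""
    roles = set()
    for perm in permissions_json.get("value", []):
        for ident in perm.get("grantedToIdentities", []):
            if ident.get("application", {}).get("id") == app_client_id:
                roles.update(perm.get("roles", []))
    return roles

def check_access(permissions_json, app_client_id, need):
    """Return (ok, reason) for a required role: 'read' to list items,
    'write' to create them, so a 403 can be explained before calling Graph."""
    have = roles_granted_to(permissions_json, app_client_id)
    if need in have:
        return True, f"app {app_client_id} has roles {sorted(have)}"
    if not have:
        return False, f"no grant for app {app_client_id}; was the tenant ID used instead of the client ID?"
    return False, f"app {app_client_id} has {sorted(have)} but needs '{need}'"

# Constructed sample of a GET /sites/{siteId}/permissions response (hypothetical GUIDs).
SAMPLE_PERMISSIONS = {"value": [
    {"id": "p1", "roles": ["write"], "grantedToIdentities": [{"application": {
        "id": "11111111-1111-1111-1111-111111111111", "displayName": "Other App"}}]},
    {"id": "p2", "roles": ["read"], "grantedToIdentities": [{"application": {
        "id": "22222222-2222-2222-2222-222222222222", "displayName": "Contoso Time Manager App"}}]},
]}
```

    With SAMPLE_PERMISSIONS, the Contoso app passes the "read" check and fails the "write" check, which matches the thread's symptom of readable lists but a 403 on item creation until an admin grants the write role.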


  2. LPFreelance 1 Reputation point
    2022-03-07T13:42:03.893+00:00

    Hi @RaytheonXie_MSFT ,

    As a developer, I'm trying to implement a limited access to a SharePoint site using application level authentication (without a user).

    I followed the steps as you described, but I could not grant a read permission (point 2).

    Before sending a POST request to add a read permission, I've tried a GET request:

    GET https://graph.microsoft.com/v1.0/sites/{sitesId}/permissions

    When executing this request (within Graph Explorer), the response is (Forbidden - 403):

    {  
        "error": {  
            "code": "accessDenied",  
            "message": "Access denied",  
            "innerError": {  
                "date": "2022-03-07T13:02:42",  
                "request-id": "...",  
                "client-request-id": "..."  
            }  
        }  
    }  
    

    I've asked an administrator to do so.
    However, the tool responds with:

    You need to consent to the permissions on the Modify permissions (Preview) tab

    And in this tab, the following line shows up:

    Permission: N/A
    Description: Consent description unavailable

    This is somewhat not helpful, and clicking on "Consent" button opens a popup with following error:

    Message: AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope N/A openid profile offline_access is not valid. The scope format is invalid. Scope must be in a valid URI form <https://example/scope> or a valid Guid <guid/scope>.

    Any help would be much appreciated.

    Best regards.


  3. LPFreelance 1 Reputation point
    2022-03-07T14:20:52.34+00:00

    Well, it finally worked after asking the administrator to add "Sites.FullControl.All" consent in Graph Explorer, using "Select permissions" in the "..." button.

    If I may, this complete procedure is not explicitly described in the official documentation of the Microsoft Graph Api. It would have been much appreciated.
    Furthermore, in the Azure AD portal, when selecting the "Sites.Selected" permission in an application, the tooltip says:

    Allow the application to access a subset of site collections without a signed in user. The specific site collections and the permissions granted will be configured in SharePoint Online.

    This last part might directly redirect to a detailed solution instead, or explicitly inform the reader that Sites.FullControl.All is mandatory.


  4. Sai Pratheek Banda 1 Reputation point
    2022-04-27T14:49:03.103+00:00

    @LPFreelance

    In the process that @RaytheonXie_MSFT mentioned, I was unable to work with Step 2. This is a permission I believe an admin needs to grant.
    Once the admin granted the "Edit" permission, I could access the site/contents.

    In conclusion, I do not believe Sites.FullControl.All is mandatory.
