![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 60%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAG%3C/text%3E%3C/svg%3E)
Microsoft Security | Microsoft Graph
An API that connects multiple Microsoft services, enabling data access and automation across platforms
Yes, this behavior is expected when content approval and draft security are enabled, and it is controlled by SharePoint’s content approval and draft visibility settings rather than by the authentication method (user vs. app-only).
Key points from SharePoint content approval behavior:
- When Require content approval for submitted items is set to Yes, new or changed items are in Pending status until approved.
- While in Pending status, items are typically visible only to:
- The item’s author, and
- Users who can manage lists/libraries (for example, approvers or site owners), depending on the Draft Item Security setting.
- Draft/pending items can be hidden from general readers and from search/crawling accounts unless Draft Item Security is set to allow any user who can read items to see drafts.
From the documentation:
- Items in Pending status are visible only to the originator and people who can manage lists/libraries, unless security is configured to allow any user to read items, in which case all users with Read permissions can see them, regardless of approval status.
- Draft items are not crawled or visible to search unless Draft Item Security is set to Any user who can read items.
Given this:
- Is this expected behavior for Microsoft Graph when querying SharePoint lists with content approval enabled?
Yes. When content approval is enabled and draft item security is restrictive, items in Pending (or draft) status are not exposed to callers that do not have visibility to drafts. This is consistent with how SharePoint controls visibility of pending items.
- Is there any supported way to retrieve draft/pending items via Graph API?
Yes, but it depends on the library’s draft security configuration:
- In the library’s Versioning settings:
- Ensure Require content approval for submitted items? is set as needed.
- In Draft Item Security, choose Any user who can read items if draft/pending items must be visible to the calling principal.
When Any user who can read items is selected, draft items (including pending items) become visible to all readers, and this also allows the crawling account to see them. The same visibility rules apply to API callers.
- Does Graph operate under a “published items only” visibility model for SharePoint libraries?
Graph respects SharePoint’s content approval and draft security model:
- If draft security is restrictive (for example, only approvers and authors can see drafts), Graph will effectively behave as if only approved/published items exist for principals that do not meet those conditions.
- If draft security is relaxed to Any user who can read items, Graph can return draft/pending items as long as the app principal has sufficient permissions.
- Would switching to SharePoint REST API or Power Automate connector be required to access pending items?
Not necessarily. The underlying visibility rules are the same for:
- Microsoft Graph
- SharePoint REST API
- Power Automate connectors
If draft/pending items are hidden by content approval and draft security settings, switching APIs alone will not expose them. Instead, adjust the library’s Draft Item Security to Any user who can read items so that the app principal (with appropriate permissions) can see and retrieve pending items via Graph or other APIs.
References: