How to programmatically get the permissions of all Sharepoint sites?

Lars Petersson 6 Reputation points

As part of a larger task, I have been asked to get a list of all guest users with access to Teams and/or SharePoint sites.

I was under the impression that I could get this by using REST API & MS Graph and getting a list of all SharePoint Sites using and then use the IDs with<ID>/permissions in order to get the permissions. But that returns an empty value.
Prior to getting the permission ' Sites.FullControll.All', this command was erroring, while now it is not, so presumably it is working as intended.

So, how would I go about getting the permissions for all Teams & SharePoint sites in our org? It seems like something Graph should be able to do, but after spending days on it, I have not been able to find a way to do it.
I've been using Graph more and more for tasks, but this seems a bit of a blocker for me.

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
9,940 questions
SharePoint Development
SharePoint Development
SharePoint: A group of Microsoft Products and technologies used for sharing and managing content, knowledge, and applications.Development: The process of researching, productizing, and refining new or existing technologies.
2,547 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Sahil Deshmukh 6 Reputation points

    Hi, I am having the same issue as above. We are using the exact c# code as above but we are getting an empty list of values: []. We have verified that sharepoints sites in our domain have groups and permissions set up. Any update on this?

    1 person found this answer helpful.
    0 comments No comments

  2. CarlZhao-MSFT 34,701 Reputation points

    Hi @Lars Petersson

    You need to call two apis in one namespace. First get the collection of sites, then traverse to get the id of each site, and then use the siteId as a parameter to get the permissions of each site.

    using Microsoft.Graph;  
    using Microsoft.Graph.Auth;  
    using Microsoft.Identity.Client;  
    using Newtonsoft.Json;  
    using System;  
    using System.Collections.Generic;  
    namespace test  
        class Program  
            static async System.Threading.Tasks.Task Main(string[] args)  
                IConfidentialClientApplication app;  
                app = ConfidentialClientApplicationBuilder.Create("{client id}")  
                        .WithClientSecret("{client secret}")  
                        .WithAuthority(new Uri("{tenant id}"))  
                AuthenticationResult result = null;  
                string[] scopes = new string[] { "" };  
                result = await app.AcquireTokenForClient(scopes).ExecuteAsync();  
                string accesstoken = result.AccessToken;  
                ClientCredentialProvider authProvider = new ClientCredentialProvider(app);  
                GraphServiceClient graphClient = new GraphServiceClient(authProvider);  
                var queryOptions = new List<QueryOption>()  
        new QueryOption("search", "*")  
                var sites = await graphClient.Sites  
                for (var i = 0; i < sites.Count; i++)  
                        var siteId = sites[i].Id.ToString();  
                        var permissions = await graphClient.Sites[siteId].Permissions.Request().GetAsync();  
                        Console.WriteLine("permissions:" + JsonConvert.SerializeObject(permissions));  


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.