This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 25%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELS%3C/text%3E%3C/svg%3E)
Hello all,
I have a question regarding Graph API Permissions (Sites.Read.All i.e.) and the permission I setup in Sharepoint directly (Edit, Read, Full Control etc.). I have an application which accesses Sharepoint list, the list is setup to "Read items, that were created by the user" and the user has edit and read permissions in sharepoint. When reading the list via Graph API (with Sites.Read.All) he only can read his entries which is perfectly fine. Another user which hast full control permissions can see all entries but when he tries to read the list via Graph API (with Sites.Read.All) he is not able to see all entries. When accessing with i.e. Sites.Manage.All he is able to see which makes sense (somehow) but when the user which has got only Edit and Read permissions hast got the same Scope in the Graph API he also can read all entries.
How does those Graph API Permissions and Sharepoint Permissions play together, or do I have something misunderstood?
Would be nice to hear back from you
Best regards
Lars
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 38%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETZ%3C/text%3E%3C/svg%3E)
Hi @Lars Schweikardt ,
I am currently doing some research on this issue, will let you know as soon as possible.
Hi @Lars Schweikardt ,
According to my research and testing, users who have full control can use 'Sites.Read.All' to read items in all site collections.
Reference:
https://learn.microsoft.com/en-us/graph/permissions-reference#sites-permissions
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi @Lars Schweikardt ,
I am checking to see if the problem has been resolved.
If there's anything you'd like to know, feel free to let me know.
Looking forward to your reply.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(147.20000000000002, 20%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESK%3C/text%3E%3C/svg%3E)
Hi Tong,
Seems this API only lists the permission of the DriveItems. We can't able to fetch the site permissions like Owners, Secondary admin, site users like that.
So this does not seem to work for us, our app is consented for instance Sites.Read.All and the user has only Read rights (plus the list has the option enabled "Read items, that were created by the user") it works perfectly fine but in case Sites.Manage.All is consented he can read everything even though the documentation states for delegated permissions:
"For delegated permissions, the effective permissions of your app are the least-privileged intersection of the delegated permissions the app has been granted (by consent) and the privileges of the currently signed-in user. Your app can never have more privileges than the signed-in user."