Graph API Permissions vs. Sharepoint Site/List Permissions

Lars Schweikardt 1 Reputation point
2022-03-11T08:19:32.497+00:00

Hello all,

I have a question regarding Graph API permissions (e.g. Sites.Read.All) and the permissions I set up in SharePoint directly (Edit, Read, Full Control, etc.). I have an application which accesses a SharePoint list; the list is set up to "Read items that were created by the user" and the user has Edit and Read permissions in SharePoint. When reading the list via the Graph API (with Sites.Read.All) he can only read his own entries, which is perfectly fine. Another user who has Full Control permissions can see all entries, but when he tries to read the list via the Graph API (with Sites.Read.All) he is not able to see all entries. When accessing with e.g. Sites.Manage.All he is able to see them, which makes sense (somehow), but when the user who has only Edit and Read permissions has the same scope in the Graph API, he can also read all entries.

How do those Graph API permissions and SharePoint permissions play together, or have I misunderstood something?

It would be nice to hear back from you.

Best regards
Lars


2 answers

  1. Tong Zhang_MSFT 9,121 Reputation points
    2022-03-14T08:29:59.923+00:00

    Hi @Lars Schweikardt ,
    According to my research and testing, users who have full control can use 'Sites.Read.All' to read items in all site collections.

    Reference:

    https://learn.microsoft.com/en-us/graph/permissions-reference#sites-permissions


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



  2. Lars Schweikardt 1 Reputation point
    2022-03-31T08:39:40.583+00:00

    So this does not seem to work for us: our app is consented for, for instance, Sites.Read.All and the user has only Read rights (plus the list has the option "Read items that were created by the user" enabled); that works perfectly fine, but in case Sites.Manage.All is consented he can read everything, even though the documentation states for delegated permissions:

    "For delegated permissions, the effective permissions of your app are the least-privileged intersection of the delegated permissions the app has been granted (by consent) and the privileges of the currently signed-in user. Your app can never have more privileges than the signed-in user."

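The rule quoted above only applies to delegated calls, i.e. calls made with a token that carries a signed-in user and a `scp` claim. A token obtained with application permissions (client credentials) carries a `roles` claim instead, has no user, and is not intersected with anyone's SharePoint privileges. Before comparing what two users "can see", it is worth checking which kind of token the app actually sends and which Sites.* scopes landed in it, because a token issued after consent to Sites.Manage.All normally lists every Sites.* scope the app has been granted, not just the one the call needs. The following is an added Python example, not code from this thread or from Microsoft; it inspects an access token locally without verifying the signature (inspection only, never an authorization check). The sample tokens, the `contoso.example` user and the `make_fake_token` helper are constructed for the example.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT signature verification.

    This is for looking at a token you already hold (e.g. from a debugger or
    proxy); it must never be used to decide whether a request is authorized.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


# Graph Sites.* permissions, least to most privileged (Sites.Selected is
# scoped per site and listed separately). The ordering is an assumption
# drawn from the permissions reference, not something the thread states.
SITES_RANK = ["Sites.Read.All", "Sites.ReadWrite.All", "Sites.Manage.All", "Sites.FullControl.All"]


def classify_graph_token(token: str) -> dict:
    """Tell a delegated token (user-bound, SharePoint permissions still apply)
    from an application token (app-only, no user to intersect with)."""
    claims = decode_claims(token)
    scopes = claims.get("scp", "").split()   # delegated: space-separated string
    roles = list(claims.get("roles", []))    # application: JSON array
    if scopes:
        kind = "delegated"
    elif roles:
        kind = "application"
    else:
        kind = "unknown"
    granted = scopes or roles
    sites = [p for p in SITES_RANK if p in granted]
    return {
        "kind": kind,
        "user": claims.get("upn") or claims.get("preferred_username"),
        "scopes": scopes,
        "roles": roles,
        # Item-level SharePoint permissions (like "read items created by the
        # user") are only intersected with a signed-in user's privileges.
        "sharepoint_user_permissions_apply": kind == "delegated",
        "broadest_sites_permission": sites[-1] if sites else None,
    }


def make_fake_token(payload: dict) -> str:
    # Constructed sample token: dummy header, dummy signature. Test input only.
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.fakesignature"


if __name__ == "__main__":
    delegated = make_fake_token({
        "aud": "https://graph.microsoft.com",
        "upn": "lars@contoso.example",          # constructed user
        "scp": "Sites.Read.All Sites.Manage.All User.Read",
    })
    app_only = make_fake_token({
        "aud": "https://graph.microsoft.com",
        "roles": ["Sites.Read.All"],
    })
    for t in (delegated, app_only):
        print(json.dumps(classify_graph_token(t), indent=2))
```

If the token for the "Read-only" user already shows `Sites.Manage.All` in `scp`, the Graph call is being made with that broader scope regardless of which permission the code "intended"; if the token shows `roles` and no user, the call is app-only and SharePoint's per-user restrictions are not expected to apply at all.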