The "Sites.Selected" permission is not working anymore

David GROSPELIER 26 Reputation points
2022-05-16T16:32:52.213+00:00

Hi,
I have an app using the graph API to query several lists of a particular SharePoint site.
I added the Sites.Selected permission for this app a few months ago and it worked just fine until today.
Today, when my app calls the graph API to retrieve data from this site, it receives a 403 permission denied.

I tried to push the permission again with the "POST" /permission Graph API (as I used to do in the past), and now I get a "not supported" error, as if this API is not working anymore.

We tried to find if there were breaking changes on the Graph API operations we rely on, but we found nothing.


Accepted answer
  1. RaytheonXie_MSFT 32,241 Reputation points Microsoft Vendor
    2022-05-18T09:49:40.84+00:00

    Hi @David GROSPELIER ,
    This has been acknowledged by MS as an unexpected service issue and can be tracked as SP381039.

    Title: Users may see 'Access Denied' errors when using Graph APIs for SharePoint Online

    User Impact: Users may see 'Access Denied' errors when using Graph APIs for SharePoint Online.

    Current status: We've identified that components of the authentication feature are unexpectedly not present in some users' environments thus resulting in the Graph API access requests to fail. We're redeploying the affected feature within impacted environments to remediate impact. In parallel, we're investigating recent feature changes to identify why the components are unexpectedly not present.

    Next update by: Tuesday, May 17, 2022, at 5:00 PM UTC


    Latest update from MS, received 17 May 16:45:

    Current status: We've confirmed that a recent feature deployment misconfiguration has prevented components associated with the authentication feature from being available in a group of customer environments, which is producing 'Access Denied' errors when using Graph APIs for SharePoint Online. We've confirmed that our redeployment of the authentication feature to some impacted environments has resolved the impact. We're now redeploying the feature to all affected remaining environments, which is expected to remediate impact.

    Scope of impact: This issue may potentially affect any of your users attempting to utilize Graph APIs for SharePoint Online.

    Root cause: A recent feature deployment misconfiguration has prevented an authentication feature from being available in a group of customer environments, resulting in impact.

    Next update by: Tuesday, May 17, 2022, at 9:30 PM UTC


6 additional answers

  1. Christoph Berthoud 6 Reputation points
    2022-05-17T02:22:16.21+00:00

    Also facing the issue. Luckily we own all the SPs with this permission and can replace Sites.Selected with Sites.ReadWrite.All as a workaround

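Added example (not part of the thread or of any poster's code): a Python check that decodes an app-only access token's `roles` claim to confirm whether an app is still scoped to Sites.Selected or has been widened to a tenant-wide role such as the Sites.ReadWrite.All workaround mentioned above. The function names and the sample tokens are constructed for illustration, and the payload is decoded without signature verification, for inspection only.

```python
import base64
import json

# Tenant-wide SharePoint application roles in Microsoft Graph. The
# Sites.ReadWrite.All workaround from the thread is one of them.
BROAD_ROLES = {"Sites.Read.All", "Sites.ReadWrite.All",
               "Sites.Manage.All", "Sites.FullControl.All"}


def jwt_claims(token):
    """Decode a compact JWT payload for inspection (signature NOT verified)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_token(token):
    """Classify the SharePoint reach of an app-only token from its roles claim."""
    claims = jwt_claims(token)
    roles = set(claims.get("roles", []))
    broad = sorted(roles & BROAD_ROLES)
    if broad:
        verdict = "tenant-wide"          # token can reach every site
    elif "Sites.Selected" in roles:
        verdict = "site-scoped"          # access depends on per-site grants
    elif roles:
        verdict = "no-sharepoint-roles"
    else:
        verdict = "no-app-roles"         # e.g. a delegated token (scp claim)
    return {"appid": claims.get("appid") or claims.get("azp"),
            "roles": sorted(roles), "broad_roles": broad, "verdict": verdict}


def make_token(claims):
    """Build an unsigned sample token (constructed, for the demo only)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.unsigned"


if __name__ == "__main__":
    # Constructed samples: before and after applying the workaround.
    for roles in (["Sites.Selected"], ["Sites.Selected", "Sites.ReadWrite.All"]):
        print(audit_token(make_token({"appid": "sample-app-id", "roles": roles})))
```

A "site-scoped" verdict on a token that still gets a 403 means the token itself carries the expected role, so the place to look is the per-site grant or the service. A "tenant-wide" verdict marks an app whose workaround should be reverted once Sites.Selected works again.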

  2. RaytheonXie_MSFT 32,241 Reputation points Microsoft Vendor
    2022-05-17T08:02:28.353+00:00

    Hi @David GROSPELIER ,
    Per my test, I can reproduce your issue. I recommend that you raise a new ticket with admin center support.

    ===================================

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  3. RajeshKumarMSFT 1,971 Reputation points Microsoft Vendor
    2022-05-17T17:23:47.243+00:00

    Hi @David GROSPELIER ,

    Hope you are doing well.

    I could see the same issue at my end.
    The Microsoft product engineering team has acknowledged this issue and is working on rolling out a fix globally.
    Will keep you posted with updates on this.

    Hope this helps.
    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have further questions about this answer, please click "Comment".


  4. Preeti Teotia 96 Reputation points Microsoft Employee
    2022-06-22T13:55:30.943+00:00

    Hi @David GROSPELIER ,

    I am still facing the issue.

    I have registered an app with the "Sites.Selected" permission and granted the role using the PnP PowerShell cmdlet:

    Grant-PnPAzureADAppSitePermission -AppId 'AzureAppIdwithSitesdotselectedpermission' -DisplayName 'App Name here' -Site 'https://tenantname.sharepoint.com/sites/sitename' -Permissions Read  
    

    With this I am able to get the bearer token, but when I try to call the search API query https://tenantname.sharepoint.com/_api/search/query?querytext=%27test%27

    I get the error:

    No User or App Context found  
    

    If anyone has the answer, please reply.
