SharePoint admin APIs are accessible via SharePoint client object model (CSOM), SharePoint REST service, and Microsoft Graph.
Overview
Here are some key principles about SharePoint admin APIs authentication and authorization:
- Each admin API defines the least-permissive permission a caller should have to call the API.
- We use role-based access control to assert a caller can call a particular admin API. If the caller has not been granted the required permission, they'll get an unauthorized access error.
Pre-Requisites
- Caller is a registered Microsoft Entra application with the right application permissions.
Authorization
SharePoint admin APIs can be called by applications registered in Microsoft Entra configured with access on behalf of a user or access without a user.
Application access on behalf of a user
Admin API operations on behalf of a user require applications to receive consent for SharePoint AllSites.FullControl application permission. This permission requires admin consent on the consuming tenant before any user from the tenant can consent to it.
Application access without a user
Admin API operations without a user require applications to receive consent for Sites.FullControl.All application permission on the SharePoint resource. This permission requires admin consent on the consuming tenant.
Important
Using application access on behalf of a user is the recommended approach. This type of access enhances the security of your tenant and improves auditability of actions performed by the application. For all applications, an administrator on the consuming tenant must consent to your application's request for permission. Learn more here.
Note
We are currently working on providing more granular, less-permissive scopes for applications to use based on what admin APIs the applications want to have access to. We'll share more information in due course when this is ready for adoption.
What's next
Here are some actions you can take next to use applications for admin API calls:
Configure your application manifest to request the required permissions for Office 365 SharePoint Online (resourceAppId:
00000003-0000-0ff1-ce00-000000000000).Grant admin consent to your application on the target tenant.
Access type Permission name resourceAccessidresourceAccesstypeOn behalf of a user AllSites.FullControl56680e0d-d2a3-4ae1-80d8-3c4f2100e3d0Scope Without a user Sites.FullControl.Alla82116e5-55eb-4c41-a434-62fe8a61c773Role Use your application to invoke admin APIs.