How to obtain ACLs for different sharepoint sites - sharepoint

Using the graph API or sharepoint REST APIs, is there a way to obtain, for each site, the list of users/o365 groups that are allowed read access to the site?
We are able to obtain the list of sites using the graph API GET /sites?search=* but cannot find a way to get the list of users allowed to access each site (except for Sharepoint team sites associates with o365 groups that we can enumerate using GET /groups/{group-id}/sites API call.
We are building a server side application so need to do this from the server using application-level permissions, and not from the client.
Pointers for how to do this are greatly appreciated!

Looks like there is no such endpoint that gets the site permissions and there are few uservoices here that are close to your scenario. Please upvote them so that it could be developed by the product team in future.

Related

Microsoft Graph API - How to Filter SharePoint sites by Site Type?

SharePoint Admins in Microsoft 365 can create Team Sites and Communication Sites using the admin center.
In addition, individual users can have Personal Sites (Otherwise known as My Sites)
Using the Microsoft Graph .NET SDK I can retrieve all sites like this:-
await client.Sites.Request().GetAsync();
However this appears to include all Team, Personal and Communication Sites. Is there a way to limit the request to only one type of site, or detect the type of each site returned from the query? I could not find anything in the documentation about this.
Edit: If there's a way to get this information via SharePoint CSOM, I would be interested in that too
Unfortunately this is not available as of now but there is a uservoice already raised. Please upvote it so that this feature may be implemented in the future.
I don't know if it can help you but I found a workaround how to differentiate between a team/communication site and a personal site.
A personal site contains in the WebUrl field the string "my.sharepoint.com/personal/", then after you make the call: var sites = await client.Sites.Request().GetAsync(); you can use this filter to retrieve only personal site: var personalSites = sites.Where(s => s.WebUrl.Contains("my.sharepoint.com/personal/")); (Microsoft does not allow to use a filter on this request directly, so this is the reason why I used the filter after fetching all sites.)

Permissions for Azure app using Microsoft Graph to read SharePoint Online

This seems like a simple question but I'm struggling to find an answer anywhere. Help! ;-)
I'm trying to use Microsoft Graph to read SharePoint lists/libraries in a SharePoint site, however this is just for one site (for our department) amongst many on our SharePoint online. I've registered an Azure AD app (with secret etc...) and requested 'application' permissions for the Microsoft Graph ('Create, edit, and delete items and lists in all site collections') and its saying 'admin consent required' is 'yes' and its currently flagged as 'not granted for *****'.
My boss is now asking - with a worried tone ;-)
will this mean the app can basically read/write/delete on all sites in
the organisations SharePoint (not just our site) if our IT department
'consent'?
I said I don't know actually... I guess I'm not entirely clear on which permissions this is for, is it just to call the Microsoft Graph API or is it for this app to access SharePoint itself? I've searched for answers to this but I'm struggling to find anywhere that says anything about giving your app permissions in SharePoint, it all seems to be about getting permissions for the Microsoft Graph to access SharePoint.
I just want the app to have permissions to read/write lists/files in this one SharePoint site, not any others (we have loads of sites for other departments). I feel like we should be adding permissions for this app (its service principal?) somewhere on the SharePoint site we want to access, but what permissions do I need to setup and where so this app can only access this one site?
Azure AD app registration now allows for granular access to SharePoint site collection, there is a new option Sites.Selected under Azure AD App Registration - Request API Permissions - refer to https://developer.microsoft.com/en-us/graph/blogs/controlling-app-access-on-specific-sharepoint-site-collections/
Unfortunately, this feature is still missing. It is not possible to limit the permissions to only one SharePoint site. It's either access to all SharePoint sites in the organisation or none. Check out the user vote for more information: here. Microsoft is still working on providing a way to limit the access to specific resources.

Secure CRUD SharePoint rest apis

Is it possible to secure SharePoint rest APIs?
I have a SharePoint portal that allows users to create accounts an get access to the portal.
The portal uses SharePoint client object model, if any of the users try to access let's say getuserbyid method or retrieving items for lists and changes the ID value, he will be able to retrieve information for other users on the portal.
So it is possible or is their any way to restrict access to the rest APIs outside the portal itself? Because with manipulation using Fiddler or burp suite the request can be replayed with different information or values.
The operations performed by the Client Side Object Model respect the SharePoint site permissions in the SharePoint site you are interacting with. You need to set/customize the site permissions such that you get the results that you want.

OneDrive REST API and Sharepoint Online

I have the app that uses OneDrive API (MS graph) to access OneDrive free accounts and OneDrive for business.
The app works fine.
In docs of the API i can see same API can be used also to access Sharepoint Online sites data.
How to do this? When i auth a user who has Sharepoint Online account with MS graph, there is only his drive (ondrive) but there is no his site listed.
How to get access to his sharepoint site too using same API?
I have found how to work with sites using the Graph API.
To get list of sites there is the call
GET /v1.0/sites/
Then use the SITEID to get list of drives (in fact, top level folders)
GET /v1.0/sites/SITEID/drives
Then to get contents of a drive user
GET /v1.0/sites/SITEID/drives/DRIVEID/root/children
And all next calls are same as for onedrive drive
However, there is the problem i still can not solve. How to create new top level folder (new drive on a site). There is no API call for this
I believe what you are looking for is the sites API. It lets you interact with a SharePoint site if you know the path or the id of the site. You can find the documentation for the api here:
https://dev.onedrive.com/resources/site.htm
There is no easy way to discover sites as of now. You can however search for a site. You can read more about it here:
https://dev.onedrive.com/sites/search.htm
This endpoint to get the list of sites is not working, so the last answer is not valid anymore.
https://graph.microsoft.com/v1.0/sites
I haven't found a way to do this, the discovery of sites, without admin consent. If the admin consent flow is not a problem you can try this workaround, use the endpoint of groups to ask for the groups that the user is member of, and you can use the groups to get the document libraries of the user.
To get the groups:
GET https://graph.microsoft.com/v1.0/me/memberOf
With the group id, you can use this endpoint:
GET https://graph.microsoft.com/v1.0/groups/{group-id}/drive
So if someone know how to do the discovery of sites for a user without admin consent, please share.
EDIT: I'm not sure why my answer was deleted, my answer basically has 2 things:
I gave notice that one answer here is not valid anymore.
I gave a possible other solution to the problem.

How to access Sharepoint site's document library via Microsoft Graph API?

I'm working on accessing document libraries for Sharepoint sites via Mircosoft Graph, but haven't had any luck so far.
Here is my setup:
I have two sites
https://mydomain.sharepoint.com
https://mydomain.sharepoint.com/teams/MyTestSite
When I make an api call to https://graph.microsoft.com/v1.0/drives, the response doesn't contain id of document library for second site (https://mydomain.sharepoint.com/teams/MyTestSite).
I have gone through documentation and haven't found anything on how to accomplish this. If anyone got any idea about this, please share.
Thanks.
I was able to figure out a solution for this. A sharepoint site is represented as a Group in Office 365. I found that out by doing some hit and trial.
So, after looking up their documentation for anything related to a Group, I got to this: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/resources/group
And, by using the List groups endpoint I was finally able to get a list of all the Sharepoint sites which the authenticated user can access.
This API call requires Group.Read.All scope while requesting access token and only Admin users can authorize this scope. So, this will need a separate interface for Admin to list groups, potentially store the group-user mapping on my app for the user to be able to make api call (/groups/{group-id}/drive/items/{item-id}) related to the drive.
The V1.0 API has a way to list your doc lib as follows
GET https://graph.microsoft.com/v1.0/sites/mydomain.sharepoint.com:/Teams/MyTestSite:/drives
Hope this helps.
The beta API also exposes a Sharepoint endpoint.
You can also use the path if you already know your site structure:
GET https://graph.microsoft.com/beta/sharepoint:/sites

Resources