What permissions are required to call /_api/hubsites and get results? - sharepoint

We are trying to use the SharePoint REST API to retrieve the list of hubs a user has access to. When I, as a SharePoint admin call the api (https://[tenant].sharepoint.com/_api/hubsites) I get the list of hubs correctly. However when anyone else calls the api they get a empty response. They have contribute rights to the SharePoint home site as well as the Hub and all connected sites.
Thanks

Based on Microsoft Documentation , this RESTful service should be "callable" by any user with read permission to the site.
Gets information about all hub sites that the current user can access.
Are you sure those users do have access to Hub sites? Can you share the empty responses you gerfrom those users calls?

Related

How to obtain ACLs for different sharepoint sites

Using the graph API or sharepoint REST APIs, is there a way to obtain, for each site, the list of users/o365 groups that are allowed read access to the site?
We are able to obtain the list of sites using the graph API GET /sites?search=* but cannot find a way to get the list of users allowed to access each site (except for Sharepoint team sites associates with o365 groups that we can enumerate using GET /groups/{group-id}/sites API call.
We are building a server side application so need to do this from the server using application-level permissions, and not from the client.
Pointers for how to do this are greatly appreciated!
Looks like there is no such endpoint that gets the site permissions and there are few uservoices here that are close to your scenario. Please upvote them so that it could be developed by the product team in future.

Getting azure ad users list for specific application with graph api

In the azure graph I have a list of users, some of which can be assigned to enterprise applications(my registered app). How can we get users of a specific application using the graph api(with Postman)?
with this api i get list of all users without depending on application application
https://graph.microsoft.com/v1.0/users
also tried find some information about applications from users license by id, but still no success
POST /users/{id | userPrincipalName}/assignLicense
and from application information
GET /applications/{id}
i have a full stack of permissions for graph api for users, directories, application both for the delegated user and for the application so this is definitely not the problem.
I hope for your help, thanks!
You can use this api below to list all users or groups assigned to an app:
https://graph.microsoft.com/beta/servicePrincipals/{id}/appRoleAssignedTo
For more information about this api, please refer to this tutorial.

Secure CRUD SharePoint rest apis

Is it possible to secure SharePoint rest APIs?
I have a SharePoint portal that allows users to create accounts an get access to the portal.
The portal uses SharePoint client object model, if any of the users try to access let's say getuserbyid method or retrieving items for lists and changes the ID value, he will be able to retrieve information for other users on the portal.
So it is possible or is their any way to restrict access to the rest APIs outside the portal itself? Because with manipulation using Fiddler or burp suite the request can be replayed with different information or values.
The operations performed by the Client Side Object Model respect the SharePoint site permissions in the SharePoint site you are interacting with. You need to set/customize the site permissions such that you get the results that you want.

Can't use application permissions (roles) to access Microsoft Graph API group calendar

My goal is to list the calendar events of an Office 365 group using the Microsoft Graph API.
The endpoint used is https://graph.microsoft.com/v1.0/groups/{id}/events based on the documentation. Using the Graph Explorer, I'm able to get the information with my delegated permissions. The problem is when I make the same call using application permissions. I'm positive JWT token contains the required roles to make the call (Group.Read.All, Group.ReadWrite.All) but I'm getting the following error:
Access is denied. Check credentials and try again
Curiously enough, I'm able to get the group /v1.0/groups/{id} but whatever is related to it's calendar and events isn't accessible.
Using application permissions to look at group resources/contents is not currently supported. Please see known issues here: https://developer.microsoft.com/en-us/graph/docs/concepts/known_issues#groups-and-microsoft-teams.
If this is required for your scenarios, please vote for
https://officespdev.uservoice.com/forums/224641-feature-requests-and-feedback/suggestions/18747862-app-authentication-to-retrieve-conversation-messag or
https://officespdev.uservoice.com/forums/224641-feature-requests-and-feedback/suggestions/16851937-allow-application-only-consent-to-read-conversation
Both of which are about app-only access to group conversations (similar to group events).
Otherwise please create a new user voice request.

OneDrive REST API and Sharepoint Online

I have the app that uses OneDrive API (MS graph) to access OneDrive free accounts and OneDrive for business.
The app works fine.
In docs of the API i can see same API can be used also to access Sharepoint Online sites data.
How to do this? When i auth a user who has Sharepoint Online account with MS graph, there is only his drive (ondrive) but there is no his site listed.
How to get access to his sharepoint site too using same API?
I have found how to work with sites using the Graph API.
To get list of sites there is the call
GET /v1.0/sites/
Then use the SITEID to get list of drives (in fact, top level folders)
GET /v1.0/sites/SITEID/drives
Then to get contents of a drive user
GET /v1.0/sites/SITEID/drives/DRIVEID/root/children
And all next calls are same as for onedrive drive
However, there is the problem i still can not solve. How to create new top level folder (new drive on a site). There is no API call for this
I believe what you are looking for is the sites API. It lets you interact with a SharePoint site if you know the path or the id of the site. You can find the documentation for the api here:
https://dev.onedrive.com/resources/site.htm
There is no easy way to discover sites as of now. You can however search for a site. You can read more about it here:
https://dev.onedrive.com/sites/search.htm
This endpoint to get the list of sites is not working, so the last answer is not valid anymore.
https://graph.microsoft.com/v1.0/sites
I haven't found a way to do this, the discovery of sites, without admin consent. If the admin consent flow is not a problem you can try this workaround, use the endpoint of groups to ask for the groups that the user is member of, and you can use the groups to get the document libraries of the user.
To get the groups:
GET https://graph.microsoft.com/v1.0/me/memberOf
With the group id, you can use this endpoint:
GET https://graph.microsoft.com/v1.0/groups/{group-id}/drive
So if someone know how to do the discovery of sites for a user without admin consent, please share.
EDIT: I'm not sure why my answer was deleted, my answer basically has 2 things:
I gave notice that one answer here is not valid anymore.
I gave a possible other solution to the problem.

Resources