0

I have an app registered in Azure AD with the following approved permissions:

Microsoft Graph: Files.ReadWrite.All, Sites.ReadWrite.All, Sites.Selected, User.Read and SharePoint: Sites.ReadWrite.All, Sites.Selected

Yet a request to load a folder at / fails with 403 Forbidden (the same C# application that uses a different, earlier-registered Azure AD application works fine - I just can't figure out what the differences are, and how to get the second app's permissions to work like the first app's do).

Which permissions do I need to read a folder?

Are there logs that can give me more information?


THX-1138

2 Answers

0

This depends on which authentication flow you use, because you are only granting application permissions, which are only supported in the client credentials flow. So if you're using the client credentials flow, your permissions are sufficient. However, if you are using auth code flow or ROPC flow, you also need to grant Files.ReadWrite.All and Sites.ReadWrite.All delegated permissions.

Carl Zhao
0

It turned out I needed the Sites.Selected permission (which I did have). However, I had to use the PowerShell PnP module to explicitly grant write permission to my app for each site I need to access. From what I have figured out as of today, there is no GUI way to do that configuration (I suspect sites could have been configured when the application's permission request was initially granted, but I am not the one who approved those requests).

THX-1138
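The per-site grant step described in the answer above, as an added example (not the answerer's own script): with Sites.Selected an app has no access to any site until a site collection administrator grants it, so the script checks the existing grants on one site, adds a Write grant if there is none, raises a weaker grant in place, and lists the result. The app ID, display name and site URL are placeholders.

```powershell
# Added example: grant a Sites.Selected app Write access to one site collection
# with PnP.PowerShell (Install-Module PnP.PowerShell) and verify the grant.
# The app ID, display name and site URL below are placeholders, not real values.
# Run as a site collection administrator (or SharePoint administrator) of the site.

$AppId       = '00000000-0000-0000-0000-000000000000'          # placeholder: app (client) ID
$AppName     = 'My Sites.Selected App'                         # placeholder: app display name
$SiteUrl     = 'https://contoso.sharepoint.com/sites/Finance'  # placeholder: target site
$WantedLevel = 'Write'   # Sites.Selected grants are scoped per site: Read, Write or FullControl

# Sign in interactively as someone who can administer the target site collection.
Connect-PnPOnline -Url $SiteUrl -Interactive

# Sites.Selected starts empty: see what this site has already granted to the app.
$existing = Get-PnPAzureADAppSitePermission |
    Where-Object { $_.Apps.Id -contains $AppId }

if (-not $existing) {
    # No grant at all: this is the 403 Forbidden case from the question.
    # Grant only the level the app actually needs (least privilege).
    Grant-PnPAzureADAppSitePermission -AppId $AppId -DisplayName $AppName `
        -Permissions $WantedLevel -Site $SiteUrl
}
elseif ($existing.Roles -notcontains $WantedLevel) {
    # A grant exists (for example Read) but is too weak for writes: raise it in place
    # rather than adding a second, overlapping grant.
    Set-PnPAzureADAppSitePermission -PermissionId $existing.Id -Permissions $WantedLevel
}

# Verify: an entry for the app carrying the Write role should now be listed.
# Review this list periodically; each entry is a standing grant to that app on this site.
Get-PnPAzureADAppSitePermission |
    Where-Object { $_.Apps.Id -contains $AppId } |
    Select-Object Id, Roles, @{ n = 'App'; e = { $_.Apps.DisplayName } }
```

Repeat the script once per site collection the app must reach; a grant on one site does not carry over to others, which is the point of Sites.Selected.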