Skip to content

3. SharePoint Access Roles

Zoran Ruzic edited this page Jan 21, 2026 · 2 revisions

SharePoint Access Roles with Sites.Selected

When using the Sites.Selected permission in Microsoft Graph API for SharePoint Online, access is granted on a per-site basis, and each site grants the application one of the following access roles:


Available SharePoint Access Roles

Role Description Permissions
Read Read-only access to all content within the site Can view lists, libraries, files, and site content, but cannot modify anything
Write Create, update, and delete content within the site Can add, edit, and delete items in lists and libraries
Manage Manage lists, libraries, and permissions within the site Can create and delete lists, manage permissions, and perform advanced site actions

How These Roles Affect Graph API Requests

  • If your app has Read permission on a site, Graph API calls that modify content (e.g., creating or updating files) will fail with a 403 Forbidden error.
  • Write permissions allow content modifications but not permission changes.
  • Manage and Owner roles allow for advanced management actions, including permission changes.

How to Assign Roles to Your Application

You can assign these roles to your application on a site by:

  • Calling the Microsoft Graph API (requires elevated permissions)
  • Using PowerShell cmdlets for SharePoint Online (e.g., Set-PnPAzureADAppSitePermission)

Important Notes

  • Roles apply per site; your app may have different roles on different sites.
  • Permissions granted through these roles are independent of app consent scopes — the app must be explicitly assigned.
  • Changes to roles may take a short time to propagate.