-
Notifications
You must be signed in to change notification settings - Fork 0
3. SharePoint Access Roles
Zoran Ruzic edited this page Jan 21, 2026
·
2 revisions
When using the Sites.Selected permission in Microsoft Graph API for SharePoint Online, access is granted on a per-site basis, and each site grants the application one of the following access roles:
| Role | Description | Permissions |
|---|---|---|
| Read | Read-only access to all content within the site | Can view lists, libraries, files, and site content, but cannot modify anything |
| Write | Create, update, and delete content within the site | Can add, edit, and delete items in lists and libraries |
| Manage | Manage lists, libraries, and permissions within the site | Can create and delete lists, manage permissions, and perform advanced site actions |
- If your app has Read permission on a site, Graph API calls that modify content (e.g., creating or updating files) will fail with a 403 Forbidden error.
- Write permissions allow content modifications but not permission changes.
- Manage and Owner roles allow for advanced management actions, including permission changes.
You can assign these roles to your application on a site by:
- Calling the Microsoft Graph API (requires elevated permissions)
- Using PowerShell cmdlets for SharePoint Online (e.g.,
Set-PnPAzureADAppSitePermission)
- Roles apply per site; your app may have different roles on different sites.
- Permissions granted through these roles are independent of app consent scopes — the app must be explicitly assigned.
- Changes to roles may take a short time to propagate.