Get-MgSite and Get-MgSubSite need to return the Permissions property #600

Closed
kathyblasco opened this issue Mar 30, 2021 · 12 comments · Fixed by #1324

Comments

@kathyblasco

kathyblasco commented Mar 30, 2021

Permissions is a property in both Get-MgSite and Get-MgSubSite but no data is returned for Permissions. Tried both commands using '-ExpandProperty' and '-Property' and there is still no data in the Permissions property. I also need Permissions returned for Libraries, Files, and Folders.

See: https://docs.microsoft.com/en-us/answers/questions/336355/has-anyone-been-able-to-retrieve-site-permissions.html

Maybe what is needed is to develop the Graph Permissions module as described by: https://docs.microsoft.com/en-us/graph/api/site-list-permissions?view=graph-rest-1.0&tabs=http

Are there any plans to provide SharePoint permissions at any level in upcoming versions?
AB#8791

@ghost ghost added the ToTriage label Mar 30, 2021
@ddyett ddyett added Bug - P2 and removed ToTriage labels Mar 31, 2021
@peombwa
Member

peombwa commented Mar 31, 2021

Thanks for opening this bug.

I can indeed confirm that the SDK is missing the Get-MgSitePermission command that should call /sites/{sitesId}/permissions. We need to update our modules mapping to cover this. This should be available in upcoming versions.

@peombwa
Member

peombwa commented Mar 31, 2021

For driveItems, we will need to wait for drives/driveItem/{driveItem-id}/permissions to be added to the OpenAPI document that this SDK is generated from. This can be tracked here: microsoftgraph/microsoft-graph-devx-api#509.

@kathyblasco
Author

kathyblasco commented Apr 1, 2021 via email

@peombwa
Member

peombwa commented Apr 1, 2021

@kathyblasco, as a workaround, you could use Invoke-MgGraphRequest to list site and driveItem permissions like this:

# Authenticate as usual.
Connect-MgGraph

# Get site permissions
Invoke-MgGraphRequest -Uri "v1.0/sites/$SiteId/permissions"

# Get driveItem permissions
Invoke-MgGraphRequest -Uri "v1.0/drives/$DriveId/items/$DriveItemId/permissions"

Invoke-MgGraphRequest is a command that we recently added to the SDK for making arbitrary requests to Graph.

@kathyblasco
Author

kathyblasco commented Apr 1, 2021 via email

@lbenkensteinGP

lbenkensteinGP commented Jun 24, 2022

I updated Microsoft.Graph to 1.10.0 but the permissions output is still empty after running Get-MgSite -Property Permissions -SiteId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx or Get-MgSitePermission -SiteId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.

PS C:\Windows\system32> Get-Module

ModuleType Version Name
Script 1.10.0 Microsoft.Graph.Authentication
Script 1.10.0 Microsoft.Graph.Sites

@peombwa
Member

peombwa commented Jun 27, 2022

The command works as expected in v1.10.0:
image

Please note that the API only supports application permissions. See https://docs.microsoft.com/en-us/graph/api/site-list-permissions?view=graph-rest-1.0&tabs=http#permissions.

See https://docs.microsoft.com/en-us/powershell/microsoftgraph/app-only?toc=%2Fgraph%2Ftoc.json&view=graph-powershell-1.0&viewFallbackFrom=graph-rest-1.0&tabs=azure-portal for how to use app-only authentication with the PowerShell SDK.

@teephysicist

Hello, I am running into the same issue even after updating to v1.10.0.
I have connected using app-only authentication with the Sites.Fullcontrol.All permission:
Get-MGcontext
The Microsoft.Graph.Sites module has version 1.10.0:
Get-module MGgraph
Running get-mgsite -siteid root, the permissions are still empty:
Get-MGsite
Running get-mgsitepermission -siteid root permissions are also empty:
Get-MgsitePermission

@lbenkensteinGP

Am I doing something wrong?

I tested again, here are all the steps I did:

  1. Created a new SharePoint site, site id: "2fb9..."

  2. Created a new App Registration: "app-CD..."

  3. In "app-CD..." API Permissions I added Application permission for SharePoint "sites.selected".
    image

  4. Successfully granted write permissions for "app-CD..." service principal in the SharePoint site id "2fb9..."
    image

  5. Connected to Microsoft Graph with scope Sites.FullControl.All and checked module version.
    image

  6. Ran Get-Mgsite and Get-MgSitePermission for the SharePoint site id "2fb9..." and it does not show that the "app-CD..." has write permissions on the site.
    image
    image

@Asaurdiff-Tillamook

I am not sure why this issue was closed. This is still not resolved. Generally, we don't need permissions to the Root site. We need permissions to the sites we have created. The Owner/Member/Visitor groups of each individual site. I understand if the sub library or broken inheritance is taken away, but these top-level permissions should be seen.
I am currently on Module Version 1.9.3 and this is still not showing up, whether I look under Get-MGSite or Get-MGSitePermissions. If this was resolved please tell me how this can be addressed. Currently:
Get-mgsite -All | Where {$_.WebUrl -eq } | Get-MgSitePermission -siteId $_.Id

Nor taking the Site ID as a variable or direct. The permissions still don't appear.

@Skaldhor

Skaldhor commented Aug 2, 2022

@peombwa Please reopen this issue.
Just like @teephysicist I'm receiving the same output.
App-only auth with Sites.Fullcontrol.All permission is used, site can be found, Get-MgSitePermission returns nothing, also no error.
Invoke-MgGraphRequest -Uri "v1.0/sites/$SiteId/permissions" also returns an empty value.

@tberta

tberta commented Oct 10, 2023

The simplest and clearest method I've found to show the existing permissions is by using the ToJsonString() method:
$Perm = Get-MgSitePermission -SiteId $siteId
$Perm.ToJsonString()
Roles (read or write) are missing here. To get them, query with the PermissionId. I only have permission for 1 application. I suppose you need to adjust the $Perm index if several are defined:
(Get-MgSitePermission -SiteId $siteId -PermissionId $perm.Id).ToJsonString()

{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#sites($SiteId)/permissions/$entity",
  "id": "aTowaS.....MxNzcw",
  "grantedToIdentities": [
    {
      "application": {
        "displayName": "MyAppName",
        "id": "abcd123-dead-beaf-dead-abcd123"
      }
    }
  ],
  "grantedToIdentitiesV2": [
    {
      "application": {
        "displayName": "MyAppName",
        "id": "abcd123-dead-beaf-dead-abcd123"
      }
    }
  ],
  "roles": [ "read" ]
}
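
The two-step lookup described in the comment above (list the site's permissions, then fetch each one by PermissionId to see its roles) can be wrapped into a small audit report. This is an added example, not code from the thread or from the SDK project; the function name Get-SiteAppGrant and the '<site-id>' placeholder are hypothetical, and it assumes an app-only Connect-MgGraph session is already established.

```powershell
# Added example: report which applications hold grants on a site, with roles.
# Assumes an app-only session already exists (Connect-MgGraph) and that the
# Microsoft.Graph.Sites module is loaded. Get-SiteAppGrant is a hypothetical name.
function Get-SiteAppGrant {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string] $SiteId
    )

    # The list call returns each grant's id and identities; as reported in the
    # thread, roles only appear when a permission is fetched by its id.
    $grants = @(Get-MgSitePermission -SiteId $SiteId -All)
    if ($grants.Count -eq 0) {
        Write-Warning "No permission objects returned for site $SiteId."
        return
    }

    foreach ($grant in $grants) {
        $detail = Get-MgSitePermission -SiteId $SiteId -PermissionId $grant.Id

        # One grant can name several identities; emit one row per application.
        foreach ($identity in $detail.GrantedToIdentities) {
            [pscustomobject]@{
                SiteId       = $SiteId
                PermissionId = $detail.Id
                AppName      = $identity.Application.DisplayName
                AppId        = $identity.Application.Id
                Roles        = ($detail.Roles -join ',')
            }
        }
    }
}

# Hypothetical placeholder; substitute the id of the site being reviewed.
$SiteId = '<site-id>'
Get-SiteAppGrant -SiteId $SiteId | Sort-Object AppName | Format-Table -AutoSize
```

Piping the result through Where-Object { $_.Roles -ne 'read' } narrows the report to grants that allow more than read access.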
