Roles claim not present in token error when using graph API to connect to SharePoint using selected sites permission


We have a client registration for our application with permissions to access a specific SharePoint site that were granted using the sites.selected approach described in the following article. Our application was assigned "Write" role for the site.

https://devblogs.microsoft.com/microsoft365dev/controlling-app-access-on-specific-sharepoint-site-collections/

We can retrieve a token for our app registration. However, it does not contain a roles or scp claim, and we get an error informing us of this when we attempt a call to see the lists or drives on the site.

Are we doing something wrong? Does the sites.selected permission not extend to Lists or Drives?

(We are only planning to use the drives call as a once-off operation, so if this is not supported we can probably work around that. Our requirement is to read and write files on the specified sites.)

Here is the request and response where we retrieve the token: [screenshot]

Here is the request to list the drives: [screenshot]

Update: I think the problem is that the permissions were granted for the SharePoint API and not the Graph API.

Sridevi On BEST ANSWER

The error usually occurs if the access token does not have permissions related to Microsoft Graph while calling Graph API requests.

When I tried to list the drives in a site using a token with no Graph API permissions, I too got the same error, like this:

GET https://graph.microsoft.com/v1.0/sites/siteId/drives

Response: [screenshot]

To resolve the error, make sure to grant Microsoft Graph API permissions of the Application type in your app registration: [screenshot]

Now, I generated the access token again using the client credentials flow via Postman:

POST https://login.microsoftonline.com/tenantId/oauth2/v2.0/token
grant_type: client_credentials
client_id: appId
client_secret: secret
scope: https://graph.microsoft.com/.default

Response: [screenshot]

To confirm that, you can decode the access token on the jwt.ms website and check whether the roles claim has valid permissions: [screenshot]

When I used this token to list the drives in the SharePoint site, I got a successful response, like this:

GET https://graph.microsoft.com/v1.0/sites/siteId/drives

Response: [screenshot]
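As an added example (not code from the question or the answer above): the same check jwt.ms performs, done locally. It builds the client credentials request shown in the answer and inspects the decoded token's `aud` and `roles` claims for the `Sites.Selected` application permission. The tokens and ids below are constructed placeholders, and the payload decode does not verify the signature, so this is a diagnostic, not an authorization check.

```python
import base64
import json

# Microsoft Graph can appear in the 'aud' claim either as its URL or as its resource app id
GRAPH_AUDIENCES = ("https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000")

def build_client_credentials_request(tenant_id, client_id, client_secret):
    """Token endpoint URL and form body for the client credentials flow used in the answer."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",  # .default = every consented Graph app permission
    }
    return url, body

def decode_jwt_payload(token):
    """Decode only the payload segment, as jwt.ms does; the signature is NOT verified (diagnostic use)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose_graph_token(token, required_role="Sites.Selected"):
    """List the reasons Graph would reject this token with a missing roles/scp error."""
    claims = decode_jwt_payload(token)
    problems = []
    if claims.get("aud") not in GRAPH_AUDIENCES:
        problems.append(f"audience {claims.get('aud')!r} is not Microsoft Graph")
    roles = claims.get("roles", [])
    if not roles and not claims.get("scp"):
        problems.append("no 'roles' or 'scp' claim: no Graph permissions were consented for this app")
    elif required_role not in roles:
        problems.append(f"'roles' does not contain {required_role!r}: {roles}")
    return problems

def _constructed_jwt(payload):
    """Unsigned, constructed token for offline demonstration only (never accept such tokens for real)."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    header = seg({"alg": "none", "typ": "JWT"})
    return f"{header}.{seg(payload)}.signature"

# Constructed samples: the failing token from the question (Graph audience, no roles) and a fixed one
NO_ROLES_TOKEN = _constructed_jwt({"aud": "https://graph.microsoft.com", "appid": "app-id-placeholder"})
FIXED_TOKEN = _constructed_jwt({"aud": "https://graph.microsoft.com", "roles": ["Sites.Selected"]})
```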