Azure App User with sites.selected permission is not able to access the SharePoint sites

Vijay Sutaria 0 Reputation points
2025-12-10T16:50:00.79+00:00

Hello there,

I want to access SharePoint sites using my Azure Function App (C#). For this I have followed the steps below:

  1. Created an App User with the permission sites.selected. (Admin consent was granted by the administrator.)
  2. My admin has then allowed one SharePoint site with Read access.
  3. I developed an Azure function and implemented the logic to connect to SharePoint and get the files from the assigned site.
  4. It kept giving me an error, so I was not successful.

To test the same mechanism I tried to use Postman as below:

  1. https://login.microsoftonline.com/<TenantId>/oauth2/v2.0/token with client_id, client_secret, grant_type = client_credentials and scope = https://graph.microsoft.com/.default
  2. I was able to generate the token successfully.
  3. Then next I sent GET request to https://graph.microsoft.com/v1.0/sites/<MySharePointTenantName>.sharepoint.com:/sites/<SiteName>
  4. But I am still unsuccessful and am getting the below error with status code (401):

         {
           "error": {
             "code": "generalException",
             "message": "General exception while processing",
             "innerError": {
               "date": "2025-12-10T15:01:17",
               "request-id": "54f2b8d9-3a52-49f4-90f1-70ad12cc33f8",
               "client-request-id": "54f2b8d9-3a52-49f4-90f1-70ad12cc33f8"
             }
           }
         }

Please help me identify the issue so I can proceed, or please correct me if I have followed any wrong steps or missed anything.

Thanks in advance,

Vijay

Azure Functions
An Azure service that provides an event-driven serverless compute platform.

1 answer

  1. Pravallika KV 3,565 Reputation points Microsoft External Staff Moderator
    2025-12-10T22:49:36.4766667+00:00

    Hi @Vijay Sutaria ,

    Thanks for reaching out to Microsoft Q&A.

    You have to enable identity and assign sites.selected API permission to the function app's managed identity.

    Enable identity in Function app -> Add sites.selected API permission to the function app's identity -> Grant permission to site using https://dori-uw-1.kuma-moon.com/en-us/graph/api/site-post-permissions?view=graph-rest-1.0&tabs=http… -> generate token for managed identity -> using token call SharePoint.

    Use the below script to fetch the objectID:

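    # Sign in with permission to read service principals
    Connect-MgGraph -Scopes "Application.Read.All"

    # Function App's managed identity Client ID
    $clientId = "ManagedIdentityClientID"

    # Look up the service principal that backs the managed identity
    $mi = Get-MgServicePrincipal -Filter "appId eq '$clientId'"

    # The service principal's Id is the object ID used for the role assignment
    $miObjectId = $mi.Id
    $miObjectId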

    • To assign sites.selected permission to the managed identity:

    # Connect with required permissions
    Connect-MgGraph -Scopes "Application.Read.All","RoleManagement.ReadWrite.Directory","AppRoleAssignment.ReadWrite.All"

    # Managed Identity Object ID
    $miObjectId = "ManagedIdentityObjectID"

    # Microsoft Graph Service Principal
    # Don't change the value of appId
    $graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

    # App Role ID you want to assign
    $appRoleId = "883ea226-0bf2-4a8f-9f9d-92c9162a727d" # Don't change this value

    # Assign app role (the backtick must be the last character on each continued line)
    New-MgServicePrincipalAppRoleAssignment `
        -ServicePrincipalId $miObjectId `
        -PrincipalId $miObjectId `
        -ResourceId $graphSp.Id `
        -AppRoleId $appRoleId

    Hope it helps!


    Please do not forget to click "Accept the answer" and Yes, this can be beneficial to other community members.


    If you have any other questions, let me know in the "comments" and I would be happy to help you.

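The answer names the per-site grant (the site permissions API) as a step but does not show it as code. The following is an added example, not part of the original answer, of how an administrator could make that grant with the Microsoft Graph PowerShell SDK and avoid creating a duplicate. The host name, site name, display name and client ID are placeholder assumptions.

```powershell
# Added example, not from the original answer. All values below are placeholders.
Connect-MgGraph -Scopes "Sites.FullControl.All"   # needed to manage site permissions

$hostName = "contoso.sharepoint.com"    # placeholder: <MySharePointTenantName>.sharepoint.com
$siteName = "ProjectDocs"               # placeholder: <SiteName>
$clientId = "ManagedIdentityClientID"   # client ID of the app or managed identity
$appName  = "my-function-app"           # placeholder display name stored with the grant
$role     = "read"                      # least privilege; use "write" only if required

# Resolve the site ID from its path (same URL form as the GET request in the question).
# ${hostName} is braced so PowerShell does not parse "hostName:" as a drive qualifier.
$site = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri "https://graph.microsoft.com/v1.0/sites/${hostName}:/sites/$siteName"

$permUri = "https://graph.microsoft.com/v1.0/sites/$($site.id)/permissions"

# Skip the POST when this client ID already holds a grant on the site
$existing = (Invoke-MgGraphRequest -Method GET -OutputType PSObject -Uri $permUri).value |
    Where-Object { $_.grantedToIdentities.application.id -contains $clientId }

if ($existing) {
    Write-Output "Existing grant(s) for ${clientId}: $($existing.id -join ', ')"
}
else {
    $body = @{
        roles               = @($role)
        grantedToIdentities = @(
            @{ application = @{ id = $clientId; displayName = $appName } }
        )
    } | ConvertTo-Json -Depth 5

    $grant = Invoke-MgGraphRequest -Method POST -OutputType PSObject `
        -Uri $permUri -Body $body -ContentType "application/json"
    Write-Output "Granted '$($grant.roles -join ',')' on $($site.webUrl), permission ID $($grant.id)"
}
```

With Sites.Selected, the app role assignment alone gives access to no site; each site the identity should reach needs its own grant like this one.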
