Robin Larsson

Reputation: 31

Permissions from Graph API seem to be empty

Another Microsoft Graph API question; this time I'm curious about the result.

Why does this return a 200 with nothing in the value object?


What I've tried:

  1. Add different permissions in the Modify permissions tab
  2. Test different accounts and other SharePoint environments (I am global admin on those accounts and it's not a personal account but a work account)
  3. I've tested before with the query params such as select, filter and expand. So I've tried things like ?expand=all, expand=items and expand=children and a few more.
  4. Use name or id in the sites/{site name or site id}

Usually I've solved all of my problems by repeating step 1 or 3, but now it seems to give me nothing. Since it's part of the docs, I'm curious what I'm missing here: https://learn.microsoft.com/en-us/graph/api/site-list-permissions?view=graph-rest-1.0&tabs=http

What could be the missing piece here? :)

Edit: I've tried to solve this issue in a C# MVC 5 app with the following code, but it still returns the exact same result:

        // Requires: using Microsoft.Identity.Client; using System.Net.Http; using System.Net.Http.Headers;
        IConfidentialClientApplication app = MsalAppBuilder.BuildConfidentialClientApplication();
        var account = await app.GetAccountAsync(ClaimsPrincipal.Current.GetAccountId());
        string[] scopes = { "Sites.FullControl.All" };
        AuthenticationResult result = null;
        HttpClient client = new HttpClient();
        HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, "https://graph.microsoft.com/v1.0/sites/{site_id_or_name}/permissions");
        try
        {
            // Get access token for the signed-in user's account before sending the request
            result = await app.AcquireTokenSilent(scopes, account).ExecuteAsync().ConfigureAwait(false);
            if (result != null)
            {
                request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
                // Request to get the site permissions
                HttpResponseMessage response = await client.SendAsync(request);

                if (response.IsSuccessStatusCode)
                {
                    // Await the body instead of blocking on .Result
                    ViewBag.Permissions = await response.Content.ReadAsStringAsync();
                }
            }
        }
        catch (Exception ex)
        {
            // Something went wrong
        }


Any idea what is wrong here?

The GitHub project I'm using: https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect. Just add a client ID and secret from your app reg and you can copy my method above :)

Upvotes: 0

Views: 1495

Answers (1)

Carl Zhao

Reputation: 9549

The reason is very simple: it does not support delegated permissions, so don't try to have a user log in to Graph Explorer for testing, because it uses delegated permissions by default.


You need to grant Sites.FullControl.All application permissions to the application in the Azure portal, and then use the client credential flow to obtain an access token. Then you can use Postman to call that API.


Upvotes: 1
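
The fix described in the answer above, sketched in C# with MSAL.NET as an added example (not code from the question, the answer, or the linked Azure sample). The class name, method name and the `GRAPH_*` environment variable names are assumptions, and it assumes Sites.FullControl.All has already been granted to the app registration as an application permission with admin consent.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Hypothetical helper: calls the site permissions endpoint with an app-only token.
public static class SitePermissionsAppOnly
{
    private static readonly HttpClient Http = new HttpClient();

    public static async Task<string> GetSitePermissionsAsync(string siteId)
    {
        // Assumed configuration source; the variable names are placeholders.
        string tenantId = Environment.GetEnvironmentVariable("GRAPH_TENANT_ID");
        string clientId = Environment.GetEnvironmentVariable("GRAPH_CLIENT_ID");
        string clientSecret = Environment.GetEnvironmentVariable("GRAPH_CLIENT_SECRET");

        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
            .Create(clientId)
            .WithClientSecret(clientSecret)
            .WithAuthority($"https://login.microsoftonline.com/{tenantId}")
            .Build();

        // Client credential flow: no user account is involved. ".default" asks for
        // the application permissions already granted to the app registration,
        // unlike AcquireTokenSilent(scopes, account), which yields a delegated token.
        AuthenticationResult token = await app
            .AcquireTokenForClient(new[] { "https://graph.microsoft.com/.default" })
            .ExecuteAsync()
            .ConfigureAwait(false);

        var request = new HttpRequestMessage(HttpMethod.Get,
            $"https://graph.microsoft.com/v1.0/sites/{siteId}/permissions");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.AccessToken);

        HttpResponseMessage response = await Http.SendAsync(request).ConfigureAwait(false);
        string body = await response.Content.ReadAsStringAsync().ConfigureAwait(false);
        if (!response.IsSuccessStatusCode)
        {
            // Surface the Graph error body instead of swallowing it.
            throw new HttpRequestException($"Graph returned {(int)response.StatusCode}: {body}");
        }
        return body;
    }
}
```

A quick way to confirm which kind of token was sent is to decode its payload: application permissions appear in the `roles` claim, while delegated permissions appear in `scp`.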
