Reputation: 416
I need to use Graph API to search for a document in a specific SharePoint Online site and folder, by its unique document ID (the SharePoint site has Document ID enabled). I was able to achieve this using the Microsoft Search API in Microsoft Graph (refer to example 1 in this link: https://learn.microsoft.com/en-us/graph/search-concept-files). The implementation invokes the Graph API “POST /search/query” (endpoint - https://graph.microsoft.com/v1.0/search/query), by passing the unique Document ID (DlcDocId) and SharePoint folder path in the query string:
{
  "requests": [
    {
      "entityTypes": [ "driveItem" ],
      "query": {
        "queryString": "DlcDocId:CNTXYZ-2102479657-2359 AND Path:https://mycompany.sharepoint.com/sites/mysite/myfolder/"
      },
      "fields": [ "id" ]
    }
  ]
}
As per the Microsoft documentation for the above Graph API (https://learn.microsoft.com/en-us/graph/api/search-query?view=graph-rest-1.0), the minimum Application Permission needed to invoke the search Graph API is Files.Read.All.
However, our Security team is not willing to grant such tenant-wide read permission to the app, and they want us to use a lower permission like Sites.Selected so that the search can be limited to a specific SharePoint site. Is it possible to achieve the functionality using Sites.Selected permission and without Files.Read.All?
Upvotes: 0
Views: 1041
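An added example, not part of the original post: one way to build the search request body from the question so that a caller-supplied document ID or folder URL cannot inject extra KQL operators and widen the search beyond the intended folder. The function name `build_search_body`, the document ID pattern, the `allowed_host` parameter and the choice to quote the `Path` value are assumptions made for this sketch.

```python
import json
import re
from urllib.parse import urlsplit

# Assumed shape of a Document ID (prefix-number-number), based on the sample in the question.
DOC_ID_RE = re.compile(r"[A-Za-z0-9]{1,12}-\d+-\d+")


def build_search_body(doc_id, folder_url, allowed_host):
    """Return the POST /search/query body for one document ID inside one folder."""
    # Reject anything that is not a plain document ID, e.g. "X-1-1 OR Path:*".
    if not DOC_ID_RE.fullmatch(doc_id):
        raise ValueError("document ID has an unexpected shape")
    # Check the raw string first: urlsplit silently drops tabs and newlines.
    if '"' in folder_url or any(ord(c) < 32 for c in folder_url):
        raise ValueError("folder URL contains a quote or control character")
    parts = urlsplit(folder_url)
    if parts.scheme != "https" or parts.hostname != allowed_host.lower():
        raise ValueError("folder URL is outside the allowed SharePoint host")
    if parts.query or parts.fragment:
        raise ValueError("folder URL must not carry a query string or fragment")
    # Quoting the Path value keeps spaces in folder names inside one KQL term.
    query = f'DlcDocId:{doc_id} AND Path:"{folder_url}"'
    return {
        "requests": [
            {
                "entityTypes": ["driveItem"],
                "query": {"queryString": query},
                "fields": ["id"],
            }
        ]
    }


if __name__ == "__main__":
    # Values taken from the question; the body would be sent to
    # https://graph.microsoft.com/v1.0/search/query with an app token.
    body = build_search_body(
        "CNTXYZ-2102479657-2359",
        "https://mycompany.sharepoint.com/sites/mysite/myfolder/",
        "mycompany.sharepoint.com",
    )
    print(json.dumps(body, indent=2))
```

Input validation of this kind only narrows what the application asks for; what the token is allowed to read is still decided by the permission granted to the app.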
Reputation: 555
The functionality requested at the permission level desired is not possible. If you look at the documentation for Graph REST API endpoints, you will notice a permission table revealing what permissions are necessary to access that specific endpoint.
The beta version you are attempting to use is deprecated and lists warnings. I recommend using the v1.0 API that has a lot more reliability and usability.
The v1.0 endpoint for searching files lists the below permission required:
https://learn.microsoft.com/en-us/graph/api/driveitem-search?view=graph-rest-1.0&tabs=http
Upvotes: 0