I'm trying to find all users that are permitted to access a site in SharePoint Online.
I can do that via the SharePoint REST API using the following request:
https://<tenant>.sharepoint.com/sites/<site>/_api/web/RoleAssignments?$expand=Member/Users,RoleDefinitionBindings
The response contains some hidden technical accounts, users that have been granted permissions explicitly, and the default SharePoint site groups for members and owners. The SharePoint site member group is presented with the following LoginName:
c:0o.c|federateddirectoryclaimprovider|<UUID>
Where <UUID> is the id of an Azure group. I can then resolve its members using the Graph API. However, there is a user missing here that is listed in the SharePoint UI as an owner of the site.
The SharePoint site owner group, however, is presented with the following LoginName:
c:0o.c|federateddirectoryclaimprovider|<UUID>_o
Where <UUID> is the exact same id as before. So I can't resolve its members using the Graph API, as the UUID gives me the member group and the UUID including the suffix is an invalid group identifier.
Furthermore, the SharePoint REST API seems to treat this owner group (as well as the member group) like a user rather than a group, so I couldn't find a way to resolve its members using this API either.
So how can I resolve the actual users that are owners of a site?
Thank you very much!
The solution is described here: https://learn.microsoft.com/en-us/sharepoint/modern-experience-sharing-permissions#team-site-permissions-and-office-365-groups
When you add owners or members to the Microsoft 365 group, they're given access to the SharePoint site along with the other group-connected services. Group owners become site owners, and group members become site members.
Which means you can retrieve the site owners with the following request:
https://graph.microsoft.com/v1.0/groups/<UUID>/owners
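As an added example (not part of the question or the answer), the following Python maps the two LoginName shapes shown above to the matching Graph request: the bare UUID to /members and the UUID with the `_o` suffix to /owners, while leaving explicit users and technical accounts for direct handling. The sample RoleAssignments members and the UUID are constructed; Graph authentication and the HTTP calls themselves are left out.

```python
import re

# Claim formats quoted in the question:
#   c:0o.c|federateddirectoryclaimprovider|<UUID>     -> Microsoft 365 group members
#   c:0o.c|federateddirectoryclaimprovider|<UUID>_o   -> Microsoft 365 group owners
CLAIM_RE = re.compile(
    r"^c:0o\.c\|federateddirectoryclaimprovider\|"
    r"(?P<gid>[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}"
    r"-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})"
    r"(?P<owner>_o)?$"
)

GRAPH = "https://graph.microsoft.com/v1.0"


def resolve_claim(login_name):
    """Return (group_id, graph_url) for a group claim, or None when the
    principal is not a Microsoft 365 group (explicit user, technical account)."""
    m = CLAIM_RE.match(login_name)
    if not m:
        return None
    gid = m.group("gid").lower()           # strip the "_o" so Graph gets a valid id
    relation = "owners" if m.group("owner") else "members"
    return gid, f"{GRAPH}/groups/{gid}/{relation}"


def graph_lookups(members):
    """Split RoleAssignments Member objects into Graph URLs to query and
    LoginNames that must be audited directly (they are already users)."""
    urls, direct = [], []
    for member in members:
        resolved = resolve_claim(member.get("LoginName", ""))
        if resolved is None:
            direct.append(member["LoginName"])
        else:
            urls.append(resolved[1])
    return urls, direct


# Constructed sample shaped like the Member objects described in the question.
GROUP_ID = "11111111-2222-3333-4444-555555555555"   # constructed, not a real group
SAMPLE_MEMBERS = [
    {"LoginName": f"c:0o.c|federateddirectoryclaimprovider|{GROUP_ID}"},
    {"LoginName": f"c:0o.c|federateddirectoryclaimprovider|{GROUP_ID}_o"},
    {"LoginName": "i:0#.f|membership|someone@contoso.example"},  # explicit user (constructed)
    {"LoginName": "SHAREPOINT\\system"},                        # technical account (constructed)
]

if __name__ == "__main__":
    urls, direct = graph_lookups(SAMPLE_MEMBERS)
    for url in urls:
        print("GET", url)
    for name in direct:
        print("audit directly:", name)
```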