How to Access SharePoint REST API Using Azure AD App (Client ID & Secret) with Sites.FullControl Permission?

Question

How to Access SharePoint REST API Using Azure AD App (Client ID & Secret) with Sites.FullControl Permission?

Aravind 0

I’m trying to use the SharePoint REST API (_api) to retrieve site permissions, site groups, and identify site owners for SharePoint sites that are not group-connected.

I’ve registered an Azure AD app and granted SharePoint API permissions with Sites.FullControl.All. I’m using the app’s client ID and client secret to acquire an access token, but when I call the REST API, I get the error:

Unsupported app only token.

I cannot use Microsoft Graph because it doesn’t provide an endpoint for this scenario. My goal is to integrate with ServiceNow to fetch site owners for non-group-connected sites.

Questions:

Is it possible to use SharePoint REST API with an app-only token for this purpose?
If yes, what is the correct approach or configuration to make this work?
If not, what alternatives exist for retrieving site owners for non-group-connected sites?

Endpoints we tried / plan to use:

/_api/web/sitegroups → Lists all site groups.
/_api/web/roleassignments → Shows role assignments for groups and users.
/_api/web/roleassignments?$expand=Member,RoleDefinitionBindings → To get detailed permissions.

Goal:

Identify site owners for non-group-connected sites.
Integrate this data with ServiceNow.

Any guidance or examples would be greatly appreciated.

2 answers

Your answer

Answer 1

Yes, it is possible to use the SharePoint REST API with an app-only token for your purpose, but there are specific configurations and permissions that must be in place to avoid the "Unsupported app only token" error.

Steps to Access SharePoint REST API Using Azure AD App:

Ensure Correct Permissions: Make sure that your Azure AD app has been granted the Sites.FullControl.All permission. This permission allows the app to have full control over all site collections without a signed-in user.
Grant Admin Consent: After assigning the permissions, ensure that admin consent is granted for the permissions. This is crucial for app-only access.

Acquire Access Token: Use the client ID and client secret to acquire an access token. Make sure you are requesting the token for the SharePoint resource. The token request should look something like this:

   POST https://accounts.accesscontrol.windows.net/{tenant_id}/tokens/OAuth/2
   Content-Type: application/x-www-form-urlencoded
   
   grant_type=client_credentials
   &client_id={client_id}
   &client_secret={client_secret}
   &resource=https://{your_tenant}.sharepoint.com/

Call the SharePoint REST API: Once you have the access token, include it in the Authorization header when making requests to the SharePoint REST API. For example:
```
   GET https://{your_tenant}.sharepoint.com/_api/web/sitegroups
   Authorization: Bearer {access_token}
```

Common Endpoints to Use:

/_api/web/sitegroups to list all site groups.
/_api/web/roleassignments to show role assignments for groups and users.
/_api/web/roleassignments?$expand=Member,RoleDefinitionBindings to get detailed permissions.

Troubleshooting Tips:

If you still encounter the "Unsupported app only token" error, double-check that the permissions are correctly set and that admin consent has been granted.
Ensure that the app is not trying to access resources that require user context, as app-only tokens cannot impersonate users.

Alternatives:

If the above approach does not work, consider using Microsoft Graph API for other scenarios, but since you mentioned it does not cover your specific needs, you may need to rely on SharePoint REST API and ensure all permissions are correctly configured.

References:

Aravind 0 Reputation points

2025-11-24T13:13:52.67+00:00

AI generated solution is not working. any alternative solution approach please

Answer 2

Jayden-P 12,230 Microsoft External Staff Moderator

Hi @Aravindmunna

Thank you for posting your question in the Microsoft Q&A forum.

Based on my research, yes, you can call SharePoint Online REST (_api) with an app‑only token and read site groups/role assignments to identify owners for non‑group‑connected sites.

Double check if you have this property disabled, make sure it is set to false.

Connect-SPOService -Url https://<tenant>-admin.sharepoint.com 
Set-SPOTenant -DisableCustomAppAuthentication $false

I have done some further research; here is what I found.

You can try using SharePoint PowerShell with -GroupIdDefined. If the property returns true, it is connected to a M365 group.

Get-SPOSite (Microsoft.Online.SharePoint.PowerShell) | Microsoft Learn

I hope this information helps.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Aravind 0 Reputation points

2025-11-24T17:26:15.5066667+00:00

@Jayden-P Thank you for the reply.

Set-SPOTenant -DisableCustomAppAuthentication $false command is not working for new tenants.

Tried other options to use the token for access "_api/sitegroups" providing the client id and client secret with below api permissions still getting Unsupported app only token.
Jayden-P 12,230 Reputation points Microsoft External Staff Moderator

2025-11-25T07:17:35.5333333+00:00

Hi @Aravindmunna

Since your tenant is created after November 1st, 2024, you can no longer turn on this.

With out ACS, your app won't be able to make a call.

Another approach for this is to create an application which has Sites.FullControl.All permission for Graph API, then you get an App Only AccessToken with this Application’s identity, and you can make above call with Authorization Header, the value is “Bearer {tokenvalue}”.

Make sure you have chosen SharePoint Sites.Selected Application permission, you can use SharePoint Rest API or CSOM to access the site.

Note: For SharePoint APIs, you cannot use just client secret to do the authentication, you have to setup certificate to gain Access Token.

Please read here for more details: Develop Applications that use Sites.Selected permissions for SPO sites. | Microsoft Community Hub
Jayden-P 12,230 Reputation points Microsoft External Staff Moderator

2025-11-26T14:12:16.8366667+00:00

Hi @Aravind

Have you checked the provided answer?

Is there anything you need help with?
Aravind 0 Reputation points

2025-11-27T11:37:06.7466667+00:00

@Jayden-P Thanks for the follow up. I need to check the approach suggested. will keep you posted on the update. Thanks.
Jayden-P 12,230 Reputation points Microsoft External Staff Moderator

2025-11-27T11:39:03.8566667+00:00

Hi @Aravind

Please take your time.

If you need anything else, please feel free to ask me.
Jack-Bu 5,405 Reputation points Microsoft External Staff Moderator

2025-12-05T11:38:52.6566667+00:00

Hello Aravind

It’s been a while since we last heard from you. Just checking in to see if you had a chance to try the steps suggested by Jayden. We hope they resolved your concern.

If you need further assistance or clarification, feel free to reach out anytime.

If this discussion was helpful, you could consider mark the thread as accepted by clicking “Accept the answer.” Doing so helps others with similar issues and strengthens our community.

Share via

How to Access SharePoint REST API Using Azure AD App (Client ID & Secret) with Sites.FullControl Permission?

Endpoints we tried / plan to use:

Goal:

2 answers

Steps to Access SharePoint REST API Using Azure AD App:

Common Endpoints to Use:

Troubleshooting Tips:

Alternatives:

Your answer