403 Error from Microsoft Graph - Search for sites API

[shashankpandey2]

Target SharePoint environment

SharePoint Online

What SharePoint development model, framework, SDK or API is this about?

💥 SharePoint Framework

Describe the bug / error

The following Microsoft Graph endpoint, retrieves the App Catalog site data:

https://graph.microsoft.com/v1.0/sites?search={AppCatalog}
This request is now consistently failing with the following error:

Status: 403
StatusText: Forbidden

Steps to reproduce

1. https://learn.microsoft.com/en-us/graph/api/site-search?view=graph-rest-1.0&tabs=http

Refer the link - to hit the endpoint - https://graph.microsoft.com/v1.0/sites?search={AppCatalog}, getting the 403 error

Expected behavior

HTTP/1.1 200 OK
Content-type: application/json

{
"value": [
{
"id": "contoso.sharepoint.com,da60e844-ba1d-49bc-b4d4-d5e36bae9019,712a596e-90a1-49e3-9b48-bfa80bee8740",
"name": "Team A Site",
"description": "",
"createdDateTime": "2016-10-18T03:05:59Z",
"lastModifiedDateTime": "2016-10-18T10:40:59Z",
"webUrl": "https://contoso.sharepoint.com/sites/siteA"
},
{
"id": "contoso.sharepoint.com,da60e844-ba1d-49bc-b4d4-d5e36bae9019,0271110f-634f-4300-a841-3a8a2e851851",
"name": "Team B Site",
"description": "",
"createdDateTime": "2016-10-18T03:05:59Z",
"lastModifiedDateTime": "2016-10-18T10:40:59Z",
"webUrl": "https://contoso.sharepoint.com/sites/siteB"
}
]
}

[Ashlesha-MSFT]

Hello @shashankpandey2,
Thank you for bringing this issue to our attention. We will look into it and get back to you shortly.

[Ashlesha-MSFT]

@shashankpandey2,
Could you please confirm if the necessary Microsoft Graph API permissions have been granted by you?

For this endpoint to work, the app typically needs one of the following Application permissions:

• Sites.Read.All
• Sites.ReadWrite.All
• Sites.FullControl.All

[shashankpandey2]

Hi @Ashlesha-MSFT
We were previously using the Sites.Manage.All application-level permission, which was functioning correctly for the following Microsoft Graph API endpoint:

https://graph.microsoft.com/v1.0/sites?search={AppCatalog}

This setup consistently returned a successful 200 OK response with the expected site metadata, such as:

{ "createdDateTime": "2018-07-02T21:17:31Z", "id": "testing.sharepoint.com,da60e844-ba1d-49bc-b4d4-d5e36bae9019,712a596e-90a1-49e3-9b48-bfa80bee8740", "name": "App Catalog", "webUrl": "https://testing.sharepoint.com/sites/AppCatalog", "displayName": "App Catalog", "isPersonalSite": false, "siteCollection": { "hostname": "testing.sharepoint.com" }, "root": {} }

But now this request is consistently failing with the following error:

Status: 403 StatusText: Forbidden

Please let me know if you need any further details or clarification regarding this.

[Ashlesha-MSFT]

Hi @shashankpandey2
Have you checked with
Application-level permission | Sites.Read.All | Sites.ReadWrite.All

As mentioned in document?

[shashankpandey2]

Hi @Ashlesha-MSFT
We currently have live customers using our Culture Cloud application (https://appsource.microsoft.com/en-us/product/office/WA200007925?tab=Overview) for this permission (Sites.Manage.All) in our Production environment. Modifying it would require all clients to reinstall the application, which could potentially disrupt their operations. Therefore, updating the permission is not a viable option at this time.

[Ashlesha-MSFT]

@shashankpandey2,
Thanks for the update,
Since this Graph API endpoint previously worked with Sites.Manage.All and now returns a 403 despite no changes on our side, we suspect a backend change.
We have logged this as a bug, and our engineering team will look into it.
Thank you for your patience!