# API Permissions (Registered Application)
Reference for the Azure AD (Entra ID) app registration permissions required by the provisioning service when using app-only authentication. Required permissions depend on which features are enabled — grant only the permissions needed for the features in use.
All permissions below are Application permissions (not Delegated) and require admin consent.
# Document libraries
- Microsoft Graph:
Sites.Selected - SharePoint (certificate authentication):
Sites.Selected
# Site collections (standard CSOM creation)
- Microsoft Graph:
Sites.FullControl.All,TermStore.ReadWrite.All - SharePoint (certificate authentication):
Sites.FullControl.All,TermStore.ReadWrite.All
# Site collections via Graph (UseGraphSiteCreation)
Used when UseGraphSiteCreation is enabled on a SiteCollectionCfg, to reduce the permission footprint versus the standard CSOM path above — no tenant-wide Sites.FullControl.All is required.
- Microsoft Graph:
Sites.Create.All,Sites.Selected,TermStore.ReadWrite.All
Sites.Create.All alone is not sufficient: it only allows creating the site collection. Sites.Selected is also required for the provisioning service to make further changes to the site after creation. When a site is created via Graph, the app is automatically granted access to that site under Sites.Selected, so no manual per-site grant is needed for sites created this way.
For SharePoint REST/CSOM operations or site-level permission grants on a specific site (rather than through Graph), the SharePoint-side resource-specific permission (RSP) equivalent is site.selected.
# Office 365 Groups
- Microsoft Graph:
Group.ReadWrite.All,Sites.FullControl.All,TermStore.ReadWrite.All,User.Read.All - SharePoint (certificate authentication):
Sites.FullControl.All,TermStore.ReadWrite.All
# Teams
Same as Office 365 Groups, plus:
- Microsoft Graph:
Team.Create
Additional Team permissions might be needed depending on the Teams features used.
- SharePoint (certificate authentication):
Sites.FullControl.All,TermStore.ReadWrite.All
# Granting permissions in Azure
In the app registration's API permissions page:
- Click + Add a permission.
- Click Microsoft Graph.
- Click Application permissions.
- Search for the required permission, select its checkbox, then click Add permissions. Repeat for each permission needed.
- Click Grant admin consent for <tenant> after adding the permissions.
# Related
- Authentication — configuring app-only authentication with the registered application's client ID and secret/certificate
- Site Collection Configuration —
UseGraphSiteCreationsetting