# API Permissions (Registered Application)

Reference for the Azure AD (Entra ID) app registration permissions required by the provisioning service when using app-only authentication. Required permissions depend on which features are enabled — grant only the permissions needed for the features in use.

All permissions below are Application permissions (not Delegated) and require admin consent.

# Document libraries

  • Microsoft Graph: Sites.Selected
  • SharePoint (certificate authentication): Sites.Selected

# Site collections (standard CSOM creation)

  • Microsoft Graph: Sites.FullControl.All, TermStore.ReadWrite.All
  • SharePoint (certificate authentication): Sites.FullControl.All, TermStore.ReadWrite.All

# Site collections via Graph (UseGraphSiteCreation)

Used when UseGraphSiteCreation is enabled on a SiteCollectionCfg, to reduce the permission footprint versus the standard CSOM path above — no tenant-wide Sites.FullControl.All is required.

  • Microsoft Graph: Sites.Create.All, Sites.Selected, TermStore.ReadWrite.All

Sites.Create.All alone is not sufficient: it only allows creating the site collection. Sites.Selected is also required for the provisioning service to make further changes to the site after creation. When a site is created via Graph, the app is automatically granted access to that site under Sites.Selected, so no manual per-site grant is needed for sites created this way.

For SharePoint REST/CSOM operations or site-level permission grants on a specific site (rather than through Graph), the SharePoint-side resource-specific permission (RSP) equivalent is site.selected.

# Office 365 Groups

  • Microsoft Graph: Group.ReadWrite.All, Sites.FullControl.All, TermStore.ReadWrite.All, User.Read.All
  • SharePoint (certificate authentication): Sites.FullControl.All, TermStore.ReadWrite.All

# Teams

Same as Office 365 Groups, plus:

  • Microsoft Graph: Team.Create

Additional Team permissions might be needed depending on the Teams features used.

  • SharePoint (certificate authentication): Sites.FullControl.All, TermStore.ReadWrite.All

# Granting permissions in Azure

In the app registration's API permissions page:

  1. Click + Add a permission.
  2. Click Microsoft Graph.
  3. Click Application permissions.
  4. Search for the required permission, select its checkbox, then click Add permissions. Repeat for each permission needed.
  5. Click Grant admin consent for <tenant> after adding the permissions.
Last Updated: 7/7/2026, 1:48:24 PM