Description
In certain scenarios the command spo list list throws an access denied error:
- App Only authenticated with Sites.Manage.All scope. (It does work correctly with Sites.FullControl.All)
- With a regular user (no SharePoint admin), being a member on a site, using scope AllSites.FullControl or AllSites.Manage.
I already found the probable culprit in the code:
The code calls the REST URL /_api/web/lists?$expand=RootFolder.
If I remove the $expand, the calls come through without access denied errors.
If I add a $select=RootFolder/ServerRelativeUrl,* statement, the calls come through as well.
It apparently tries to expand too much for the permissions of the user/app.
The solution seems to be to add the mentioned $select statement.
Everything is returned including the necessary ServerRelativeUrl.
Steps to reproduce
Try to run m365 spo list list --webUrl someurl with the above situations.
Expected results
A list of lists is shown
Actual results
Access denied is thrown
Diagnostics
No response
CLI for Microsoft 365 version
5.3.0
nodejs version
16.15.0
Operating system (environment)
Windows
Shell
Windows PowerShell
cli doctor
{
  "os": {
    "platform": "win32",
    "version": "Windows 10 Enterprise",
    "release": "10.0.22000"
  },
  "cliVersion": "5.3.0",
  "nodeVersion": "v16.15.0",
  "cliAadAppId": "31359c7f-bd7e-475c-86db-fdb8c937548e",
  "cliAadAppTenant": "common",
  "authMode": "DeviceCode",
  "cliEnvironment": "",
  "cliConfig": {},
  "roles": [],
  "scopes": [
    "AllSites.FullControl",
    "AppCatalog.ReadWrite.All",
    "AuditLog.Read.All",
    "ChannelMember.ReadWrite.All",
    "ChannelMessage.Read.All",
    "ChannelMessage.Send",
    "ChannelSettings.ReadWrite.All",
    "Chat.Read",
    "Chat.ReadWrite",
    "Directory.AccessAsUser.All",
    "Directory.ReadWrite.All",
    "Group.ReadWrite.All",
    "IdentityProvider.ReadWrite.All",
    "Mail.ReadWrite",
    "Mail.Send",
    "Place.Read.All",
    "Policy.Read.All",
    "Reports.Read.All",
    "SecurityEvents.Read.All",
    "ServiceHealth.Read.All",
    "ServiceMessage.Read.All",
    "ServiceMessageViewpoint.Write",
    "Tasks.ReadWrite",
    "Team.Create",
    "TeamMember.ReadWrite.All",
    "TeamsApp.ReadWrite.All",
    "TeamsAppInstallation.ReadWriteForUser",
    "TeamSettings.ReadWrite.All",
    "TeamsTab.ReadWrite.All",
    "TermStore.ReadWrite.All",
    "User.Invite.All",
    "User.ReadWrite.All",
    "profile",
    "openid",
    "email",
    "AllSites.FullControl",
    "AppCatalog.ReadWrite.All",
    "AuditLog.Read.All",
    "ChannelMember.ReadWrite.All",
    "ChannelMessage.Read.All",
    "ChannelMessage.Send",
    "ChannelSettings.ReadWrite.All",
    "Chat.Read",
    "Chat.ReadWrite",
    "Directory.AccessAsUser.All",
    "Directory.ReadWrite.All",
    "Group.ReadWrite.All",
    "IdentityProvider.ReadWrite.All",
    "Mail.ReadWrite",
    "Mail.Send",
    "Place.Read.All",
    "Policy.Read.All",
    "Reports.Read.All",
    "SecurityEvents.Read.All",
    "ServiceHealth.Read.All",
    "ServiceMessage.Read.All",
    "ServiceMessageViewpoint.Write",
    "Tasks.ReadWrite",
    "Team.Create",
    "TeamMember.ReadWrite.All",
    "TeamsApp.ReadWrite.All",
    "TeamsAppInstallation.ReadWriteForUser",
    "TeamSettings.ReadWrite.All",
    "TeamsTab.ReadWrite.All",
    "TermStore.ReadWrite.All",
    "User.Invite.All",
    "User.ReadWrite.All"
  ]
}
Additional Info
No response
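
The query difference reported above, as an added example that is not part of the original issue or of the CLI's own code: a small TypeScript check that flags a `$expand` with no matching `$select=Prop/Field` entry and rewrites the URL to the narrowed form the reporter found to work. All helper names are hypothetical, and it assumes simple property names with no nested parentheses in the query options.

```typescript
// Added example, not CLI for Microsoft 365 code; all helper names are hypothetical.
type Param = [string, string];

// Split a REST URL into its path and decoded query parameters.
function parseQuery(url: string): { path: string; params: Param[] } {
  const q = url.indexOf('?');
  if (q < 0) { return { path: url, params: [] }; }
  const params = url.slice(q + 1).split('&').filter(p => p.length > 0)
    .map((p): Param => {
      const eq = p.indexOf('=');
      return eq < 0 ? [decodeURIComponent(p), '']
        : [decodeURIComponent(p.slice(0, eq)), decodeURIComponent(p.slice(eq + 1))];
    });
  return { path: url.slice(0, q), params };
}

// Trimmed comma-separated values of one OData option, e.g. '$expand'.
function optionValues(params: Param[], name: string): string[] {
  const out: string[] = [];
  for (const [key, value] of params) {
    if (key.toLowerCase() !== name) { continue; }
    for (const item of value.split(',')) {
      if (item.trim().length > 0) { out.push(item.trim()); }
    }
  }
  return out;
}

// Expanded properties that no "$select=Prop/Field" entry narrows.
function findUnboundedExpands(url: string): string[] {
  const { params } = parseQuery(url);
  const selects = optionValues(params, '$select');
  return optionValues(params, '$expand')
    .filter(prop => !selects.some(s => s.indexOf(prop + '/') === 0));
}

// Add "Prop/Field" entries for each unbounded expand; keep '*' when no $select existed.
function narrowExpand(url: string, fields: { [prop: string]: string[] }): string {
  const { path, params } = parseQuery(url);
  const added: string[] = [];
  for (const prop of findUnboundedExpands(url)) {
    for (const field of fields[prop] || []) { added.push(prop + '/' + field); }
  }
  if (added.length === 0) { return url; }
  const existing = optionValues(params, '$select');
  const select = added.concat(existing.length > 0 ? existing : ['*']).join(',');
  const rest = params.filter(p => p[0].toLowerCase() !== '$select').map(p => p[0] + '=' + p[1]);
  return path + '?' + rest.concat('$select=' + select).join('&');
}
```

Run over a code base's request URLs, `findUnboundedExpands` lists the calls that ask the server for a whole related object, which is where a lower-privileged scope is most likely to be refused.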