Request for Assistance with Least Privileged Permissions for SharePoint Migration and Group Management APIs (Production Impact) #10088

Open
1 of 9 tasks
piyush-oleria opened this issue Jan 22, 2025 · 3 comments

Comments

@piyush-oleria

What type of issue is this?

Documentation issue / typo

What SharePoint development model, framework, SDK or API is this about?

SharePoint REST API

Target SharePoint environment

SharePoint Online

What browser(s) / client(s) have you tested

  • 💥 Internet Explorer
  • 💥 Microsoft Edge
  • 💥 Google Chrome
  • 💥 FireFox
  • 💥 Safari
  • mobile (iOS/iPadOS)
  • mobile (Android)
  • not applicable
  • other (enter in the "Additional environment details" area below)

Additional environment details

  • browser version
  • SPFx version
  • Node.js version
  • etc

Issue description

We are currently facing a production failure due to insufficient or incorrect permissions when calling the following SharePoint APIs:

  1. Provisioning container and queue (Migration API)
    Documentation: https://learn.microsoft.com/en-us/sharepoint/dev/apis/migration-azure
    This includes creating Azure Storage containers and queues for SharePoint migration.

  2. CreateSPAsyncReadJob and CreateSPAsyncReadJobWithMultiUrl (Export/AMR API)
    Documentation: https://learn.microsoft.com/en-us/sharepoint/dev/apis/export-amr-api
    These endpoints initiate asynchronous read jobs for exporting content metadata from SharePoint.

  3. Get users for custom groups within a SharePoint site
    Endpoint example:
    https://{siteHostName}/.default/siteBaseUrl/_api/web/SiteGroups/GetById(id={sharepointGroupId})?$expand=Users&$select=Id,Users
    This fetches user membership within a particular SharePoint group.

We have already tried granting Sites.ManageAll permissions to our application; however, this does not appear to enable all the required operations. We are seeking guidance on the least privileged permissions (scope or role) needed for our Azure AD application to successfully call these APIs without over-provisioning unnecessary privileges.

Because this issue is causing a production outage, we would appreciate an expedited response and any recommended alternative methods for accomplishing these tasks if the documented permissions are not sufficient.

Please also suggest if there are more suitable or documented methods to perform these actions of getting content metadata in bulk.

@gretchunkim
Contributor

Have you opened a ticket with Microsoft through the Microsoft 365 admin center? I suggest opening a ticket with the highest priority or impact to ensure a quick response from them.

@piyush-oleria
Author

Yes, I did. They said they do not have this information. They gave me this link to create a request here.

This was the exact response for the exact same ticket created via Microsoft 365 admin center:

Hi,
 
Here is a link where the support that you need from regarding Least Privileged Permissions for SharePoint Migration and Group Management APIs (Production Impact). [Support and Feedback | Microsoft Learn](https://learn.microsoft.com/en-us/sharepoint/dev/support-feedback)

@gretchunkim
Contributor

There are over 900 open issues in the repository. Unfortunately, it will be like finding a needle in a haystack to get you the needed resolution for your question. I'm assuming that there is no dev tenant for you to even just test it out...
