SharePoint API permissions troubleshooting
This document will take you through the steps for fixing any problems you may encounter when activating the SharePoint API permissions required by DocRead.
You must be a Global Administrator in Microsoft Entra ID to complete these steps.
Introduction
When you approve API permissions on the SharePoint API Access page in the SharePoint admin center, you are granting them to the SharePoint Online Client Extensibility Web Application Principal in Microsoft Entra ID.
Unfortunately, there are several widely reported issues with the Microsoft API Access page where, under some circumstances, the page fails to update the principal permissions. This document will take you through the steps of updating the permissions directly on the SharePoint Online Client Extensibility Web Application Principal in Microsoft Entra ID.
Once you have completed the steps, you will be able to confirm that the permissions have been successfully applied by checking that they are displaying as approved on the API Access page.
Check existing permissions
- Go to the “App Registrations” page in “Microsoft Entra ID”.
- Under “All Applications” type “SharePoint” in the search box.
- Select the SharePoint Online Client Extensibility Web Application Principal.
- Select “API permissions” on the left.
- Check if the following three permissions are listed and are showing as granted:
  - DocReadApi/access_as_user
  - Microsoft Graph/User.Read.All
  - Microsoft Graph/Group.Read.All
  You may have other permissions listed that will not need to be changed.
- If all the permissions are correctly displayed as granted, then there is nothing to fix. If some of the permissions are missing or not showing as granted, then use the sections below to correct the problem.
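The check above can also be made against Microsoft Graph data rather than the portal. The following Python is an added example, not DocRead's or Microsoft's code: it evaluates the principal's `oauth2PermissionGrants` records and assumes that only a grant with `consentType` `AllPrincipals` counts as granted for the tenant. All IDs and the sample grants, including the extra `Sites.Read.All` scope, are constructed.

```python
import json

# Required delegated permissions named on this page: (resource API, scope).
REQUIRED = [
    ("DocReadApi", "access_as_user"),
    ("Microsoft Graph", "User.Read.All"),
    ("Microsoft Graph", "Group.Read.All"),
]

# Constructed sample data (all IDs are made up). GRANTS mimics the "value" array of
# GET /oauth2PermissionGrants?$filter=clientId eq '<principal object id>'.
RESOURCES = {"res-graph": "Microsoft Graph", "res-docread": "DocReadApi"}
GRANTS = json.loads("""
[
  {"clientId": "spo-ext", "consentType": "AllPrincipals", "principalId": null,
   "resourceId": "res-graph", "scope": " User.Read.All Sites.Read.All"},
  {"clientId": "spo-ext", "consentType": "Principal", "principalId": "user-1",
   "resourceId": "res-graph", "scope": "Group.Read.All"}
]
""")


def granted_scopes(grants, resources):
    """Return {(resource name, scope)} covered by tenant-wide admin consent."""
    found = set()
    for g in grants:
        # Only consentType "AllPrincipals" is admin consent for the whole tenant;
        # a "Principal" grant covers a single user and is skipped here.
        if g.get("consentType") != "AllPrincipals":
            continue
        name = resources.get(g["resourceId"], g["resourceId"])
        # "scope" is a space-separated list and may carry a leading space.
        found.update((name, s) for s in g.get("scope", "").split())
    return found


def audit(grants, resources, required=REQUIRED):
    """Split the principal's grants into missing required and extra scopes."""
    have = granted_scopes(grants, resources)
    missing = [r for r in required if r not in have]
    extra = sorted(have - set(required))
    return missing, extra


if __name__ == "__main__":
    missing, extra = audit(GRANTS, RESOURCES)
    for api, scope in missing:
        print(f"NOT GRANTED: {api}/{scope}")
    for api, scope in extra:
        print(f"other tenant-wide grant (review): {api}/{scope}")
```

With the constructed data, the per-user `Group.Read.All` grant is reported as not granted, which is the case the “Grant consent” button resolves.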
Add missing permissions
This section will guide you on how to add the missing permissions. Please choose the section that is relevant to your situation:
- Add missing DocReadApi/access_as_user permission
- Add missing Microsoft Graph/User.Read.All permission
- Add missing Microsoft Graph/Group.Read.All permission
- Grant admin consent for not-granted permissions
Add missing DocReadApi/access_as_user permission
- Click on the “Add a permission” option.
- Select “APIs my organization uses”.
- In the filter box type “docread”.
- Select “DocReadApi”.
- Select the “access_as_user” permission and click “Add permissions”.
- On the permissions list page, click “Grant consent for xxxxx” (where xxxxx is your tenant’s name).
- The permission should now be shown as granted.
Add missing Microsoft Graph/User.Read.All permission
- Click on the “Add a permission” option.
- Under Microsoft APIs select “Microsoft Graph”.
- Select “Delegated permissions”.
- In the search box type “user.read.all”. Under the permissions list select “User.Read.All” and click the “Add Permissions” button.
- On the permissions list page, click “Grant consent for xxxxx” (where xxxxx is your tenant’s name).
- The permission should now be shown as granted.
Add missing Microsoft Graph/Group.Read.All permission
- Click on the “Add a permission” option.
- Under Microsoft APIs select “Microsoft Graph”.
- Select “Delegated permissions”.
- In the search box type “group.read.all”. Under the permissions list select “Group.Read.All” and click the “Add Permissions” button.
- On the permissions list page, click “Grant consent for xxxxx” (where xxxxx is your tenant’s name).
- The permission should now be shown as granted.
Grant admin consent for not-granted permissions
If any (or all) of the required permissions listed in the “Check existing permissions” section are showing as not granted, then click the “Grant consent for xxxxx” button (where xxxxx is your tenant’s name).