HTTP request to SharePoint - Users, Groups and Permissions

  • Before you get started
  • Groups
  • Getting groups
  • Select while getting groups
  • Filter while getting groups
  • Reading the members of a group
  • Creating a new group
  • Adding users or groups to a SPO group
  • Removing users or groups from a SPO group
  • Permissions
  • Reading current permissions on an item (or list)
  • Breaking permission inheritance
  • Resetting Permissions on an item or file
  • Granting access to an item or file
  • Removing access to an item or file
  • Ensure user
  • Role definitions
  • Getting a user's effective permissions in a list
  • Get associated default site groups
  • Changelog
TL;DR - Managing users and groups in SharePoint Online can be complicated. It's always good to have other options than using the interface. By connecting directly to the SharePoint REST API, you can use Power Automate to manage users, groups and permissions.

Before you get started

  • Responses directly from the REST API look different from the built-in connector responses. You will need to parse the responses from that action either by parsing manually or with a “Parse JSON” action. Take your time to understand the response schema.
  • //object outputs (where the action only returns one thing)
    body('YOURACTION')?['d']
    //array outputs (where the action returns a list of results)
    body('YOURACTION')?['d']?['results']
  • Read more about the REST API
    • https://learn.microsoft.com/en-us/previous-versions/office/developer/sharepoint-rest-reference/dn531432(v=office.15)

Groups

Getting groups

This will really only show you the SPO groups of the specified site collection. The request (all groups, or one group by name) and a simplified output are listed at the end of this post.

Select while getting groups

You might only want certain information about your groups to make working with the output easier. In this case I am getting only the Title and the Id of each group.

Method: GET
Uri: _api/web/sitegroups?$select=Title,Id
Headers:
{
 "Accept": "application/json; odata=verbose",
 "Content-Type": "application/json; odata=verbose"
}

Filter while getting groups

These queries filter groups by their Title: the first returns the group whose Title is exactly “MY SPO GROUP”, the second returns all groups whose Title starts with “ONB_”.

Method: GET
Uri: 
//filtering based on the groups title
_api/web/sitegroups?$filter=Title eq 'MY SPO GROUP'
//with startswith()
_api/web/sitegroups?$filter=startswith(Title,'ONB_')
Headers:
{
 "Accept": "application/json; odata=verbose",
 "Content-Type": "application/json; odata=verbose"
}

Reading the members of a group

You will need the Id of the group, which you get either from the queries above, by navigating to the group in SharePoint and copying the MembershipGroupId, or by using getByName to query by the group's name.

Method: GET
Uri:
//return all group members with the groups id
_api/web/sitegroups(ID)/users
//return all group members with the groups name
_api/web/SiteGroups/getByName('MY SPO GROUP')/users
//LoginName represents a specific schema for a user or group
_api/web/sitegroups(ID)/users?$select=LoginName,Email,Id

Creating a new group

Method: POST
Uri: _api/web/sitegroups
Headers:
{
 "Accept": "application/json; odata=verbose",
 "Content-Type": "application/json; odata=verbose"
}
Body:
{
 "__metadata": {
  "type": "SP.Group"
 },
 "Title": "FlowGroup",
 "Description": "Group created from flow"
}

Adding users or groups to a SPO group

Notice the special format for users: the only part that changes is the e-mail address at the end of the LoginName. The prefix “i:0#.f|membership|” stays the same.

Notice the special format for groups. For Entra security groups use “c:0t.c|tenant|”, for Microsoft 365 groups (Teams) “c:0o.c|federateddirectoryclaimprovider|”.

Method: POST
Uri: _api/web/sitegroups(ID)/users
Headers:
{
 "Accept": "application/json; odata=verbose",
 "Content-Type": "application/json; odata=verbose"
}
Body:
{
   "__metadata": {
   "type":"SP.User"
   },
"LoginName":"i:0#.f|membership|Email@example.com"
}
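As an added example (not the post's own code), a small Python helper that builds the claims-encoded LoginName for each principal type described above and the matching POST for sitegroups(ID)/users; the same LoginName values are what the ensureUser endpoint further down accepts. Function names, the sample group id and the sample addresses are my own assumptions, and the request is only constructed, not sent.

```python
import json
import uuid

# Claim prefixes as described in the post (SharePoint Online claims encoding).
USER_PREFIX = "i:0#.f|membership|"
SECURITY_GROUP_PREFIX = "c:0t.c|tenant|"
M365_GROUP_PREFIX = "c:0o.c|federateddirectoryclaimprovider|"


def login_name(kind: str, value: str) -> str:
    """Build the LoginName expected by sitegroups(ID)/users and ensureUser.

    kind: "user" (value = e-mail), "securitygroup" or "m365group" (value = Entra group GUID).
    """
    value = value.strip()
    if kind == "user":
        # Refuse values that are clearly not an e-mail, e.g. a GUID or an already-encoded claim.
        if "@" not in value or "|" in value:
            raise ValueError(f"not an e-mail address: {value!r}")
        return USER_PREFIX + value
    # Both group kinds carry the group's object id; uuid.UUID rejects anything that is not a GUID.
    guid = str(uuid.UUID(value))
    if kind == "securitygroup":
        return SECURITY_GROUP_PREFIX + guid
    if kind == "m365group":
        return M365_GROUP_PREFIX + guid
    raise ValueError(f"unknown principal kind: {kind!r}")


def add_member_request(group_id: int, kind: str, value: str) -> dict:
    """Return method, relative URI, headers and JSON body for adding a principal to a SPO group."""
    body = {"__metadata": {"type": "SP.User"}, "LoginName": login_name(kind, value)}
    return {
        "method": "POST",
        "uri": f"_api/web/sitegroups({int(group_id)})/users",
        "headers": {"Accept": "application/json; odata=verbose",
                    "Content-Type": "application/json; odata=verbose"},
        "body": json.dumps(body),
    }


def classify_login_name(name: str) -> str:
    """Inverse direction: tell which kind of principal a LoginName returned by the API refers to."""
    for kind, prefix in (("user", USER_PREFIX), ("securitygroup", SECURITY_GROUP_PREFIX),
                         ("m365group", M365_GROUP_PREFIX)):
        if name.startswith(prefix):
            return kind
    return "other"


if __name__ == "__main__":
    req = add_member_request(5, "user", "Email@example.com")  # constructed sample values
    print(req["method"], req["uri"], req["body"])
```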

Removing users or groups from a SPO group

Method: POST
Uri:
//remove a member by their user Id (2 is an example)
_api/web/sitegroups(ID)/users/getbyId(2)
//remove a member by e-mail
_api/web/sitegroups(ID)/users/getbyEmail('Email of Person Group')
Headers:
{
  "Accept": "application/json; odata=verbose",
  "Content-Type": "application/json; odata=verbose",
  "IF-MATCH": "*",
  "X-HTTP-Method": "DELETE"
}

Permissions

Permissions in SharePoint are usually inherited from the parent object. You can set permissions at multiple levels:

  1. Site Collection
  2. List or Library
  3. Item / File
  4. List Advanced Settings (to allow users to create items and only read and edit the ones they created)

Reading current permissions on an item (or list)

Method: POST
//LIST
Uri: _api/web/lists('LIST GUID')/roleassignments?$expand=Member,RoleDefinitionBindings
//ITEM
Uri: _api/web/lists('LIST GUID')/items(ID)/roleassignments
Headers:
{
 "Accept": "application/json; odata=verbose",
 "Content-Type": "application/json; odata=verbose"
}
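An added example, not from the post, that reads the expanded roleassignments response (the body(...)?['d']?['results'] path) and lists who holds which role on the list or item, then flags users who were granted a write-capable role directly rather than through a group. The sample JSON is constructed to match the odata=verbose shape; the PrincipalType numbers are SharePoint's standard values; function names are mine.

```python
import json

# PrincipalType values from the SP.Principal schema (well-known SharePoint enum).
PRINCIPAL_TYPES = {1: "User", 2: "DistributionList", 4: "SecurityGroup", 8: "SharePointGroup"}

# Constructed sample of what $expand=Member,RoleDefinitionBindings returns (odata=verbose, trimmed).
SAMPLE_RESPONSE = json.dumps({"d": {"results": [
    {"PrincipalId": 3,
     "Member": {"Id": 3, "Title": "Project Owners", "LoginName": "Project Owners", "PrincipalType": 8},
     "RoleDefinitionBindings": {"results": [{"Id": 1073741829, "Name": "Full Control"}]}},
    {"PrincipalId": 12,
     "Member": {"Id": 12, "Title": "Jane Doe", "LoginName": "i:0#.f|membership|jane@example.com",
                "PrincipalType": 1},
     "RoleDefinitionBindings": {"results": [{"Id": 1073741830, "Name": "Edit"},
                                            {"Id": 1073741825, "Name": "Limited Access"}]}},
]}})


def parse_role_assignments(raw: str) -> list:
    """Flatten the verbose response into one record per principal with its role names."""
    results = json.loads(raw).get("d", {}).get("results", [])
    records = []
    for ra in results:
        member = ra.get("Member", {})
        # RoleDefinitionBindings is a collection, so it is nested under "results" again.
        roles = [b["Name"] for b in ra.get("RoleDefinitionBindings", {}).get("results", [])]
        records.append({
            "principal_id": ra.get("PrincipalId", member.get("Id")),
            "title": member.get("Title"),
            "login": member.get("LoginName"),
            "type": PRINCIPAL_TYPES.get(member.get("PrincipalType"), "Unknown"),
            "roles": roles,
        })
    return records


def find_direct_users(records: list, roles=("Full Control", "Design", "Edit", "Contribute")) -> list:
    """Users (not groups) holding a write-capable role directly: a common review finding on unique-permission items."""
    return [r for r in records if r["type"] == "User" and any(role in roles for role in r["roles"])]


if __name__ == "__main__":
    for rec in parse_role_assignments(SAMPLE_RESPONSE):
        print(rec["type"], rec["title"], rec["roles"])
    print("direct users:", [r["login"] for r in find_direct_users(parse_role_assignments(SAMPLE_RESPONSE))])
```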

Breaking permission inheritance

Usually you do not want to break inheritance on only certain items or files in a list. There is a limit on how many unique permissions you can have per list in SharePoint; last I checked, it was 50.000 items or files. While this is a pretty high number, you should always avoid breaking permission inheritance as it adds complexity.

Method: POST
Uri: _api/web/lists('LIST GUID')/items(ID)/breakroleinheritance(copyRoleAssignments=false,clearSubscopes=true)
Headers:
{
 "Accept": "application/json; odata=verbose",
 "Content-Type": "application/json; odata=verbose"
}

copyRoleAssignments: Keeps the assigned permission groups and people after breaking inheritance. If set to false, the item or file will have no permissions at all (except owners and site collection administrators), so you need to grant access again afterwards.

clearSubscopes: This will clear any sub-object permissions as well. For files and items this does not do much. Keep it there anyway.

Resetting Permissions on an item or file

After breaking permissions you might want to go back to the inherited permissions. The item or file will then inherit the permissions of the parent container (folder, library or list).

Method: POST
Uri: _api/web/lists('LIST GUID')/items(ID)/ResetRoleInheritance()
Headers:
{
 "Accept": "application/json; odata=verbose",
 "Content-Type": "application/json; odata=verbose"
}

Granting access to an item or file

The principalid is a unique Id per site collection for a user or group. You can find it in the users and groups interface in SharePoint, or by reading the sitegroups or their members as mentioned above.

The roledefid describes the level of permissions given to that group or user for that item or file. You can find the roledefid in the user and group interface under permission levels, or use the most common ones:

Role Definition Name: Role Definition Id
Full Control: 1073741829
Design: 1073741828
Edit: 1073741830
Contribute: 1073741827
Read: 1073741826
Limited Access: 1073741825
View Only: 1073741924
No Download: 1073741832

If you use custom permission levels, they will also have an id which you can find in the users and groups interface.

Method: POST
Uri: _api/web/lists('LIST GUID')/items(ID)/roleassignments/addroleassignment(principalid=USER or GROUPID,roledefid=Id)
Headers:
{
 "Accept": "application/json; odata=verbose",
 "Content-Type": "application/json; odata=verbose"
}

Removing access to an item or file

Method: POST
Uri: _api/web/lists('LIST GUID')/items(ID)/roleassignments/removeroleassignment(principalid=USER or GROUPID)
Headers:
{
 "Accept": "application/json; odata=verbose",
 "Content-Type": "application/json; odata=verbose"
}

Ensure user

If you are working with the REST API, you will notice that you sometimes need the ID of a user or group object to assign permissions. You can use the ensureuser endpoint to make the user or group available to your site collection and in return get an ID.

For users pass the e-mail address; for groups pass either the group display name or the claims-encoded group id (for security groups: c:0t.c|tenant|GROUPID, for Office 365 groups: c:0o.c|federateddirectoryclaimprovider|GROUP-ID).

Method: POST
Uri: _api/web/ensureUser('user@domain.de')
Headers:
{
 "Accept": "application/json; odata=verbose",
 "Content-Type": "application/json; odata=verbose"
}

Output:
body('Send_an_HTTP_request_to_SharePoint')?['d/Id']
body('Send_an_HTTP_request_to_SharePoint')?['d/LoginName']

Role definitions

Method: GET
Uri:
//filter role definitions by name
_api/web/roledefinitions?$filter=startswith(Name,'ONB')
//get one role definition by its Id
_api/web/roledefinitions(@{item()?['Id']})

The request for creating a custom role definition is listed at the end of this post.

Getting a user's effective permissions in a list

The effectivepermissions endpoint returns the permission mask as two parts, High and Low. With the result formula (listed at the end of this post) you check for the add permission bit in the Low part of the API result.

Get associated default site groups

Owners, Members and Visitors

Method: GET
Uri: _api/web?$expand=AssociatedOwnerGroup,AssociatedMemberGroup,AssociatedVisitorGroup
Headers:
{
 "Accept": "application/json; odata=verbose",
 "Content-Type": "application/json; odata=verbose"
}

Changelog

19.07.2025: Added Get associated default site groups
18.07.2025: Removed “Getting files or item that have unique permissions” as it was no longer possible. Added removing role assignments from items and files.
Getting groups: request and output

Method: GET
Uri:
//This gets all groups
_api/web/sitegroups
//This gets one group based on its title
_api/web/SiteGroups/getByName('MY SPO GROUP')
Headers:
{
 "Accept": "application/json; odata=verbose",
 "Content-Type": "application/json; odata=verbose"
}

Output:
//for getByName (single object); for all groups the results are under ?['d']?['results']
body('Send_an_HTTP_request_to_SharePoint')?['d/Id']
body('Send_an_HTTP_request_to_SharePoint')?['d/Title']

Role definitions: creating a custom role definition

Method: POST
Uri: _api/web/roledefinitions
Headers:
{
 "Accept": "application/json; odata=verbose",
 "Content-Type": "application/json; odata=verbose"
}
Body:
{
 '__metadata': { 'type': 'SP.RoleDefinition' },
 'BasePermissions': { '__metadata': { 'type': 'SP.BasePermissions' }, 'High': '@{item()?['Settings']?['High']}', 'Low': '@{item()?['Settings']?['Low']}' },
 'Description': '@{item()?['Name']}',
 'Name': '@{item()?['Name']}',
 'Order': 180
}

Getting a user's effective permissions in a list: request and result formula

Method: GET
Uri: _api/web/lists('LIST GUID')/GetUserEffectivePermissions(@v)?@v=%27i:0%23.f|membership|EmailToCheck%27
Headers:
{
 "Accept": "application/json; odata=verbose",
 "Content-Type": "application/json; odata=verbose"
}

The user's LoginName is passed through the @v alias; the quotes are URL-encoded as %27 and the # in i:0#.f as %23.

Result usage: if(equals(mod(div(int(body('Send_an_HTTP_request_to_SharePoint_-_get_effective_permissions')?['d/GetUserEffectivePermissions/Low']),2),2),1), true, false)

This formula returns true if the user has the add right and false if they do not.
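The same bit test as the formula above, as an added Python example that is not part of the post: it reads High and Low from a constructed odata=verbose response, checks the add bit the way the formula does (integer division by the bit value, then mod 2), and expands the Low part into permission names using a subset of the well-known SP.BasePermissions bit values. The sample High/Low numbers are constructed and the function names are mine.

```python
import json

# Low-part bits of SP.BasePermissions (well-known SPBasePermissions values; only a subset is listed).
LOW_BITS = {
    0x1: "ViewListItems", 0x2: "AddListItems", 0x4: "EditListItems", 0x8: "DeleteListItems",
    0x10: "ApproveItems", 0x20: "OpenItems", 0x40: "ViewVersions", 0x80: "DeleteVersions",
    0x800: "ManageLists", 0x2000000: "ManagePermissions", 0x40000000: "ManageWeb",
}
ADD_LIST_ITEMS = 0x2  # the "add" bit the Power Automate formula tests with div(...,2) mod 2

# Constructed sample of what GetUserEffectivePermissions returns in odata=verbose mode.
# High and Low arrive as strings, which is why the formula wraps them in int().
SAMPLE_RESPONSE = json.dumps({"d": {"GetUserEffectivePermissions": {
    "__metadata": {"type": "SP.BasePermissions"}, "High": "432", "Low": "1011028719"}}})


def effective_permissions(raw: str) -> tuple:
    """Read (High, Low) out of the verbose response, i.e. the d/GetUserEffectivePermissions path."""
    perms = json.loads(raw)["d"]["GetUserEffectivePermissions"]
    return int(perms["High"]), int(perms["Low"])


def has_bit(low: int, bit: int) -> bool:
    """Same test as the formula, generalised to any single bit: (low div bit) mod 2 == 1."""
    if bit <= 0 or bit & (bit - 1):
        raise ValueError("bit must be a single power of two")
    return (low // bit) % 2 == 1


def can_add_items(raw: str) -> bool:
    """True when the user may add items to the list (the check the post's formula performs)."""
    _, low = effective_permissions(raw)
    return has_bit(low, ADD_LIST_ITEMS)


def named_low_permissions(low: int) -> list:
    """Expand the Low part into permission names; handy when reviewing why a user can (or cannot) act."""
    return [name for bit, name in sorted(LOW_BITS.items()) if low & bit]


if __name__ == "__main__":
    high, low = effective_permissions(SAMPLE_RESPONSE)
    print("can add items:", can_add_items(SAMPLE_RESPONSE))
    print("low permissions:", named_low_permissions(low))
```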