- Before you get started
- Groups
- Getting groups
- Select while getting groups
- Filter while getting groups
- Reading the members of a group
- Creating a new group
- Adding users or groups to a SPO group
- Removing users or groups from a SPO group
- Permissions
- Reading current permissions on an item
- Getting files or items that have unique permissions
- Breaking permission inheritance
- Resetting Permissions on an item or file
- Granting access to an item or file
- Ensure user
- Role definitions
Before you get started
- Responses directly from the REST API look different from the built-in connector responses. You will need to parse the responses from that action, either manually or with a “Parse JSON” action. Take your time to understand the response schema.
- Read more about the REST API
//object outputs (where the action only returns one thing)
body('YOURACTION')?['d']
//array outputs (where the action returns a list of results)
body('YOURACTION')?['d']?['results']
Groups
Getting groups
This will really only show you the SPO Groups of the specified site collection.
Method: GET
//This gets all groups
Uri: _api/web/sitegroups
//This gets one group based on its title
Uri: _api/web/SiteGroups/getByName('MY SPO GROUP')
Headers:
{
"Accept": "application/json; odata=verbose",
"Content-Type": "application/json; odata=verbose"
}
Select while getting groups
You might only want certain information for your groups to make working with the output easier. In this case I am getting the Title and the Id of the group.
Method: GET
Uri: _api/web/sitegroups?$select=Title,Id
Headers:
{
"Accept": "application/json; odata=verbose",
"Content-Type": "application/json; odata=verbose"
}
Filter while getting groups
This query will filter all groups with the Title of “MY SPO GROUP”.
Method: GET
Uri:
//filtering based on the groups title
_api/web/sitegroups?$filter=Title eq 'MY SPO GROUP'
//with startswith()
_api/web/sitegroups?$filter=startswith(Title,'ONB_')
Headers:
{
"Accept": "application/json; odata=verbose",
"Content-Type": "application/json; odata=verbose"
}
Reading the members of a group
You will need the Id of the group. You can get it with the queries above, by navigating to the group in SharePoint and copying the MembershipGroupId, or you can use getByName to query by the group's name instead.
Method: GET
Uri:
//return all group members with the groups id
_api/web/sitegroups(ID)/users
//return all group members with the groups name
_api/web/SiteGroups/getByName('MY SPO GROUP')/users
//LoginName represents a specific schema for a user or group
_api/web/sitegroups(ID)/users?$select=LoginName,Email,Id
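The $filter and getByName URIs above put a group title inside a single-quoted OData string literal, so a title taken from dynamic content that contains a quote or an `&` changes the query. The following is an added example, not from the original page: it builds those URIs with embedded quotes doubled and the value percent-encoded. The function names are illustrative.

```python
from urllib.parse import quote


def odata_string(value):
    """Return value as an OData string literal: embedded single quotes are
    doubled, then the whole value is wrapped in single quotes."""
    if any(ord(ch) < 0x20 for ch in value):
        raise ValueError("control characters are not allowed in a group title")
    return "'" + value.replace("'", "''") + "'"


def _encode(expr):
    # Percent-encode everything that could end the parameter or path segment
    # (&, #, %, /, space) while keeping the OData syntax characters readable.
    return quote(expr, safe="'(),")


def group_filter_uri(title):
    """URI for: _api/web/sitegroups?$filter=Title eq '<title>'"""
    return "_api/web/sitegroups?$filter=" + _encode(f"Title eq {odata_string(title)}")


def group_prefix_uri(prefix):
    """URI for: _api/web/sitegroups?$filter=startswith(Title,'<prefix>')"""
    expr = f"startswith(Title,{odata_string(prefix)})"
    return "_api/web/sitegroups?$filter=" + _encode(expr)


def group_members_uri(title):
    """URI for: _api/web/SiteGroups/getByName('<title>')/users with a $select"""
    return ("_api/web/SiteGroups/getByName(" + _encode(odata_string(title))
            + ")/users?$select=LoginName,Email,Id")


if __name__ == "__main__":
    # Constructed inputs: a normal title and two that would alter a naive URI.
    for t in ("MY SPO GROUP", "x' or Title ne '", "R&D's Team"):
        print(group_filter_uri(t))
        print(group_members_uri(t))
```

In a flow, the same two steps are a `replace()` that doubles the single quote followed by `encodeUriComponent()` on the dynamic value.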
Creating a new group
Method: POST
Uri: _api/web/sitegroups
Headers:
{
"accept": "application/json;odata=verbose",
"content-type": "application/json;odata=verbose"
}
Body:
{
"__metadata": {
"type":"SP.Group"
},
"Title": "FlowGroup",
"Description":"Group created from flow"
}
Adding users or groups to a SPO group
Notice the special format for users: the only thing that changes is the e-mail address at the end of the LoginName. “i:0#.f|membership|” stays the same.
Notice the special format for groups. For Entra security groups use “c:0t.c|tenant|”, for Microsoft 365 groups (Teams) use “c:0o.c|federateddirectoryclaimprovider|”.
Method: POST
Uri: _api/web/sitegroups(ID)/users
Headers:
{
"Accept": "application/json; odata=verbose",
"Content-Type": "application/json; odata=verbose"
}
Body:
{
"__metadata": {
"type":"SP.User"
},
"LoginName":"i:0#.f|membership|Email@example.com"
}
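The LoginName prefixes described above also tell you what kind of principal a group member is when you read the members back. The following is an added example, not from the original page: it classifies LoginName values by prefix for an access review and builds the request body shown above with a validated identifier. The function names and the sample members are made up for illustration.

```python
import json

# Claim prefixes exactly as given on this page.
PREFIXES = {
    "user": "i:0#.f|membership|",
    "entra_security_group": "c:0t.c|tenant|",
    "m365_group": "c:0o.c|federateddirectoryclaimprovider|",
}


def classify(login_name):
    """Return (kind, identifier); kind is 'other' for an unknown prefix."""
    for kind, prefix in PREFIXES.items():
        if login_name.lower().startswith(prefix):
            return kind, login_name[len(prefix):]
    return "other", login_name


def review(members):
    """Group the identifiers of the given members by principal kind."""
    out = {}
    for m in members:
        kind, ident = classify(m["LoginName"])
        out.setdefault(kind, []).append(ident)
    return out


def add_member_body(kind, identifier):
    """Build the POST body for _api/web/sitegroups(ID)/users."""
    if kind not in PREFIXES:
        raise ValueError(f"unknown principal kind: {kind}")
    if not identifier or "|" in identifier or any(c.isspace() for c in identifier):
        raise ValueError("identifier must be non-empty, without '|' or whitespace")
    # json.dumps escapes quotes, so the value cannot break out of the body.
    return json.dumps({"__metadata": {"type": "SP.User"},
                       "LoginName": PREFIXES[kind] + identifier})


# Constructed sample of what .../users?$select=LoginName,Email,Id could return.
SAMPLE_MEMBERS = [
    {"Id": 11, "LoginName": "i:0#.f|membership|Email@example.com"},
    {"Id": 12, "LoginName": "c:0o.c|federateddirectoryclaimprovider|00000000-0000-0000-0000-000000000001"},
    {"Id": 13, "LoginName": "SHAREPOINT\\system"},
]

if __name__ == "__main__":
    print(review(SAMPLE_MEMBERS))
    print(add_member_body("user", "Email@example.com"))
```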
Removing users or groups from a SPO group
Method: POST
Uri:
_api/web/sitegroups(ID)/users/getbyId(2)
_api/web/sitegroups(ID)/users/getbyEmail('Email of Person Group')
Headers:
{
"Accept": "application/json; odata=verbose",
"Content-Type": "application/json; odata=verbose",
"IF-MATCH": "*",
"X-HTTP-Method": "DELETE"
}
Permissions
Reading current permissions on an item
Method: GET
Uri: _api/web/lists(guid'LIST GUID')/items(ID)/roleassignments
Headers:
{
"Accept": "application/json; odata=verbose",
"Content-Type": "application/json; odata=verbose"
}
Getting files or items that have unique permissions
Whenever you break permissions on an item or file (see below), its HasUniqueRoleAssignments property is set to true. With this filter you can find all those documents (this is also possible inside the SharePoint GUI).
Method: GET
Uri: _api/web/lists(guid'LIST GUID')/items?filter=HasUniqueRoleAssignments eq 'true'
Headers:
{
"Accept": "application/json; odata=verbose",
"Content-Type": "application/json; odata=verbose"
}
Breaking permission inheritance
Method: POST
Uri: _api/web/lists('LIST GUID')/items(ID)/breakroleinheritance(copyRoleAssignments=false,clearSubscopes=true)
Headers:
{
"Accept": "application/json; odata=verbose",
"Content-Type": "application/json; odata=verbose"
}
copyRoleAssignments: Keeps the assigned permission groups and people after breaking inheritance. If set to false, the item or file will have no permissions (except owners and site collection administrators).
clearSubscopes: This will clear any subobject permissions as well. For files and items this does not do much. Keep it there anyway.
Resetting Permissions on an item or file
After breaking permissions you might want to go back to the inherited permissions. The item or file will then inherit the permissions of the parent container (folder, library or list).
Method: POST
Uri: _api/web/lists('LIST GUID')/items(ID)/ResetRoleInheritance()
Headers:
{
"Accept": "application/json; odata=verbose",
"Content-Type": "application/json; odata=verbose"
}
Granting access to an item or file
The principalid is a unique Id per site collection for a user or group. You can find it in the users and groups interface in SharePoint or by reading the sitegroups or their members as mentioned above.
The roledefid describes the level of permissions given to that group or user for that item or file. You can find the roledefid in the user and group interface under permission levels or use the most common ones:
| Role Definition Name | Role Definition Id |
| --- | --- |
| Full Control | 1073741829 |
| Design | 1073741828 |
| Edit | 1073741830 |
| Contribute | 1073741827 |
| Read | 1073741826 |
| Limited Access | 1073741825 |
| View Only | 1073741924 |
If you use custom permission levels, they will also have an id which you can find in the users and groups interface.
Method: POST
Uri: _api/web/lists('LIST GUID')/items(ID)/roleassignments/addroleassignment(principalid=USER or GROUPID,roledefid=Id)
Headers:
{
"Accept": "application/json; odata=verbose",
"Content-Type": "application/json; odata=verbose"
}
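After granting access it is worth reading the role assignments back and checking who ended up with more than read access. The following is an added example, not from the original page: it flattens a roleassignments response and flags principals that are not on an allow list. It assumes the read request was made with `$expand=Member,RoleDefinitionBindings`; the function names and the sample response are constructed.

```python
# Role definition ids copied from the table on this page.
ROLE_NAMES = {
    1073741829: "Full Control", 1073741828: "Design", 1073741830: "Edit",
    1073741827: "Contribute", 1073741826: "Read",
    1073741825: "Limited Access", 1073741924: "View Only",
}
READ_ONLY = {"Read", "View Only", "Limited Access"}


def summarize(response):
    """Flatten a verbose-OData roleassignments response to one row per principal."""
    rows = []
    for ra in response.get("d", {}).get("results", []):
        member = ra.get("Member") or {}
        if "__deferred" in member:              # Member was not expanded
            member = {}
        bindings = ra.get("RoleDefinitionBindings") or {}
        if "results" in bindings:
            roles = sorted(
                ROLE_NAMES.get(b["Id"]) or "custom:" + str(b.get("Name") or b["Id"])
                for b in bindings["results"])
        else:                                   # bindings were not expanded
            roles = ["unexpanded"]
        rows.append({"principal_id": ra["PrincipalId"],
                     "login": member.get("LoginName"), "roles": roles})
    return rows


def needs_review(rows, allowed_ids):
    """Ids outside allowed_ids holding any role not known to be read-only.
    Custom levels and unexpanded bindings count as write-capable until checked."""
    return [r["principal_id"] for r in rows
            if r["principal_id"] not in allowed_ids
            and any(role not in READ_ONLY for role in r["roles"])]


def _ra(pid, member, *roles):                   # builds one constructed record
    return {"PrincipalId": pid, "Member": member, "RoleDefinitionBindings":
            {"results": [{"Id": i, "Name": n} for i, n in roles]}}


# Constructed sample: principal ids, logins and the custom role id are made up.
SAMPLE = {"d": {"results": [
    _ra(5, {"LoginName": "FlowGroup"}, (1073741829, "Full Control")),
    _ra(23, {"LoginName": "i:0#.f|membership|Email@example.com"},
        (1073741827, "Contribute"), (1073741825, "Limited Access")),
    _ra(31, {"__deferred": {"uri": "constructed"}}, (1073741826, "Read")),
    _ra(40, {"LoginName": "c:0t.c|tenant|constructed-id"}, (1073742000, "ONB Reviewer")),
]}}

if __name__ == "__main__":
    print(needs_review(summarize(SAMPLE), allowed_ids={5}))
```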
Ensure user
If you are working with the REST API, you will notice that you sometimes need the ID of a user object to assign permissions. You can use the ensureuser endpoint to make the user available to your site collection and in return get an ID.
Method: POST
Uri: _api/web/ensureUser('user@domain.de')
Headers:
{
"Accept": "application/json; odata=verbose",
"Content-Type": "application/json; odata=verbose"
}
Output:
body('Send_an_HTTP_request_to_SharePoint')?['d/Id']
Role definitions
_api/web/roledefinitions?$filter=startswith(Name,'ONB')
_api/web/roledefinitions(@{item()?['Id']})
Method: POST
Uri: _api/web/roledefinitions
Headers:
{
"Accept": "application/json; odata=verbose",
"Content-Type": "application/json; odata=verbose"
}
Body:
{
'__metadata': { 'type': 'SP.RoleDefinition' },
'BasePermissions': { '__metadata': { 'type': 'SP.BasePermissions' }, 'High': '@{item()?['Settings']?['High']}', 'Low': '@{item()?['Settings']?['Low']}' },
'Description': '@{item()?['Name']}',
'Name': '@{item()?['Name']}',
'Order': 180
}