New Graph API for SharePoint Online Administration

SharePoint Admin API Supports Graph-Based Administration

On May 8, Microsoft announced the availability of the SharePoint Admin Graph API to give developers and administrators access to tenant-wide settings for SharePoint Online and OneDrive for Business. The settings accessible through the API include a small subset of the controls that can be set using the Set-SPOTenant cmdlet from the SharePoint Online administration module along with some other settings that aren’t available to the cmdlet. For instance, the imageTaggingOption setting controls the Syntex image tagging option for the tenant (see message center notification MC551018, Microsoft 365 roadmap item 88715).

Because it only covers tenant-wide settings, this API is emphatically not a replacement for Microsoft’s SharePoint PowerShell module or the PnP PowerShell module. Nevertheless, it is a start on the process of moving SharePoint Online to the common Graph platform. With that thought in mind, let’s see how to use the API.

API Requirements

Two basic requirements must be met to run the SharePoint Admin API:

  • The app must have consent for the SharePointTenantSettings.ReadWrite.All permission. For instance, to run the API with the Graph Explorer, you must obtain administrator consent to use the SharePointTenantSettings.ReadWrite.All permission (Figure 1).
  • The signed-in user must belong to either the Global Administrator or SharePoint Administrator roles.

Figure 1: Assigning the permission to use the SharePoint Admin API to the Graph Explorer

Here’s an example of signing into the Microsoft Graph PowerShell SDK with the required permission and running the Invoke-MgGraphRequest cmdlet to fetch the set of tenant-wide settings supported by the API:

Connect-MgGraph -Scopes SharePointTenantSettings.ReadWrite.All
$Uri = "https://graph.microsoft.com/v1.0/admin/sharepoint/settings"
Invoke-MgGraphRequest -Uri $Uri

Name                           Value
----                           -----
imageTaggingOption             basic
isUnmanagedSyncAppForTenant... False
isMacSyncAppEnabled            True
isRequireAcceptingUserToMat... True
isSharePointMobileNotificat... True
idleSessionSignOut             {isEnabled, warnAfterInSeconds, signOutAfterInSeconds}
sharingBlockedDomainList       {Gmail.com}
personalSiteDefaultStorageL... 5242880
isCommentingOnSitePagesEnabled True
isSiteCreationEnabled          True
excludedFileExtensionsForSy... {*.exe, *.zip, *.rar, *.pst...}
@odata.context                 https://graph.microsoft.com/v1.0/$metadata#admin/sharepoint/settings/$entity
isFileActivityNotificationE... True
isSyncButtonHiddenOnPersona... False
isSharePointNewsfeedEnabled    False
sharingCapability              externalUserAndGuestSharing
sharingAllowedDomainList       {hotmail.com, live.com, locklan.com.au, Microsoft.com...}
availableManagedPathsForSit... {/sites/, /teams/}
isResharingByExternalUsersE... False
siteCreationDefaultManagedPath /sites/
deletedUserPersonalSiteRete... 60
allowedDomainGuidsForSyncApp   {}
isSiteCreationUIEnabled        True
isLegacyAuthProtocolsEnabled   True
siteCreationDefaultStorageL... 26214400
isSitesStorageLimitAutomatic   True
isSitePagesCreationEnabled     False
sharingDomainRestrictionMode   none
tenantDefaultTimezone          (UTC) Dublin, Edinburgh, Lisbon, London
isLoopEnabled                  True
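Several of the settings in this output are security controls (legacy authentication, external sharing, idle session sign-out), so the same request can feed a baseline check. The script below is an added example, not code from the original article: the baseline values and the Get-SettingValue and Test-SpoBaseline helper names are assumptions for illustration, and the sample data is constructed so the script runs without a tenant.

```powershell
# Added example: baseline check for security-relevant SharePoint tenant settings.
# Live use (read-only scope; assumes admin consent has been granted for it):
#   Connect-MgGraph -Scopes SharePointTenantSettings.Read.All
#   $Current = Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/admin/sharepoint/settings"

# Constructed sample: top-level values mirror the output above, idleSessionSignOut values are invented.
$Current = @{
    isLegacyAuthProtocolsEnabled = $true
    sharingCapability            = 'externalUserAndGuestSharing'
    sharingDomainRestrictionMode = 'none'
    idleSessionSignOut           = @{ isEnabled = $false; warnAfterInSeconds = 0; signOutAfterInSeconds = 0 }
}

# Assumed policy: key = setting (dotted path for nested values), value = acceptable values.
$Baseline = @{
    'isLegacyAuthProtocolsEnabled' = @($false)
    'sharingCapability'            = @('disabled', 'existingExternalUserSharingOnly', 'externalUserSharingOnly')
    'sharingDomainRestrictionMode' = @('allowList', 'blockList')
    'idleSessionSignOut.isEnabled' = @($true)
}

function Get-SettingValue {
    # Walk a dotted path through the nested hash tables that Invoke-MgGraphRequest returns.
    param([System.Collections.IDictionary] $Settings, [string] $Path)
    $Value = $Settings
    foreach ($Part in $Path.Split('.')) {
        if ($Value -is [System.Collections.IDictionary] -and $Value.Contains($Part)) { $Value = $Value[$Part] }
        else { return $null }   # Setting missing from the response: treated as non-compliant
    }
    return $Value
}

function Test-SpoBaseline {
    # Emit one result object per baseline entry.
    param([System.Collections.IDictionary] $Settings, [hashtable] $Baseline)
    foreach ($Name in ($Baseline.Keys | Sort-Object)) {
        $Actual = Get-SettingValue -Settings $Settings -Path $Name
        [pscustomobject]@{
            Setting   = $Name
            Actual    = if ($null -eq $Actual) { '<not returned>' } else { $Actual }
            Allowed   = $Baseline[$Name] -join ', '
            Compliant = ($null -ne $Actual) -and ($Baseline[$Name] -contains $Actual)
        }
    }
}

$Results = Test-SpoBaseline -Settings $Current -Baseline $Baseline
$Results | Format-Table -AutoSize
"{0} of {1} checked settings deviate from the baseline" -f @($Results | Where-Object { -not $_.Compliant }).Count, $Results.Count
```

Because the check only reads settings, the read-only SharePointTenantSettings.Read.All scope is sufficient; reserve SharePointTenantSettings.ReadWrite.All for sessions that actually send a PATCH.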

The other option for SharePoint tenant settings is to update one of the supported settings. For example, here’s how to update the isLoopEnabled setting (required to allow Teams to use Loop components) by specifying the new value in a hash table and running a PATCH update against the API:

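# Display the current settings before making the change
Invoke-MgGraphRequest -Uri $Uri
# New value for the setting to update
$Settings = @{ "isLoopEnabled" = $false }
# Send the PATCH request to update the tenant setting
Invoke-MgGraphRequest -Uri $Uri -Method PATCH -Body $Settings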

The API responds by listing the new settings.

Next Step Exchange?

Now that SharePoint Online has started to support a Graph API for tenant-wide settings, perhaps the next step is for Microsoft to create a Graph API for Exchange Online tenant-wide settings. The focus for automation in the Exchange development group has been twofold:

  • Move away from Exchange Web Services (EWS). Microsoft deprecated 25 EWS APIs on March 31, 2022. Given the strategic direction to embrace Graph APIs whenever possible and move away from “legacy” APIs, it seems logical that Microsoft will terminate support for EWS in the future.
  • Move PowerShell away from basic authentication and Remote PowerShell sessions. The process is well underway and will complete later this year.

The big issue for developers is that the Graph/PowerShell combination still cannot do everything that’s possible in EWS. To move, developers need comparable functionality, especially in terms of an API to perform management operations. These aren’t as important in the cloud because Microsoft takes care of server management, but configuration of Exchange Online tenant settings is definitely desirable.


2 Replies to “New Graph API for SharePoint Online Administration”

  1. Is it still possible to access SharePoint Online module in PowerShell using basic Auth, i.e., using username and password?
