SharePoint Admin API Supports Graph-Based Administration
On May 8, Microsoft announced the availability of the SharePoint Admin Graph API to give developers and administrators access to tenant-wide settings for SharePoint Online and OneDrive for Business. The settings accessible through the API include a small subset of the controls that can be set using the Set-SPOTenant cmdlet from the SharePoint Online administration module along with some other settings that aren’t available to the cmdlet. For instance, the imageTaggingOption setting controls the Syntex image tagging option for the tenant (see message center notification MC551018, Microsoft 365 roadmap item 88715).
Because it only covers tenant-wide settings, this API is emphatically not a replacement for Microsoft’s SharePoint PowerShell module or the PnP PowerShell module. Nevertheless, it is a start on the process of moving SharePoint Online to the common Graph platform. With that thought in mind, let’s see how to use the API.
API Requirements
Two basic requirements must be met to run the SharePoint Admin API:
- The app must have consent for the SharePointTenantSettings.ReadWrite.All permission. For instance, to run the API with the Graph Explorer, you must obtain administrator consent to use the SharePointTenantSettings.ReadWrite.All permission (Figure 1).
- The signed-in user must hold either the Global Administrator or the SharePoint Administrator role.

Here’s an example of signing into the Microsoft Graph PowerShell SDK with the required permission and running the Invoke-MgGraphRequest cmdlet to fetch the set of tenant-wide settings supported by the API:
```
Connect-MgGraph -Scopes SharePointTenantSettings.ReadWrite.All
$Uri = "https://graph.microsoft.com/v1.0/admin/sharepoint/settings"
Invoke-MgGraphRequest -Uri $Uri

Name                           Value
----                           -----
imageTaggingOption             basic
isUnmanagedSyncAppForTenant... False
isMacSyncAppEnabled            True
isRequireAcceptingUserToMat... True
isSharePointMobileNotificat... True
idleSessionSignOut             {isEnabled, warnAfterInSeconds, signOutAfterInSeconds}
sharingBlockedDomainList       {Gmail.com}
personalSiteDefaultStorageL... 5242880
isCommentingOnSitePagesEnabled True
isSiteCreationEnabled          True
excludedFileExtensionsForSy... {*.exe, *.zip, *.rar, *.pst...}
@odata.context                 https://graph.microsoft.com/v1.0/$metadata#admin/sharepoint/settings/$entity
isFileActivityNotificationE... True
isSyncButtonHiddenOnPersona... False
isSharePointNewsfeedEnabled    False
sharingCapability              externalUserAndGuestSharing
sharingAllowedDomainList       {hotmail.com, live.com, locklan.com.au, Microsoft.com...}
availableManagedPathsForSit... {/sites/, /teams/}
isResharingByExternalUsersE... False
siteCreationDefaultManagedPath /sites/
deletedUserPersonalSiteRete... 60
allowedDomainGuidsForSyncApp   {}
isSiteCreationUIEnabled        True
isLegacyAuthProtocolsEnabled   True
siteCreationDefaultStorageL... 26214400
isSitesStorageLimitAutomatic   True
isSitePagesCreationEnabled     False
sharingDomainRestrictionMode   none
tenantDefaultTimezone          (UTC) Dublin, Edinburgh, Lisbon, London
isLoopEnabled                  True
```
The other option for SharePoint tenant settings is to update one of the supported settings. For example, here’s how to update the isLoopEnabled setting (required to allow Teams to use Loop components) by specifying the new value in a hash table and running a PATCH update against the API:
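```
# Read the current settings first
Invoke-MgGraphRequest -Uri $Uri
# New value for the setting, passed as a hash table
$Settings = @{ "isLoopEnabled" = $false }
# Apply the change with a PATCH request
Invoke-MgGraphRequest -Uri $Uri -Method PATCH -Body $Settings
```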
The API responds by listing the new settings.
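Because the read and the update use the same hash table shape, the two calls combine naturally into a drift check: compare what the tenant returns against a desired baseline and PATCH only the settings that differ. The following is an added example, not code from the original article; the function name Get-SpoSettingsDrift, the baseline values, and the sample data are assumptions made for illustration.

```powershell
# Added example. Baseline values are illustrative assumptions, not Microsoft guidance.
function Get-SpoSettingsDrift {
    param(
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Current,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Baseline
    )
    $Patch  = @{}
    $Report = foreach ($Name in $Baseline.Keys) {
        $Want = $Baseline[$Name]
        $Have = $Current[$Name]
        if ($Want -is [System.Collections.IDictionary]) {
            # Complex setting: overlay baseline keys on a copy of the current object
            # so the PATCH carries the whole object (assumption: it is sent whole).
            $Merged = @{}
            if ($Have -is [System.Collections.IDictionary]) {
                foreach ($Key in $Have.Keys) { $Merged[$Key] = $Have[$Key] }
            }
            $Changed = $false
            foreach ($Key in $Want.Keys) {
                if ($Merged[$Key] -ne $Want[$Key]) { $Changed = $true }
                $Merged[$Key] = $Want[$Key]
            }
            if ($Changed) { $Patch[$Name] = $Merged }
        }
        else {
            $Changed = ($Have -ne $Want)
            if ($Changed) { $Patch[$Name] = $Want }
        }
        [pscustomobject]@{ Setting = $Name; Drift = $Changed }
    }
    [pscustomobject]@{ Report = $Report; Patch = $Patch }
}

# Hypothetical baseline, using setting names from the output above.
$Baseline = @{
    isLegacyAuthProtocolsEnabled = $false
    isLoopEnabled                = $true
    idleSessionSignOut = @{ isEnabled = $true; warnAfterInSeconds = 2700; signOutAfterInSeconds = 3600 }
}
# Constructed sample shaped like the hash table Invoke-MgGraphRequest returns;
# the idleSessionSignOut values are invented for the example.
$Current = @{
    isLegacyAuthProtocolsEnabled = $true
    isLoopEnabled                = $true
    idleSessionSignOut = @{ isEnabled = $false; warnAfterInSeconds = 0; signOutAfterInSeconds = 0 }
}
$Result = Get-SpoSettingsDrift -Current $Current -Baseline $Baseline
$Result.Report | Format-Table -AutoSize
$Result.Patch  | ConvertTo-Json -Depth 3   # body containing only the drifted settings
# Live use: $Current = Invoke-MgGraphRequest -Uri $Uri, then
# Invoke-MgGraphRequest -Uri $Uri -Method PATCH -Body $Result.Patch
```

With the sample data, the report flags isLegacyAuthProtocolsEnabled and idleSessionSignOut as drifted and leaves isLoopEnabled out of the PATCH body.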
Next Step Exchange?
Now that SharePoint Online has started to support a Graph API for tenant-wide settings, perhaps the next step is for Microsoft to create a Graph API for Exchange Online tenant-wide settings. The focus for automation in the Exchange development group has been twofold:
- Move away from Exchange Web Services (EWS). Microsoft deprecated 25 EWS APIs on March 31, 2022. Given the strategic direction to embrace Graph APIs whenever possible and move away from “legacy” APIs, it seems logical that Microsoft will terminate support for EWS in the future.
- Move PowerShell away from basic authentication and Remote PowerShell sessions. The process is well underway and will complete later this year.
The big issue for developers is that the Graph/PowerShell combination still cannot do everything that’s possible in EWS. To move, developers need comparable functionality, especially in terms of an API to perform management operations. These aren’t as important in the cloud because Microsoft takes care of server management, but configuration of Exchange Online tenant settings is definitely desirable.
Is it still possible to access the SharePoint Online module in PowerShell using basic auth, i.e., using a username and password?
Have you tried before asking?