This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 93%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAK%3C/text%3E%3C/svg%3E)
Hi
I am connecting to SharePoint admin center using command "Connect-PnPOnline" with certificate thumbprint and Client Id. In my Azure AD App, I am having the SharePoint Permission "Sites.Read.All". I am trying to get all the site collections from tenant using this PnP command "Get-PnPTenantSite". I am not able to get any data. It is showing me an Unauthorized Operation.
If i am using "Sites.Manage.All" in Azure AD App, I can able to do all operations.
Can you please explain me Why "sites.Read.All" is not enough for getting the site collection Details?
I'm not aware of any documentation that shows the permissions required to perform specific operations in the SharePoint APIs so I can only give you my opinion.
I think of it this way:
I say "roughly equivalent" above because I've come across scenarios where I was sure I'd only need Write permission but it turns out I needed Manage or I was sure I would only need Manage but it turns out I needed FullControl. I've found that determining what permissions are required sometimes comes down to trial and error.
In regards to the Get-PnPTenantSite cmdlet in PnP PowerShell, it is used to connect to the Tenant Administration site so it makes sense to me that Read or Write permission would not be sufficient.
I hope this helps.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(160, 17%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYJ%3C/text%3E%3C/svg%3E)
Hi @ABHISHEK KUMAR ,
The "Sites.Read.All" permission in Azure AD App is not enough to get all site collections from the tenant using the PnP command "Get-PnPTenantSite". This is because the "Sites.Read.All" permission only grants the application the ability to read metadata and contents of the site, but not to read the site collections themselves. To get all site collections, you need to use the "Sites.Manage.All" permission or a combination of "Sites.ReadWrite.All" and "Sites.FullControl.All" permissions.
For your reference:
Understanding Resource Specific Consent for Microsoft Graph and SharePoint Online
Getting started with the SharePoint modernization scanner
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(227.2, 93%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESK%3C/text%3E%3C/svg%3E)
the "Sites.Read.All" permission only grants the application the ability to read metadata and contents of the site, but not to read the site collections themselves.
so you mean to say if i given permission "Sites.Read.All" to an 3rd party App it can read only meta data and content of site , could you please more clarify content of site means - Does this app read content of my data ? eg: i have confidential.txt on my site so does that app with "Sites.Read.All" permission can read my confidential data in data.txt or does it read only file name and can not read the content inside the file , please confirm