Delta token does not work for tracking permission changes if user/group is added/removed

Ameya Nayak 20 Reputation points
2024-07-22T10:46:59.63+00:00

Hi team,

We are using Microsoft graph apis to track content and permission changes of files and folders in Sharepoint and one drive . The delta token works for content changes. But when we try to use the header Prefer: deltashowremovedasdeleted, deltatraversepermissiongaps, deltashowsharingchanges as mentioned in https://video2.skills-academy.com/en-us/graph/api/driveitem-delta?view=graph-rest-1.0&tabs=http#scanning-permissions-hierarchies, the delta query works as long as permissions and content is updated on a file level. As soon as a user/group is added/removed on a folder level, the delta token stops working. We see the error as mentioned in the image.
Request id - c2532be3-581c-4a98-872d-453d7183781d
Client-request-id - c2532be3-581c-4a98-872d-453d7183781d
x-ms-ags-diagnostic - {"ServerInfo":{"DataCenter":"East US","Slice":"E","Ring":"5","ScaleUnit":"004","RoleInstance":"BL02EPF00003B0C"}}
Screenshot 2024-07-22 at 4.01.36 PM

The application used to generate token for graph APIs has application permissions of Files.Read.All and Sites.Read.All

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
11,771 questions
OneDrive
OneDrive
A Microsoft file hosting and synchronization service.
1,059 questions
SharePoint
SharePoint
A group of Microsoft Products and technologies used for sharing and managing content, knowledge, and applications.
10,608 questions
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. AllenXu-MSFT 19,456 Reputation points Microsoft Vendor
    2024-07-23T06:41:16.0333333+00:00

    Hi @Ameya Nayak,

    The delta token does not work for tracking permission changes if a user or group is added or removed on a folder level.

    Delta query is designed to track changes in Microsoft Graph data and enables applications to discover newly created, updated, or deleted entities without performing a full read of the target resource with every request. However, changes to properties stored outside the main data store are not tracked.

    If the answer is helpful, please click "Accept as Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

  2. Dmitry Kankalovich 0 Reputation points
    2024-08-19T12:57:57.8566667+00:00

    I have a 100% exact same problem and pulling my hair out trying to solve it.

    I suspect it might be required for the token to have additionally Sites.FullControl.All as stated in documentation.

    However this is kind of scope won't be approved by our security team. And anyway it feels weird this scope is needed - given that I can directly read folder and file permissions without it.

    Anyway, @Ameya Nayak any chances you've solved it?

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.