Today I was facing a weird issue, and I think it can be the same for other people, so I decided to share this experience.
For an application which uses the Office 365 REST API (especially the SharePoint REST API), I tried to reduce the rights necessary to run (in the Microsoft Azure Portal).
The initial configuration was the following:
With this configuration, I was able to retrieve data from sites, webs, subwebs, lists, etc…
Because the application doesn’t necessarily need to edit the data, I tried to remove the ‘Edit or delete items in all site collections’ permission as you can see below.
With this new configuration, I tried to execute the following request:
https://tenant.sharepoint.com/_api/Web/Webs/
The URL above allows you to retrieve the list of subwebs from the given site.
When I execute this request, I receive the following JSON response which indicates that I’m not authorized to do this action.
{ error = { code = "-2147024891, System.UnauthorizedAccessException"; message = "Access denied. You do not have permission to perform this action or access this resource."; }; }
But if I try to access https://tenant.sharepoint.com/_api/Web/ to retrieve information (title, server relative URL…) from the current site, everything works fine.
Reverting the permissions to the initial configuration solved the issue, but I’m very surprised to see that it’s necessary to have ‘edit’ permissions to be able to retrieve the list of subwebs.
Hope this will help you if you encounter the same issue 😉
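A check for this situation, as an added example that is not part of the original post: it probes each REST endpoint the application depends on with the app's access token, so the results before and after a permission change in the Azure portal can be compared. The function names, the `send` hook and the way the token is obtained are assumptions made for illustration.

```python
import json
import urllib.error
import urllib.request

ACCESS_DENIED = "-2147024891"  # error code from the response quoted in the post


def http_get(url, token):
    """Send one GET with the app's bearer token; return (status, body text)."""
    req = urllib.request.Request(url, headers={
        "Authorization": "Bearer " + token,
        "Accept": "application/json;odata=verbose",
    })
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # 4xx/5xx still carry the JSON error body we want to inspect
        return err.code, err.read().decode("utf-8", "replace")


def classify(status, body):
    """Map a response to 'ok', 'access_denied' or 'error:<status>'."""
    if 200 <= status < 300:
        return "ok"
    try:
        code = str(json.loads(body)["error"]["code"])
    except (ValueError, KeyError, TypeError):
        code = ""  # body was not the expected JSON error object
    if status in (401, 403) or code.startswith(ACCESS_DENIED):
        return "access_denied"
    return "error:%d" % status


def probe(site_url, token, paths, send=http_get):
    """Return {path: classification} for every endpoint the app relies on."""
    base = site_url.rstrip("/")
    return {p: classify(*send(base + p, token)) for p in paths}


def broken_by_change(before, after):
    """Endpoints that worked before the permission change and fail after it."""
    return sorted(p for p in before if before[p] == "ok" and after.get(p) != "ok")
```

Run `probe` once with the original permissions and once after removing a permission, then pass both results to `broken_by_change` to list the endpoints the reduced permission set no longer covers.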