SharePoint / sp-dev-docs

SharePoint & Viva Connections Developer Documentation
https://docs.microsoft.com/en-us/sharepoint/dev/
Creative Commons Attribution 4.0 International

What permissions are required for /_api/SPSiteManager/create #7183

Open Litwilly opened 3 years ago

Litwilly commented 3 years ago

What permissions are required for /_api/SPSiteManager/create


ghost commented 3 years ago

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.

michaelhan-1 commented 3 years ago

Per my knowledge, creating modern sites doesn't need any permissions.

As an internal user, you could create modern sites using /_api/SPSiteManager/create

Michael Han Microsoft SharePoint Community Support

Litwilly commented 3 years ago

image

This is the response I am getting using /_api/SPSiteManager/create with an OAuth 2.0 application token that has permissions to create SharePoint subsites via the Microsoft Graph API.

Litwilly commented 3 years ago

Update: I was using the following scope: "https://graph.microsoft.com/.default". I updated this to "https://yourSite.sharepoint.com/.default" and am now getting:

image

Litwilly commented 3 years ago

This led me to an article about needing a cert for the app: azure - https://stackoverflow.com/questions/56526581/sharepoint-online-unsupported-app-only-token

After following the documentation to do that, I am still getting the same "unsupported app only token" error.

michaelhan-1 commented 3 years ago

You need to get the access token like this:

    Grant Type:        Authorization Code
    Callback Url:      this should be the AAD App redirect Url
    Auth URL:          https://login.microsoftonline.com/common/oauth2/authorize?resource=https%3A%2F%2F<tenant_name>.sharepoint.com
    Access Token URL:  https://login.microsoftonline.com/common/oauth2/token
    Client ID:         <client_ID>
    Client Secret:     <Client-secret>

image

Litwilly commented 3 years ago

So it looks like you're setting up the call for delegated access (user - grant type - auth code).

I'm trying to create a site with application-level access (app only - grant type - client cred).

I believe it is possible. It requires a client and cert; the issue is creating the client assertion, which looks simple for C#, .NET, or PS, but I'm not really sure of the feasibility through a 3rd party, i.e. Postman (and my end goal of ServiceNow).

Regardless, I was able to get it working via delegated access; however, it did require that I have Delegated SharePoint: AllSites.FullControl API permissions.

Some of the resources that have helped me gather this conclusion:

- https://blog.mastykarz.nl/azure-ad-app-only-access-token-using-certificate-dotnet-core/
- https://docs.microsoft.com/en-us/archive/blogs/richard_dizeregas_blog/performing-app-only-operations-on-sharepoint-online-through-azure-ad
- https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Client-Assertions
- https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#second-case-access-token-request-with-a-certificate
- https://stackoverflow.com/questions/63244752/using-a-certificate-in-azure-active-directory-to-sign-and-return-an-access-token
- https://stackoverflow.com/questions/56526581/sharepoint-online-unsupported-app-only-token

Litwilly commented 3 years ago

@michaelhan-1 Delegated access via a service account is providing its own challenges, because I'm struggling to figure out how to get a refresh token. I'm able to get an access token, but it has a 1 hr expiration. Appreciate any help here!