Retrieve site users via the SharePoint REST API using an access token generated through the client credentials flow.

akanksha mishra 0 Reputation points
2025-08-07T11:21:34.44+00:00

I’m attempting to access the /_api/web/siteusers endpoint using the SharePoint REST API, authenticated via an access token generated with client credentials. However, I’m encountering the error: "Unsupported app-only token."

I’ve already granted the following permissions to the app:

Sites.AllSites.FullControl

Sites.FullControl.All

Sites.Read.All

Sites.ReadWrite.All

Despite this, the issue persists. Has anyone faced a similar problem or can offer guidance on how to resolve this?

Microsoft 365 and Office | SharePoint | Development

1 answer

  1. Hin-V 2,075 Reputation points Microsoft External Staff Moderator
    2025-08-07T15:00:59.21+00:00

    Hi @akanksha mishra

    Thank you for posting your question in Microsoft Q&A.  

    We understand that you're attempting to retrieve site users via the SharePoint REST API. Although your configuration assigns your app permissions such as Sites.AllSites.FullControl, Sites.FullControl.All, Sites.Read.All, and Sites.ReadWrite.All, you're encountering the error message: "Unsupported app-only token." We are glad to assist you with this.

    Based on my research, the SharePoint REST API endpoint "/_api/web/siteusers" will require a token with user context, which app-only tokens do not provide. This is a known limitation, not a misconfiguration. Even with full site permissions, app-only tokens are not supported for this endpoint because it expects a user-bound token.

    From my perspective, I recommend the Azure AD app-only model for secure access, and I confirm that certain endpoints like "/siteusers" remain inaccessible via app-only tokens due to their design. This limitation is consistent across tenants and documented in Microsoft Q&A and technical community discussions; you can read the following links to get more insight.

    Link references:  

    Sharepoint online 'Unsupported app only token.' - Stack Overflow    

    Granting access using SharePoint App-Only | Microsoft Learn    

    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link. 

    As forum moderators, we don’t have access to the detailed system needed, so we're unable to provide a definitive solution for this issue. However, based on my research, here are a few workaround methods you can try to see if they help resolve your concern:

    1. Using Delegated Permissions Instead of App-Only

    Since the /_api/web/siteusers endpoint requires user context, switching to delegated permissions allows you to authenticate on behalf of a user. This ensures that the access token contains the required identity claims to access user-specific data, aligning with the endpoint's requirements and overcoming the limitations of app-only tokens.

    2. Using Microsoft Graph API 

    Consider using Microsoft Graph as an alternative to the SharePoint REST API. Microsoft Graph supports app-only tokens for many operations and is designed to work seamlessly with Azure AD authentication. 

    3. Enable ACS App-Only Access for New Tenants  

    If app-only access is required and you're working in a newer tenant, you can enable support for ACS-based app-only authentication by running the following PowerShell command:

    Connect-SPOService -Url https://<tenant>-admin.sharepoint.com 
    

    You can refer to: Azure ACS retirement in Microsoft 365 | Microsoft Learn

    If you have any additional concerns, feel free to comment below. I'll be more than happy to assist.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".       

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread. 
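
To see which kind of token a client is actually sending, decode its claims: tokens from the client credentials flow carry application permissions in `roles` and no `scp`, while delegated (user-bound) tokens carry `scp`. The following is an added example, not code from the question or the answer; the sample tokens, the `contoso` tenant name, the `AllSites.Read` scope value and all function names are constructed for illustration.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Decode the payload of a JWT WITHOUT verifying its signature.
    Diagnostic use only; never base an authorization decision on this."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def token_kind(claims: dict) -> str:
    """Classify a Microsoft Entra ID (Azure AD) access token by its claims."""
    if claims.get("idtyp") == "app":   # optional claim, explicit when present
        return "app-only"
    if claims.get("scp"):              # delegated scopes => user context
        return "delegated"
    if claims.get("roles"):            # application permissions, no scp
        return "app-only"
    return "unknown"


def describe(token: str) -> dict:
    claims = jwt_claims(token)
    perms = claims.get("scp", "").split() or claims.get("roles", [])
    return {"kind": token_kind(claims), "aud": claims.get("aud"), "permissions": perms}


def _sample_token(claims: dict) -> str:
    # Constructed, unsigned sample token for this example (not a real credential).
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


AUD = "https://contoso.sharepoint.com"  # placeholder tenant, an assumption
APP_ONLY = _sample_token({"aud": AUD, "roles": ["Sites.FullControl.All"]})
DELEGATED = _sample_token({"aud": AUD, "scp": "AllSites.Read", "upn": "user@contoso.example"})

if __name__ == "__main__":
    for name, tok in (("client credentials", APP_ONLY), ("delegated", DELEGATED)):
        print(name, "->", describe(tok))
```

Run it against a token captured from your own client during troubleshooting, and treat that token as a secret: do not paste it into online decoders or tickets.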

