![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 7.000000000000001%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESH%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 54%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESN%3C/text%3E%3C/svg%3E)
Thanks for reaching out to Microsoft Q&A forum support
Based on your description, I understand that you're attempting to access the /_api/web/siteusers endpoint in SharePoint Online using the REST API, authenticated via an access token generated through the client credentials flow. Despite assigning your app permissions such as Sites.AllSites.FullControl, Sites.FullControl.All, Sites.Read.All, and Sites.ReadWrite.All, you're encountering the error message: "Unsupported app-only token."
As far as I know, The SharePoint REST API endpoint /api/web/siteusers requires a token with user context, which app-only tokens (from the client credentials flow) do not provide. This is a known limitation, not a misconfiguration. Even with full site permissions, app-only tokens are not supported for this endpoint because it expects a user-bound token.
From my perspective view, I am recommending the Azure AD app-only model for secure access, confirms that certain endpoints like /siteusers remain inaccessible via app-only tokens due to their design. This limitation is consistent across tenants and documented in Microsoft Q&A and technical community discussions, you can read at the following link to get more insight.
Link references:
Sharepoint online 'Unsupported app only token.' - Stack Overflow
Granting access using SharePoint App-Only | Microsoft Learn
Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link
As a forum moderator, due to licensing and capability limitations, I’m unable to provide a definitive solution for this issue. However, based on my research, here are a few workaround methods you can try to see if they help resolve the problem:
1. Use Delegated Permissions Instead of App-Only
Since the /api/web/siteusers endpoint requires user context, switching to delegated permissions allows you to authenticate on behalf of a user. This ensures the access token includes the necessary identity claims to retrieve user-specific data. This approach is compatible with the endpoint and avoids the limitations of app-only tokens.
2. Use Microsoft Graph API
Consider using Microsoft Graph as an alternative to the SharePoint REST API. Microsoft Graph supports app-only tokens for many operations and is designed to work seamlessly with Azure AD authentication.
3. Enable ACS App-Only Access for New Tenants
If app-only access is required and you're working in a newer tenant, you can enable support for ACS-based app-only authentication by running the following PowerShell command:
Connect-SPOService -Url https://<tenant>-admin.sharepoint.com
Set-SPOTenant -DisableCustomAppAuthentication $true
Link references: Azure ACS retirement in Microsoft 365 | Microsoft Learn
Hope my answer will help you
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.