File Search Limitations with Microsoft Graph and Sites.Selected Permission
An Azure Entra ID application is configured with the Sites.Selected application permission. Using the CLI command:
Grant-PnPAzureADAppSitePermission -AppId "{clientId}" -DisplayName "{name}" -Permissions FullControl -Site "{siteUrl}"
the application has been granted FullControl access to a specific SharePoint site. The application runs in app-only mode using the client credentials flow, and can successfully list and traverse all folders and files within the granted site. However, when attempting to search for documents in that site or its drives using the POST /search/query endpoint, the request consistently returns 401 Unauthorized.
It has been observed that granting the application Files.Read.All temporarily allows the search query to work. However, for security reasons, there is a need to limit the application to Sites.Selected without granting tenant-wide access. Despite FullControl having been granted via the CLI, the /search/query call still fails.
Is there support for /search/query with Sites.Selected in app-only mode, and what alternatives exist for searching within the granted site scope?
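The following is an added example, not part of the original question. It contrasts the two request shapes under discussion: the tenant-wide POST /search/query call, which carries no site scope in its permission model and is the one returning 401 in the question, and a search that is addressed to a specific site's drives via /sites/{site-id}/drives/{drive-id}/root/search(q='...'), which is evaluated against the site the Sites.Selected grant names. Whether the drive-scoped search function accepts Sites.Selected for a given endpoint version is an assumption to confirm in the Microsoft Graph permissions reference for driveItem search; the tenant id, client id, secret, site hostname/path and search term are placeholders, and the script uses only Invoke-RestMethod against documented v1.0 endpoints.

```powershell
# Added example: app-only client credentials token, then a drive-scoped search confined to
# the site that received the Sites.Selected grant. All values below are placeholders.
$tenantId     = "<tenant-id>"
$clientId     = "<client-id>"
$clientSecret = "<client-secret>"          # prefer a certificate or managed identity in production
$hostName     = "contoso.sharepoint.com"   # placeholder tenant host
$sitePath     = "/sites/ProjectX"          # placeholder server-relative site path
$searchTerm   = "quarterly report"

# 1. Client credentials flow (app-only); scope is the Graph resource default.
$tokenBody = @{
    client_id     = $clientId
    client_secret = $clientSecret
    scope         = "https://graph.microsoft.com/.default"
    grant_type    = "client_credentials"
}
$token = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -Body $tokenBody
$headers = @{ Authorization = "Bearer $($token.access_token)" }
$graph   = "https://graph.microsoft.com/v1.0"

# 2. Resolve the granted site by hostname and path; this succeeds only if the app
#    actually holds a Sites.Selected grant on that site, so it doubles as a permission check.
$site = Invoke-RestMethod -Uri "$graph/sites/${hostName}:${sitePath}" -Headers $headers

# 3. Enumerate the site's document libraries (drives) and search each one.
#    OData string literals use single quotes; an embedded quote must be doubled.
$odataTerm = $searchTerm.Replace("'", "''")
$encoded   = [uri]::EscapeDataString($odataTerm)
$drives    = Invoke-RestMethod -Uri "$graph/sites/$($site.id)/drives" -Headers $headers

$hits = foreach ($drive in $drives.value) {
    $uri = "$graph/drives/$($drive.id)/root/search(q='$encoded')"
    do {
        $page = Invoke-RestMethod -Uri $uri -Headers $headers
        foreach ($item in $page.value) {
            [pscustomobject]@{
                Drive        = $drive.name
                Name         = $item.name
                WebUrl       = $item.webUrl
                LastModified = $item.lastModifiedDateTime
            }
        }
        # Follow server-side paging until the result set is exhausted.
        $uri = $page.'@odata.nextLink'
    } while ($uri)
}
$hits | Format-Table -AutoSize

# 4. For contrast: the tenant-wide search endpoint. With only Sites.Selected this is the
#    call that returns 401 in the question above; it is shown here so the failure can be
#    reproduced deliberately and distinguished from a bad token or a missing site grant.
$searchBody = @{
    requests = @(@{
        entityTypes = @("driveItem")
        query       = @{ queryString = "$searchTerm path:`"https://$hostName$sitePath`"" }
    })
} | ConvertTo-Json -Depth 5
try {
    Invoke-RestMethod -Method Post -Uri "$graph/search/query" -Headers $headers `
        -ContentType "application/json" -Body $searchBody | Out-Null
    Write-Host "/search/query succeeded (app holds a tenant-wide read permission)"
} catch {
    Write-Host "/search/query failed: $($_.Exception.Response.StatusCode.value__) (expected with Sites.Selected only)"
}
```

Reading the two outcomes side by side is the useful check: if step 2 fails, the Sites.Selected grant itself is missing or on the wrong site (Get-PnPAzureADAppSitePermission against the site lists what was actually granted); if step 2 and 3 succeed while step 4 returns 401, the app's effective scope is exactly the one site, which is the least-privilege state the question is trying to keep. The path: filter in step 4 narrows results but not permissions, so it is not a substitute for a site-scoped grant.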