idoron_varonis
Copper Contributor
Dec 16, 2024

Retrieving information about the SiteUserInfoList using REST API results in a 403 error

I tried to send the following GET request, authenticated as an administrator:

https://<tenant-domain>.sharepoint.com/<site_path>/_api/web/lists?$select=Author,BaseTemplate,BaseType,Created,DefaultViewUrl,Id,LastItemModifiedDate,Title,DefaultView/ServerRelativeUrl,HasUniqueRoleAssignments,RootFolder/ServerRelativeUrl,RoleAssignments/Member/Id,RoleAssignments/Member/LoginName,RoleAssignments/RoleDefinitionBindings&$expand=Author,DefaultView,RootFolder,RoleAssignments/Member,RoleAssignments/RoleDefinitionBindings

 

I got a 403 status code, with the error: "Due to organizational policies, you can't access this resource."

 

To investigate the source of the problem, I tested the following request, which returned a valid output:

https://<tenant-domain>.sharepoint.com/<site_path>/_api/web/lists

 

I then iterated over the lists in the response, and for each such list I sent a request to get its data. All the requests returned a valid response, except one: SiteUserInfoList. When I tried to get information about this list, I got the same error mentioned above.

 

I Googled it and discovered this is a hidden list, maintained by SharePoint to store and manage user information profiles for authenticated users at the site collection level.

 

I have a few questions:

  1. As an administrator, does it make sense that I am forbidden from retrieving information about the SiteUserInfoList?
  2. Was the SiteUserInfoList always part of the lists shown in the _api/web/lists response? Or was it added recently?
  3. Is there a workaround I can apply to make this request work?
    https://<tenant-domain>.sharepoint.com/<site_path>/_api/web/lists?$select=Author,BaseTemplate,BaseType,Created,DefaultViewUrl,Id,LastItemModifiedDate,Title,DefaultView/ServerRelativeUrl,HasUniqueRoleAssignments,RootFolder/ServerRelativeUrl,RoleAssignments/Member/Id,RoleAssignments/Member/LoginName,RoleAssignments/RoleDefinitionBindings&$expand=Author,DefaultView,RootFolder,RoleAssignments/Member,RoleAssignments/RoleDefinitionBindings
  • idoron_varonis
    Copper Contributor

    I want to add another detail.

    If I send the request using a registered application Bearer token, it fails with 403. (The application is granted all the permissions related to SharePoint.)

    However, if I log in from the browser, using the tenant administrator, I am able to send the request from the browser and get a valid response.

    How could it be?

    • michalkornet
      Iron Contributor

      Hi idoron_varonis, regarding your questions, I have an idea for point #3. Could you check if the request works when you add a filter statement? _api/web/lists?$filter=Title ne 'User Information List'
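The isolation steps from the original post (enumerate the lists, replay the expanded query per list, note which one returns 403) and the `$filter` form suggested in the reply, as an added example that is not part of the thread. The `http_get` transport, the site URL, the GUIDs and the sample responses are constructed assumptions, the response shape assumes `Accept: application/json;odata=nometadata`, and whether the filtered request actually avoids the 403 is not confirmed on this page.

```python
from urllib.parse import quote

# $select / $expand copied from the failing request in the original post.
SELECT = ("Author,BaseTemplate,BaseType,Created,DefaultViewUrl,Id,LastItemModifiedDate,"
          "Title,DefaultView/ServerRelativeUrl,HasUniqueRoleAssignments,"
          "RootFolder/ServerRelativeUrl,RoleAssignments/Member/Id,"
          "RoleAssignments/Member/LoginName,RoleAssignments/RoleDefinitionBindings")
EXPAND = ("Author,DefaultView,RootFolder,RoleAssignments/Member,"
          "RoleAssignments/RoleDefinitionBindings")

def list_url(site, list_id):
    """Same expanded query, scoped to a single list by its Id."""
    return f"{site}/_api/web/lists(guid'{list_id}')?$select={SELECT}&$expand={EXPAND}"

def filtered_url(site, excluded_titles):
    """Collection query with one `Title ne '...'` clause per excluded list title."""
    clauses = " and ".join("Title ne '%s'" % t.replace("'", "''") for t in excluded_titles)
    encoded = quote(clauses, safe="'")  # spaces become %20, OData quotes stay literal
    return f"{site}/_api/web/lists?$select={SELECT}&$expand={EXPAND}&$filter={encoded}"

def find_blocked_lists(site, http_get):
    """Enumerate lists, replay the expanded query per list, return titles that get 403.
    http_get(url) -> (status_code, parsed_json) is a hypothetical authenticated transport."""
    status, body = http_get(f"{site}/_api/web/lists?$select=Id,Title")
    if status != 200:
        raise RuntimeError(f"list enumeration failed: HTTP {status}")
    blocked = []
    for item in body["value"]:  # assumes odata=nometadata response shape
        status, _ = http_get(list_url(site, item["Id"]))
        if status == 403:
            blocked.append(item["Title"])
    return blocked

# Constructed sample data: two lists, the second refuses the expanded query.
SAMPLE = [{"Id": "11111111-1111-1111-1111-111111111111", "Title": "Documents"},
          {"Id": "22222222-2222-2222-2222-222222222222", "Title": "User Information List"}]

def fake_get(url):
    """Offline stand-in for the real transport (constructed responses)."""
    if "lists(guid'" not in url:
        return 200, {"value": SAMPLE}
    return (403, {}) if SAMPLE[1]["Id"] in url else (200, {})

if __name__ == "__main__":
    site = "https://contoso.example/sites/demo"  # placeholder site URL
    blocked = find_blocked_lists(site, fake_get)
    print("403 on:", blocked)
    print(filtered_url(site, blocked))
```

Running the same loop once with the application Bearer token and once with a delegated administrator session shows whether the refusal follows the list or the identity.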
