List permissions on a DriveItem

Important: APIs under the /beta version in Microsoft Graph are in preview and are subject to change. Use of these APIs in production applications is not supported.

List the effective permissions on a DriveItem.

The permissions relationship of DriveItem cannot be expanded as part of a call to get DriveItem or a collection of DriveItems. You must access the permissions property directly.

Access to permissions

The permissions collection includes potentially sensitive information and may not be available for every caller.

  • For the owner of the item, all permissions will be returned. This includes co-owners.
  • For a non-owner caller, only the permissions that apply to the caller are returned.
  • Permission properties that contain secrets (e.g. shareId and webUrl) are only returned for callers that are able to create the Permission.


One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.

| Permission type | Permissions (from least to most privileged) |
|---|---|
| Delegated (work or school account) | Files.Read, Files.ReadWrite, Files.Read.All, Files.ReadWrite.All, Sites.Read.All, Sites.ReadWrite.All |
| Delegated (personal Microsoft account) | Files.Read, Files.ReadWrite, Files.Read.All, Files.ReadWrite.All |
| Application | Files.Read.All, Files.ReadWrite.All, Sites.Read.All, Sites.ReadWrite.All |

HTTP request

GET /me/drive/items/{item-id}/permissions
GET /me/drive/root:/{path}:/permissions
GET /drives/{drive-id}/items/{item-id}/permissions
GET /groups/{group-id}/drive/items/{item-id}/permissions

Request headers

| Name | Type | Description |
|---|---|---|
| if-none-match | string | If this request header is included and the etag provided matches the current etag on the item, an HTTP 304 Not Modified response is returned. |

Optional query parameters

This method supports the $expand, $select, $skipToken, $top, and $orderby OData query parameters to customize the response.

Request body

Do not supply a request body for this method.


If successful, this method returns a 200 OK response code and a collection of Permission resources in the response body.

Effective permissions of an item can come from two sources:

  • Permissions applied directly on the item itself
  • Permissions inherited from the item's ancestors

Callers can tell whether a permission is inherited by checking the inheritedFrom property. This property is an itemReference resource referencing the ancestor that the permission is inherited from.
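For an access review, the inheritedFrom check and the visibility rules under "Access to permissions" can be applied to a response as follows. This is an added example, not code from Microsoft Graph or its SDKs; the function names classify and audit are hypothetical, and the sample response is constructed in the shape this page documents.

```python
import json

# Constructed sample in the shape of this page's response; all values are made up.
SAMPLE = json.loads("""
{"value": [
  {"id": "1", "roles": ["write"],
   "link": {"type": "edit", "webUrl": "https://example.invalid/constructed-link"}},
  {"id": "2", "roles": ["write"],
   "grantedTo": {"user": {"id": "U1", "displayName": "Constructed User"}},
   "inheritedFrom": {"driveId": "D1", "id": "D1!123", "path": "/drive/root:/Documents"}},
  {"id": "3", "roles": ["read"], "link": {"type": "view"}}
]}
""")


def classify(permission):
    """Reduce one Permission resource to the fields an access review needs."""
    link = permission.get("link")
    user = (permission.get("grantedTo") or {}).get("user")
    inherited = permission.get("inheritedFrom")
    return {
        "id": permission.get("id"),
        "kind": "link" if link is not None else "user" if user else "other",
        "roles": list(permission.get("roles", [])),
        # inheritedFrom references the ancestor; when absent the grant is on the item itself.
        "source": (inherited.get("path") or inherited.get("id")) if inherited else "direct",
        # webUrl and shareId are only returned to callers able to create the permission,
        # so a link without them is still a link; this caller just cannot see the secret.
        "secret_visible": bool(link and (link.get("webUrl") or permission.get("shareId"))),
    }


def audit(response):
    """Split effective permissions into direct and inherited, and list link grants."""
    rows = [classify(p) for p in response.get("value", [])]
    links = [r for r in rows if r["kind"] == "link"]
    return {
        "direct": [r["id"] for r in rows if r["source"] == "direct"],
        "inherited": {r["id"]: r["source"] for r in rows if r["source"] != "direct"},
        "writable_links": [r["id"] for r in links if "write" in r["roles"]],
        "links_with_hidden_secret": [r["id"] for r in links if not r["secret_visible"]],
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

Because a non-owner caller only receives the permissions that apply to it, run this kind of review with an owner's token if the result is meant to be the item's complete permission set.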



Here is an example of the request.


Here is an example of the response.

HTTP/1.1 200 OK
Content-Type: application/json

{
  "value": [
    {
      "id": "1",
      "roles": ["write"],
      "link": {
        "webUrl": "!70859&authkey=!AL7N1QAfSWcjNU8&ithint=folder%2cgif",
        "type": "edit"
      }
    },
    {
      "id": "2",
      "roles": ["write"],
      "grantedTo": {
        "user": {
          "id": "5D33DD65C6932946",
          "displayName": "John Doe"
        }
      },
      "inheritedFrom": {
        "driveId": "1234567890ABD",
        "id": "1234567890ABC!123",
        "path": "/drive/root:/Documents"
      }
    },
    {
      "id": "3",
      "roles": ["write"],
      "link": {
        "webUrl": "!70859&authkey=!AL7N1QAfSWcjNU8&ithint=folder%2cgif",
        "type": "edit",
        "application": {
          "id": "12345",
          "displayName": "TimeTravelPlus"
        }
      }
    }
  ]
}

See Get permission for more details about retrieving a single permission resource.