SharePoint Online - Detect Permission-Only Changes Incrementally

jaya krishna gonuguntla 20 Reputation points
2026-07-02T08:50:28.5933333+00:00

Hi,

We're using the Microsoft Graph DriveItem Delta API for incremental SharePoint extraction. It works well for content changes, but we're unable to identify permission-only changes.

Scenario:

  • No file/folder/page/site/list changes.
  • No metadata changes.
  • Only permissions are added, removed or modified.

Constraints:

  • No Microsoft 365 Audit Logs.
  • No Graph Webhooks/Change Notifications.
  • Need a scalable solution with minimal API calls.

Is there any Microsoft Graph or SharePoint API that can detect permission-only changes incrementally? If not, what is the Microsoft-recommended approach for efficiently synchronizing permission changes without performing a full permission scan every run?

Thanks,

Microsoft 365 and Office | SharePoint | Development

Answer accepted by question author

Michelle-N 18,855 Reputation points Microsoft External Staff Moderator
2026-07-02T09:44:44.1833333+00:00

Hi @jaya krishna gonuguntla

Based on your description, I understand that you are using the Microsoft Graph DriveItem Delta API for incremental SharePoint content synchronization. While it effectively catches content and metadata modifications, it is currently missing permission-only changes (where users/permissions are added, modified, or removed, but the underlying file or metadata remains unchanged). Given your constraints: no Audit Logs and no Webhooks/Change Notifications, you need a scalable solution that minimizes API surface calls.

By default, a standard Microsoft Graph delta query does not surface permission-only changes. However, Microsoft Graph natively supports tracking incremental permission modifications through specific Prefer headers.

When configured correctly, items that experience a standalone permission change will be surfaced in the delta feed containing a specific annotation flag: "@microsoft.graph.sharedChanged": "True".

To catch these changes incrementally, you must pass the deltashowsharingchanges preference flag. For a production-ready, robust extraction pipeline, Microsoft recommends combining it with other traversal headers.

GET https://graph.microsoft.com/v1.0/sites/{site-id}/drive/root/delta
Prefer: deltashowsharingchanges, deltashowremovedasdeleted, deltatraversepermissiongaps, hierarchicalsharing

Breakdown of the key Prefer headers:

deltashowsharingchanges: Instructs the delta engine to surface items that only had sharing/permission changes. Look out for "@microsoft.graph.sharedChanged": "True" on returned items.

deltatraversepermissiongaps: Ensures that if a user loses or gains access due to a permission change on a parent folder, the engine correctly traverses downstream items affected by that shift.

hierarchicalsharing: Strongly recommended for scalability. It helps the delta token optimize the scope of what is returned, filtering sharing information mostly at inheritance boundaries or true point-of-change origins, preventing your token from bloating with redundant item listings.

To achieve your goal without scanning the entire SharePoint site permissions array every run, you should adapt your architecture to the following sync loop. For scalable permission synchronization, the recommended pattern is:

  1. Run the initial driveItem/delta crawl and store the returned @odata.deltaLink.
  2. On each subsequent run, call the stored @odata.deltaLink with the required Prefer headers.
  3. Check returned items for @microsoft.graph.sharedChanged.
  4. Only for those changed items, call the permissions endpoint: GET /drives/{drive-id}/items/{item-id}/permissions
  5. The permissions endpoint returns the effective sharing permissions for a DriveItem, and permissions can be either directly applied on the item or inherited from ancestors; inherited permissions can be identified through the inheritedFrom property.
  6. To reduce unnecessary permission calls across inherited hierarchies, you can also use: Prefer: hierarchicalsharing

This makes delta return sharing information for the root of the permission hierarchy and for items that explicitly have sharing changes, instead of requiring follow-up permission calls for every item in the hierarchy.

Important note: if you need to process permissions correctly at scale, the Graph delta documentation states that the application needs Sites.FullControl.All permission. Also, the permissions relationship cannot be expanded directly as part of a DriveItem collection response; it must be accessed through the /permissions endpoint.

Please refer the following document:

List sharing permissions on a driveItem

driveItem: delta

I hope this information helps.


If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
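The sync loop described in the accepted answer, written out as an added example (this is editor-supplied code, not code from the answer's author or from Microsoft). It follows the delta feed across @odata.nextLink pages with the Prefer header from the answer, calls /permissions only for items annotated with @microsoft.graph.sharedChanged, splits the result into direct and inherited entries via inheritedFrom, and persists the @odata.deltaLink for the next run. The Graph responses, the drive id and the item ids are constructed so the script runs offline; to run it against a tenant, replace the FakeGraph callable with an HTTP GET that adds an Authorization bearer header and passes the same Prefer header through.

```python
# Added example: incremental permission sync over the driveItem delta feed.
# Sample Graph responses below are constructed; nothing here talks to the network.

GRAPH = "https://graph.microsoft.com/v1.0"
# Prefer values quoted in the answer; hierarchicalsharing keeps the feed to sharing roots.
PREFER = ("deltashowsharingchanges, deltashowremovedasdeleted, "
          "deltatraversepermissiongaps, hierarchicalsharing")


def walk_delta(fetch, url):
    """Follow @odata.nextLink pages until the page that carries @odata.deltaLink."""
    items = []
    while True:
        page = fetch(url, {"Prefer": PREFER})
        items.extend(page.get("value", []))
        if "@odata.nextLink" not in page:
            return items, page["@odata.deltaLink"]
        url = page["@odata.nextLink"]


def sharing_changed(item):
    """The annotation is documented as the string "True"; tolerate a bool as well."""
    return str(item.get("@microsoft.graph.sharedChanged", "")).lower() == "true"


def split_permissions(perms):
    """Direct permissions lack inheritedFrom; inherited ones carry it."""
    direct = [p for p in perms if "inheritedFrom" not in p]
    inherited = [p for p in perms if "inheritedFrom" in p]
    return direct, inherited


def sync_permissions(fetch, drive_id, state):
    """One run: delta -> keep sharedChanged items -> /permissions only for those.

    state["delta_link"] is the token persisted by the previous run (None at first)."""
    start = state.get("delta_link") or f"{GRAPH}/drives/{drive_id}/root/delta"
    items, delta_link = walk_delta(fetch, start)
    report = {}
    for item in items:
        if "deleted" in item or not sharing_changed(item):
            continue  # content-only change or tombstone: no permission call needed
        url = f"{GRAPH}/drives/{drive_id}/items/{item['id']}/permissions"
        direct, inherited = split_permissions(fetch(url, {})["value"])
        report[item["id"]] = {"direct": direct, "inherited": inherited}
    state["delta_link"] = delta_link  # commit the token only after the run succeeds
    return report


class FakeGraph:
    """Constructed stand-in for Graph: canned JSON keyed by URL, plus a call counter."""
    def __init__(self, responses):
        self.responses, self.calls = responses, 0

    def __call__(self, url, headers):
        self.calls += 1
        if "/delta" in url and "deltashowsharingchanges" not in headers.get("Prefer", ""):
            raise ValueError("delta called without the sharing-change Prefer header")
        return self.responses[url]


DRIVE = "b!example-drive-id"  # hypothetical drive id, not a real tenant
D = f"{GRAPH}/drives/{DRIVE}"
SAMPLE = {  # constructed: two delta pages, one permissions listing, one empty follow-up run
    f"{D}/root/delta": {"value": [
        {"id": "01A", "name": "budget.xlsx", "@microsoft.graph.sharedChanged": "True"},
        {"id": "01B", "name": "notes.docx"},  # content-only change: skipped
    ], "@odata.nextLink": f"{D}/root/delta?token=page2"},
    f"{D}/root/delta?token=page2": {"value": [
        {"id": "01C", "name": "old.pdf", "deleted": {"state": "deleted"}},  # tombstone
    ], "@odata.deltaLink": f"{D}/root/delta?token=final1"},
    f"{D}/items/01A/permissions": {"value": [
        {"id": "p1", "roles": ["read"], "grantedToV2": {"user": {"displayName": "Alice"}}},
        {"id": "p2", "roles": ["write"], "inheritedFrom": {"id": "root"}},
    ]},
    f"{D}/root/delta?token=final1": {"value": [],
                                    "@odata.deltaLink": f"{D}/root/delta?token=final2"},
}


def demo():
    """Two consecutive runs: (first report, its call count, second report, its call count, token)."""
    fake, state = FakeGraph(SAMPLE), {"delta_link": None}
    first = sync_permissions(fake, DRIVE, state)
    calls_first = fake.calls  # 2 delta pages + 1 permissions call = 3
    second = sync_permissions(fake, DRIVE, state)
    return first, calls_first, second, fake.calls - calls_first, state["delta_link"]
```

The call counter is the point of the example: the first run costs two delta pages plus one /permissions call for the single item whose sharing changed, and the second run, resuming from the stored deltaLink, costs one call and returns nothing, which is the "no full permission scan every run" behaviour the question asks for. Note that the delta token is only written back to state after the permissions calls succeed, so a failed run is retried from the previous token rather than silently dropping changes.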
