Microsoft Graph vs SharePoint (CSOM / SharePoint REST): What you can (and can’t) change — an exhaustive guide
When you automate SharePoint Online, you usually end up choosing between:
- Microsoft Graph (unified Microsoft 365 API)
- SharePoint-native APIs: CSOM (Microsoft.SharePoint.Client) and/or SharePoint REST (/_api/...)
They overlap heavily for “content CRUD”, but they are not equivalent in surface area, permission model details, and “SharePoint-specific” operations.
1) The simplest mental model
Microsoft Graph
Graph’s SharePoint API focuses on “core” SharePoint scenarios:
- Sites, Lists, Drives (document libraries)
- Read/write on lists, listItems, driveItems
- Some tenant-level SharePoint settings
- No direct “create site” in the SharePoint API (you typically create an M365 Group/Team to provision a site instead) (Microsoft Learn)
SharePoint CSOM / SharePoint REST
SharePoint REST is essentially the HTTP surface for the client object model, and Microsoft docs describe it as exposing SharePoint entities/operations available in other SharePoint client APIs. (Microsoft Learn)
CSOM is the .NET client library object model with ClientContext, Web, List, ListItem, etc. (Microsoft Learn)
2) “What can I alter?” — capability comparison by area
A) Sites (structure, creation, settings)
Graph (SharePoint API)
- Read site metadata, navigate site resources
- No direct site creation via the SharePoint API surface (Microsoft Learn)
- You can still “create a site indirectly” by creating a Microsoft 365 Group (which provisions a group-connected site), but that’s not the same as “SharePoint create site” controls and templates.
SharePoint CSOM/REST
- Much broader site manipulation: lists, fields, content types, navigation, features/settings (depending on what SharePoint Online allows)
- Many administrative/site-configuration operations are simply more complete in SharePoint-native APIs than Graph in real-world engineering projects.
Rule of thumb: if you are doing SharePoint provisioning/configuration beyond basic lists/files, SharePoint-native APIs are usually the more capable option.
B) Lists, columns, and list items (CRUD)
Graph
- Strong support for list CRUD and item CRUD (especially common “business app” operations)
- Great when you also need users/groups/teams/mail from the same API in the same solution.
SharePoint CSOM/REST
- Complete list schema and item manipulation patterns and a lot of “SharePoint-isms” (fields, content types, OData, CAML via CSOM, etc.)
- REST is explicitly positioned as a way to do CRUD and broader operations using OData semantics. (Microsoft Learn)
Practical difference: Graph is often easier for “app-style CRUD”, while CSOM/REST is often more powerful for “SharePoint-style customization”.
C) Files and document libraries
Graph
- Excellent for files via drive/driveItem semantics (OneDrive + SharePoint libraries share the model)
- Good sharing/permissions APIs for items (e.g., list permissions on a driveItem). (Microsoft Learn)
SharePoint REST
- Very powerful for “SharePoint library” scenarios (folders, files, metadata updates, check-in/out, etc.) and classic patterns.
- Microsoft provides REST guidance for files/folders, batching, etc. (Microsoft Learn)
D) Permissions and “least privilege”: Sites.Selected
This is where many people get confused because Graph and SharePoint both have a concept called Sites.Selected, but the mechanics differ.
Graph Sites.Selected
- You consent Sites.Selected in Entra ID (Microsoft Graph → Application permission).
- Then you must assign access to a site by creating a site permission grant (Graph “selected permissions” pattern). Selected permissions require explicit assignment or the app has no access. (Microsoft Learn)
SharePoint Sites.Selected (SharePoint resource permission)
- You consent Sites.Selected in Entra ID (SharePoint → Application permission).
- Then you typically grant site permission using PnP PowerShell cmdlets like Grant-PnPAzureADAppSitePermission, which explicitly states it is used together with SharePoint Sites.Selected. (pnp.github.io)
Big takeaway: Sites.Selected is not “access”. It is a framework for granting access per site. Until you grant the site permission, the app is effectively blocked. (Microsoft Learn)
E) Search
- SharePoint has a dedicated Search REST service with its own capabilities (KQL/FQL). (Microsoft Learn)
- Graph also has search endpoints, but SharePoint Search REST is still a distinct toolset for certain SharePoint search patterns.
3) Authentication differences (what changes in your app)
Graph tokens
- Resource: https://graph.microsoft.com/
- Typical app-only scope: https://graph.microsoft.com/.default
SharePoint CSOM/REST tokens (Entra app-only)
- Resource: your tenant host, like https://contoso.sharepoint.com/
- Typical app-only scope: https://contoso.sharepoint.com/.default
Why your SharePoint CSOM/REST app used a certificate
Microsoft’s SharePoint guidance for Entra ID app-only highlights using a certificate for app-only access to SharePoint CSOM/REST. (Microsoft Learn)
That lines up with what you observed: Graph may accept client secret flows broadly, but SharePoint-native app-only commonly uses certificate-based auth in practice.
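An added example (not from the original article or from Microsoft's documentation) tying together sections 2D and 3: it decodes an app-only access token's claims, without verifying the signature, and reports which API the token targets, which Sites.* application roles it carries, and whether a SharePoint token was obtained with a client secret. The resource app IDs, the `roles` and `appidacr`/`azpacr` claim handling, the helper names and the sample token are assumptions or constructed values, not taken from the page.

```python
import base64
import json
from urllib.parse import urlparse

# Assumption: well-known resource app IDs that can appear as `aud` (not from the page)
GRAPH_AUDIENCES = {"graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}
SPO_APP_ID = "00000003-0000-0ff1-ce00-000000000000"
BROAD_ROLES = {"Sites.Read.All", "Sites.ReadWrite.All",
               "Sites.Manage.All", "Sites.FullControl.All"}

def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_app_token(token):
    """Return (api, findings) for an Entra app-only access token."""
    claims = jwt_claims(token)
    aud = str(claims.get("aud", ""))
    host = (urlparse(aud).hostname or aud).lower()  # URL or bare GUID audience
    if host in GRAPH_AUDIENCES:
        api = "graph"
    elif host == SPO_APP_ID or host.endswith(".sharepoint.com"):
        api = "sharepoint"
    else:
        api = "other"
    roles = set(claims.get("roles", []))  # application permissions live in `roles`
    findings = []
    broad = sorted(roles & BROAD_ROLES)
    if broad:
        findings.append("tenant-wide site roles: " + ", ".join(broad))
    if "Sites.Selected" in roles:
        findings.append("Sites.Selected: access exists only where a site grant was made")
    # appidacr (v1 tokens) / azpacr (v2 tokens): "1" = client secret, "2" = certificate
    auth = claims.get("appidacr", claims.get("azpacr"))
    if api == "sharepoint" and auth == "1":
        findings.append("SharePoint token obtained with a client secret")
    return api, findings

def make_token(claims):
    """Build a constructed, unsigned sample token for offline demonstration."""
    parts = [{"alg": "none"}, claims]
    enc = [base64.urlsafe_b64encode(json.dumps(p).encode()).rstrip(b"=").decode()
           for p in parts]
    return ".".join(enc + ["constructed-signature"])

if __name__ == "__main__":
    sample = make_token({"aud": "https://contoso.sharepoint.com",
                         "roles": ["Sites.FullControl.All"], "appidacr": "1"})
    print(audit_app_token(sample))
```

A token carrying only Sites.Selected proves consent, not access: the per-site grant is stored on the site and never appears in the token.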
4) Decision matrix: which one should you choose?
Use Microsoft Graph when:
- You need SharePoint plus other M365 services (Users, Groups, Teams, Mail) in one integration.
- Your needs are mostly files, list CRUD, and standard sharing patterns.
- You want a unified identity/permissions model and consistent API patterns across services. (Microsoft Learn)
Use SharePoint CSOM/REST when:
- You need deeper SharePoint capabilities: advanced site/list schema work, SharePoint-specific behaviors, legacy patterns, or advanced configuration.
- You’re already using CSOM and the workload is “SharePoint-native automation”.
- You need maximum coverage of SharePoint operations (and you accept SharePoint’s API style). (Microsoft Learn)
5) A practical “what can I alter” table
| Area | Graph | SharePoint CSOM / REST |
|---|---|---|
| Create site (directly via SharePoint API) | Limited / not in SharePoint API (Microsoft Learn) | Typically broader (within SPO constraints) |
| Lists + items CRUD | Strong (Microsoft Learn) | Strong (Microsoft Learn) |
| Files (libraries) | Strong via Drive APIs (Microsoft Learn) | Strong via REST/CSOM patterns (Microsoft Learn) |
| SharePoint-specific customization | Partial | Usually broader |
| Sites.Selected least privilege | Yes (Graph model) (Microsoft Learn) | Yes (SharePoint model + PnP) (pnp.github.io) |
| Search | Some options, but different model | Dedicated Search REST (Microsoft Learn) |
6) Documentation links (official + essential)
Below are direct links to the documentation cited in this guide.
Microsoft Graph – SharePoint API overview:
https://learn.microsoft.com/en-us/graph/api/resources/sharepoint?view=graph-rest-1.0
Microsoft Graph – Permissions reference:
https://learn.microsoft.com/en-us/graph/permissions-reference
Microsoft Graph – Selected permissions overview (Selected scopes concept):
https://learn.microsoft.com/en-us/graph/permissions-selected-overview
SharePoint – Understanding Resource Specific Consent (RSC) for Graph and SharePoint:
https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins-modernize/understanding-rsc-for-msgraph-and-sharepoint-online
SharePoint – Granting access via Entra ID app-only (certificate-based app-only guidance):
https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread
PnP PowerShell – Grant-PnPAzureADAppSitePermission (SharePoint Sites.Selected site grant):
https://pnp.github.io/powershell/cmdlets/Grant-PnPAzureADAppSitePermission.html
SharePoint – Get to know the SharePoint REST service:
https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/get-to-know-the-sharepoint-rest-service
SharePoint – Complete basic operations using SharePoint REST endpoints:
https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/complete-basic-operations-using-sharepoint-rest-endpoints
SharePoint – Search REST API overview:
https://learn.microsoft.com/en-us/sharepoint/dev/general-development/sharepoint-search-rest-api-overview
CSOM – ClientContext (.NET API reference):
https://learn.microsoft.com/en-us/dotnet/api/microsoft.sharepoint.client.clientcontext?view=sharepoint-csom
Summary tables
Steps summary (how to decide)
| Step | Question | If “Yes” |
|---|---|---|
| 1 | Do you need Teams/Groups/Users/Mail in the same integration? | Prefer Graph (Microsoft Learn) |
| 2 | Do you need deep SharePoint customization beyond basic CRUD? | Prefer CSOM/REST (Microsoft Learn) |
| 3 | Do you need least-privilege per-site? | Use Sites.Selected (Graph or SharePoint) (Microsoft Learn) |
Technical summary
| Topic | Graph | SharePoint CSOM/REST |
|---|---|---|
| Token audience | graph.microsoft.com | contoso.sharepoint.com |
| Typical app-only auth | Secret or cert (common) | Certificate commonly required for Entra app-only to CSOM/REST (Microsoft Learn) |
| Strength | Unified M365 + modern patterns | Deep SharePoint surface + “SharePoint-native” behavior |
