We are facing some issues with access to API "https://graph.microsoft.com/v1.0/sites/root". In one of our tenants, it is working, however at another tenant with ADFS authentication, it is not working and return the following message to us:

{
    "error": {
        "code": "unauthenticated",
        "message": "The caller is not authenticated.",
        "innerError": {
            "request-id": "fb9267cb-1901-441e-b81c-18a831787bc2",
            "date": "2017-07-05T15:14:57"
        }
    }
}

From Get a site resource documentation, the sites permissions such as Sites.Read.All or Sites.ReadWrite.All would be required. From the modify permission popup, we could see that test user has that permission:

We could run other api call successfully such as "get my profile". Any idea what could be the reason for the "unauthenticated" error? What should we check here? Any insights are great appreciated. Thanks in advance.

Thanks to MS team, it turns out that the user doesn't have access to the root site of the tenant. So it looks like that it is an legit response. Without accessing to root site, the user won't be able to query any information for that root site.