How to authenticate a sharepoint REST api request without delegated user?

Sayak Chattopadhyay 11 Reputation points
2022-07-08T05:26:55.247+00:00

I am trying to use the SharePoint REST APIs. They require an access_token.

I already came across this Q&A: https://learn.microsoft.com/en-us/answers/questions/607425/how-do-i-get-access-token-for-sharepoint-online-re.html

But those steps require a sign-in by a user. But that won't be possible in my flow. So, I am not looking for delegated permission. So, I tried the steps shown here (access without a user): https://learn.microsoft.com/en-us/graph/auth-v2-service

But that doesn't return a refresh_token. So I am unable to complete the step, where I am supposed to exchange the refresh_token for a Sharepoint access_token.

The app I have created for this purpose in my AAD has been given the following permissions:
[image: screenshot of the app's API permissions (218774-image.png)]

But, none of the scopes mentioned there work for me when I try to make the POST https://login.microsoftonline.com/{tenant id}/oauth2/v2.0/token call.
The 400 Bad request message says:
"AADSTS500011: The resource principal named https://microsoft.sharepoint-df.com/Sites.Read.All was not found in the tenant named . This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.\r\nTrace ID: \r\nCorrelation ID: \r\nTimestamp: 2022-07-08 05:20:57Z"

The only scope that doesn't give such an error is the "https://graph.microsoft.com/.default". But using the access_token it returns, when I try to hit the GET https://{site_url}/_api/web/GetFolderByServerRelativeUrl('/Folder Name')/Files it says 401 unauthorized (Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown)

So, in conclusion, please guide me on how to use the SharePoint REST APIs without the requirement of a delegated user.


1 answer

  1. CarlZhao-MSFT 36,896 Reputation points
    2022-07-08T07:01:30.933+00:00

    Hi @Sayak Chattopadhyay

    First, make sure your global admin has consented to the SharePoint REST API permissions granted.
    [image: screenshot of admin consent for the API permissions (218799-image.png)]
    Also, the daemon-based client credential flow doesn't return a refresh token for you and doesn't support dynamic permissions.

    [image: 218800-image.png]


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    2 people found this answer helpful.
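As an added example (not code from the question or the answer above), the following shows how the app-only client credentials request for the SharePoint REST API is assembled with the tenant's SharePoint host as the `.default` scope, and how to check a token's `aud` claim before calling `_api/web`, which is the mismatch behind the AudienceUriValidationFailedException in the question. The tenant host `contoso.sharepoint.com`, the helper names and the sample tokens are assumptions constructed for the example.

```python
import base64
import json
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def build_token_request(tenant_id, client_id, sharepoint_host,
                        client_secret=None, client_assertion=None):
    """Return (url, form body) for the client credentials grant.

    The v2.0 client credentials grant accepts only a `.default` scope, so the
    resource is the tenant's SharePoint host: not a single permission such as
    Sites.Read.All (AADSTS500011) and not graph.microsoft.com, whose token
    SharePoint rejects with an audience error.
    """
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "scope": f"https://{sharepoint_host}/.default"}
    if client_assertion:
        # Certificate credential (JWT signed with the app's certificate); SharePoint
        # Online app-only access requires this rather than a client secret.
        form["client_assertion_type"] = ASSERTION_TYPE
        form["client_assertion"] = client_assertion
    else:
        form["client_secret"] = client_secret
    return TOKEN_ENDPOINT.format(tenant_id=tenant_id), urllib.parse.urlencode(form)


def jwt_claims(token):
    """Decode a JWT payload for inspection only; no signature verification."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_matches(token, sharepoint_host):
    """True when the token was issued for this SharePoint host (its `aud`)."""
    return jwt_claims(token).get("aud", "").rstrip("/") == f"https://{sharepoint_host}"


def make_sample_token(claims):
    """Unsigned JWT built from constructed claims, for offline demonstration."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


def list_folder_files(site_url, folder, token):
    """GET /_api/web/GetFolderByServerRelativeUrl('<folder>')/Files as JSON."""
    url = f"{site_url}/_api/web/GetFolderByServerRelativeUrl('{urllib.parse.quote(folder)}')/Files"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}",
                                               "Accept": "application/json;odata=verbose"})
    with urllib.request.urlopen(req) as resp:  # assumes network access and a real token
        return json.load(resp)
```

Run `audience_matches` on the token you received before calling `list_folder_files`; a Graph `.default` token fails that check locally instead of producing the 401 seen in the question.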