How to use sharepoint rest api with azure ad app creds?

Question

How to use sharepoint rest api with azure ad app creds?

Yichen Name 86

I have created an app on azure portal and tried to create access token with this :
https://login.microsoftonline.com/{tenant-id}/oauth2/token
But when I am hitting SharePoint rest api's I am getting below error:

{"error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."}

Accepted answer

1 additional answer

Your answer

Answer 1

Rob Windsor 2,001

The steps included in the post linked by @Tong Zhang_MSFT register the application with Azure ACS (via appregnew.aspx), not with Azure AD.

Granting access via Azure AD App-Only covers how to register an app with app-only permissions in Azure AD and how to use that app to interact with SharePoint using PnP PowerShell and the SharePoint PnP Sites Core library. Unfortunately, this resource doesn't cover how to use the app with the "plain" REST API. The basic steps to do this would be to use the Microsoft Authentication Library (MSAL) library to get an access token and then make REST API calls with that token included in the headers of the request.

One important thing to note, you cannot use Client ID and Client Secret for authentication when authenticating with the REST API or CSOM using an app registered in Azure AD. You have to use Client ID and a certificate. How to register the app to use Client ID and a certificate is shown in the article I linked.

Yichen Name 86 Reputation points

2022-09-14T10:15:10.097+00:00

Hi @Rob Windsor , Do you have any steps to create access token via postman ?

I found a document which talks about creating certificate, I created that and uploaded on azure certificate and checked the manifest it was showing the data in json. But I am not getting how I will create access token, what should be my headers in postman.
Rob Windsor 2,001 Reputation points

2022-09-14T10:53:19.83+00:00

I don't use Postman so I don't have any first-hand experience. I was able to find this blog post, Testing client certificate authentication to Azure API Management with Postman, maybe it will help.
FNU LNU 20 Reputation points

2023-09-27T15:39:20.3966667+00:00

One important thing to note, you cannot use Client ID and Client Secret for authentication when authenticating with the REST API or CSOM using an app registered in Azure AD.

Wow, that's a bummer. Unlucky that no documentation ever says that... On the contrary, https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/get-to-know-the-sharepoint-rest-service?tabs=http says that you can pass something called accessToken along with Rest call and get the data..

Does it mean that it's not the access token from /oauth2/token call? What's that then?
FNU LNU 20 Reputation points

2023-09-27T17:33:37.27+00:00

Apparently the code from https://learn.microsoft.com/en-us/answers/questions/1063462/generate-bearer-token-active-directory-certificate?page=1&orderby=Helpful&comment=answer-1064918#newest-answer-comment allowed to transform certificate into JWT token and get the data using Rest!
Sesha 0 Reputation points

2024-03-12T09:34:22.3666667+00:00

Hi @Yichen Name I'm currently encountering a similar scenario. Are you suggesting that the only method to access SharePoint REST APIs is by creating a certificate and utilizing it to generate the token? Can you provide some additional insight regarding the method that resolved the issue?

Answer 2

Tong Zhang_MSFT 9,251

Hi @Yichen Name ,

Do you want to generate access token? If yes, according to my research and testing, you can achieve it by following the steps in the following document:

https://global-sharepoint.com/sharepoint-online/in-4-steps-access-sharepoint-online-data-using-postman-tool/

My test result:

Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Yichen Name 86 Reputation points

2022-09-13T04:20:00.06+00:00

Hi @Tong Zhang_MSFT This is the app-only way but I wanted to create a access token with the credentials which I got from azure application.
Tong Zhang_MSFT 9,251 Reputation points

2022-09-13T09:49:52.387+00:00

Hi @Yichen Name ,

According to your description, my understanding is : you can create access token successfully, however, when you use the REST API, you get the error. If my understanding is incorrect, please contact me in time.

To help you better, can you share what APIs you are using? So that I can reproduce the problem.

Here are some similar issues for reference:
https://stackoverflow.com/questions/57297510/error-descriptionexception-of-type-microsoft-identitymodel-tokens-audienceu
https://social.msdn.microsoft.com/Forums/en-US/4a8dedae-560a-4bd6-a5e8-176c0aff76f0/microsoftidentitymodeltokensaudienceurivalidationfailedexception?forum=azurelogicapps

Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
Yichen Name 86 Reputation points

2022-09-16T11:19:29.893+00:00

Hi @Tong Zhang_MSFT
I am trying to use sharepoint rest api's :
https://{domain}/sites/{siteName}/_api/web/Lists
like https://test.sharepoint.com/sites/Test_Site/_api/web/Lists
mcx 0 Reputation points

2023-11-20T12:25:56.2733333+00:00

here's a decent guide on how you can do app-only authentication in SharePointOnline using the REST API: https://debajmecrm.com/how-to-connect-to-sharepoint-search-api-using-certificate-authentication/

Share via

How to use sharepoint rest api with azure ad app creds?

1 additional answer

Your answer