Copy Sharepoint files using ADF and Graph Api Site.Selected

Arundhati Sen 151 Reputation points
2023-02-16T13:51:18.8233333+00:00

I am trying to fetch files from a SharePoint location and load them into an Azure SQL Database using ADF. I am trying to use the Graph API Sites.Selected permission and Managed Identity to create the authentication.

I am trying to avoid the ACL approach where we have to generate a Bearer token to establish the connection. I am able to load data using this approach.

I am following this blog https://pivotalbi.com/copy-files-from-sharepoint-online-using-azure-data-factory-and-the-microsoft-graph-api/

The challenge I am facing is: while trying to give read access to SharePoint Online via the Graph API, I get an error.

PowerShell code executed:

Connect-AzureAD

# Object id of the Data Factory managed identity's service principal
$ObjectId = "a507ffa0-3a98-4d16-870a-a82e6a3abbe0"
$graphScope = "Sites.Selected"

$ManagedIdentity = Get-AzureADServicePrincipal -ObjectId $ObjectId

# Service principal of Microsoft Graph in the tenant; its AppRoles contain Sites.Selected
$GraphAPI = Get-AzureADServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'"
$GraphAPI
$SitesSelected = $GraphAPI.AppRoles | where Value -like $graphScope

# Assign the Sites.Selected application role to the managed identity
# (continuation lines must follow the backtick directly, with no blank line between)
New-AzureADServiceAppRoleAssignment `
    -Id $SitesSelected.Id `
    -ObjectId $ManagedIdentity.ObjectId `
    -PrincipalId $ManagedIdentity.ObjectId `
    -ResourceId $GraphAPI.ObjectId

Error:
Error occurred while executing NewServicePrincipalAppRoleAssignment
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed


I am not sure how to solve this. Please help. There is no option to provide any permission at the Managed Identity level either.

@RaytheonXie_MSFT

Microsoft 365 and Office | SharePoint | For business | Windows
Microsoft Security | Microsoft Graph

Answer accepted by question author
  1. CarlZhao-MSFT 46,406 Reputation points
    2023-02-17T09:57:17.63+00:00

    Hi @Arundhati Sen

    Are you using a user principal or service principal to connect to Azure AD?

    If you're using a user principal to connect to Azure AD, make sure your user is a tenant administrator.

    Connect-AzureAD
    

    If you're using an application service principal to connect to Azure AD, make sure your application has been granted AppRoleAssignment.ReadWrite.All and Application.Read.All application permissions.


    Connect-AzureAD -TenantId $tenantOrDomain -ApplicationId $appId -CertificateThumbprint $thumb
    

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.
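The same assignment written against the Microsoft.Graph PowerShell SDK (the AzureAD module used in the question has since been retired), with an up-front check for the permissions the accepted answer names so the script fails with a clear message instead of Authorization_RequestDenied, plus the site-scoped grant that Sites.Selected requires before the identity can read anything. This is an added example, not code from the question, the answer or the linked blog; the managed identity object id and the site id are placeholders.

```powershell
# Placeholders: replace with the Data Factory managed identity's object id and the target site id
$ManagedIdentityObjectId = "<managed-identity-object-id>"
$SiteId                  = "<contoso.sharepoint.com,siteCollectionGuid,webGuid>"
$GraphAppId              = "00000003-0000-0000-c000-000000000000"   # well-known appId of Microsoft Graph
$RoleValue               = "Sites.Selected"

# Step 1 needs the first two scopes (the application-permission equivalents are named in the answer);
# step 2 (granting the identity a role on one site) needs Sites.FullControl.All.
$RequiredScopes = "AppRoleAssignment.ReadWrite.All", "Application.Read.All", "Sites.FullControl.All"
Connect-MgGraph -Scopes $RequiredScopes -NoWelcome

# Fail early: if consent or a privileged directory role is missing, the scopes will not be in the token
$granted = (Get-MgContext).Scopes
foreach ($s in $RequiredScopes) {
    if ($granted -notcontains $s) {
        throw "Scope '$s' was not granted; a tenant administrator must consent or run this script."
    }
}

# Step 1: assign the Sites.Selected application role on Microsoft Graph to the managed identity
$mi    = Get-MgServicePrincipal -ServicePrincipalId $ManagedIdentityObjectId
$graph = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
$role  = $graph.AppRoles | Where-Object { $_.Value -eq $RoleValue -and $_.AllowedMemberTypes -contains "Application" }
if (-not $role) { throw "App role '$RoleValue' not found on the Microsoft Graph service principal." }

# Idempotent: re-running must not create a duplicate assignment
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id |
    Where-Object { $_.AppRoleId -eq $role.Id -and $_.ResourceId -eq $graph.Id }
if ($existing) {
    Write-Host "$RoleValue is already assigned to '$($mi.DisplayName)'."
} else {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id -PrincipalId $mi.Id `
        -ResourceId $graph.Id -AppRoleId $role.Id | Out-Null
    Write-Host "Assigned $RoleValue to '$($mi.DisplayName)'."
}

# Step 2: Sites.Selected grants access to no site by itself; give the identity read on the one site it needs
$body = @{
    roles               = @("read")
    grantedToIdentities = @(@{ application = @{ id = $mi.AppId; displayName = $mi.DisplayName } })
}
New-MgSitePermission -SiteId $SiteId -BodyParameter $body | Out-Null
Write-Host "Granted 'read' on site $SiteId to '$($mi.DisplayName)'."
```

Run it as the same administrator the answer refers to; a plain member account will stop at the scope check rather than at the role assignment.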


0 additional answers
