Azure app cannot access SharePoint v1 API - 401 unauthorized access error

Question

Hello! I'm running into a permissions issue when attempting to access SharePoint site data using the v1 api. I have an application registered in the Azure portal that has the SharePoint/Sites.Read.All permission granted to it. I'm using the OAuth2 flow to obtain an access token, and I've confirmed using the token decoding tool that those permission scopes are granted to the token that's returned. However, I always receive a 401 Unauthorized response from the API, and I cannot figure out where I'm going wrong with provisioning the access token.

The access token request I'm sending (I've tried client_id both with and without the @<tenant-id> included):

new Request({
    url: 'https://login.microsoftonline.com/<co-domain>/oauth2/token',
    method: 'POST',
    header: 'Content-Type: application/x-www-form-urlencoded',
    body: client_id=<client_id>@<tenant-id>
    &client_secret=<client-secret>
    &grant_type=client_credentials
    &resource=00000003-0000-0ff1-ce00-000000000000/<co-domain>.sharepoint.com@<tenant-id>
    &scope=https://<co-domain>.sharepoint.com/.default`,
})

The token returned has this value for permissions:

"roles": [
    "Sites.Read.All"
  ],

I then hit the API endpoint https://<co-domain>.sharepoint.com/sites/<site-name>/_api/web and receive this response:

{
    "error": {
        "code": "-2147024891, System.UnauthorizedAccessException",
        "message": {
            "lang": "en-US",
            "value": "Access denied. You do not have permission to perform this action or access this resource."
        }
    }
}

Can anyone help point me in the right direction as to what I'm doing wrong and how I can properly provision an access token for reading data from the v1 SharePoint API?

Also, a note: I cannot use Microsoft Graph because that api does not return the information I need (site page metadata and useful things like thumbnails and page descriptions). This data is available only in the v1 api.

Answer 1

Hi @Tempel, P ,

If you want a single SharePoint add-in have permission for all site collections, try to set AppPermissionRequests like this:

<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>

Set the permission in the url https://tenantname-admin.sharepoint.com/_layouts/15/appinv.aspx

Check the blog here for details:

fixed-your-tenant-administrator-has-to-approve-this-app-in-office-365

In the demo above, the AppPermissionRequests is set to:

<AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl" />

This will only set permission for specific site collection .
While AppPermissionRequest Scope="http://sharepoint/content/tenant" will set to the whole tenant which includes all site collections.

Answer 2

Hello,

I have the same problem getting 401 unauthorized when trying to connect SharePoint Online Site using Azure AD Authentication. I have an application registered in the Azure portal that has the SharePoint/Users.ReadWrite.All permission granted to it with "Application" type and Admin Consent granted to it. While decoding token using https://jwt.io/ tool, it is showing correct permission scope.

Tried with SharePoint Add-ins approach @Jerryzy , it is working fine.

Is there any way we can figure out why authentication not working with Azure AD valid token.

@office-sharepoint-online @Azure @AzureAdAuthentication

Thank you

Answer 3

Hi @Gardner, Max ,

I suggest you can test the request with Postman firstly.

In Azure Portal "App Registrations", set redirect URIs to:

https://www.getpostman.com/oauth2/callback

Also click “Grant admin consent for Tenant":

Then select OAuth 2.0 in PostMan, pass request like this:

Auth URL : https://login.microsoftonline.com/common/oauth2/authorize?resource=https://mytenantname.sharepoint.com
Access Token URL : https://login.microsoftonline.com/common/oauth2/token
Client ID : <Application_ID>
Client Secret : <KEY>
Grant Type : Authorization Code

Click Request Token and use this token in Headers, it should be able to request as expected:

Reference:

SharePoint Online REST API Authentication In POSTMAN

---

If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 4

Hi @Jerryzy-MSFT,

A colleague of Max here.

Thanks for the walkthrough. We know that the flow you used works, but it's not relevant to the authentication method used in the question. You are using the "authorization_code" flow in Postman to generate a token. This works but requires a user login. This is what we need to avoid.

We need to use the client_credentials flow. If you change the flow type in your Postman example you will still get a token, however, the request will fail with this error:

{"error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."}  

Answer 5

Hi @Tempel, P ,

If you are using client_credentials grant type, please register SharePoint Add-in for authentication rather than Azure App, for details, please refer the steps here:

In 4 steps access SharePoint online data using postman tool