Azure app cannot access SharePoint v1 API - 401 unauthorized access error

Gardner, Max 41 Reputation points

Hello! I'm running into a permissions issue when attempting to access SharePoint site data using the v1 api. I have an application registered in the Azure portal that has the SharePoint/Sites.Read.All permission granted to it. I'm using the OAuth2 flow to obtain an access token, and I've confirmed using the token decoding tool that those permission scopes are granted to the token that's returned. However, I always receive a 401 Unauthorized response from the API, and I cannot figure out where I'm going wrong with provisioning the access token.

The access token request I'm sending (I've tried client_id both with and without the @<tenant-id> included):

new Request({
    url: '<co-domain>/oauth2/token',
    method: 'POST',
    header: 'Content-Type: application/x-www-form-urlencoded',
    body: client_id=<client_id>@<tenant-id>

The token returned has this value for permissions:

"roles": [

I then hit the API endpoint https://<co-domain><site-name>/_api/web and receive this response:

    "error": {
        "code": "-2147024891, System.UnauthorizedAccessException",
        "message": {
            "lang": "en-US",
            "value": "Access denied. You do not have permission to perform this action or access this resource."

Can anyone help point me in the right direction as to what I'm doing wrong and how I can properly provision an access token for reading data from the v1 SharePoint API?

Also, a note: I cannot use Microsoft Graph because that api does not return the information I need (site page metadata and useful things like thumbnails and page descriptions). This data is available only in the v1 api.

A group of Microsoft Products and technologies used for sharing and managing content, knowledge, and applications.
9,211 questions
0 comments No comments
{count} votes

Accepted answer
  1. Jerryzy 10,556 Reputation points

    Hi @Tempel, P ,

    If you want a single SharePoint add-in have permission for all site collections, try to set AppPermissionRequests like this:

    <AppPermissionRequests AllowAppOnlyPolicy="true">
    <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />

    Set the permission in the url

    Check the blog here for details:


    In the demo above, the AppPermissionRequests is set to:

    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl" />

    This will only set permission for specific site collection .
    While AppPermissionRequest Scope="http://sharepoint/content/tenant" will set to the whole tenant which includes all site collections.

    1 person found this answer helpful.

7 additional answers

Sort by: Most helpful
  1. Nikita Motwani 11 Reputation points


    I have the same problem getting 401 unauthorized when trying to connect SharePoint Online Site using Azure AD Authentication. I have an application registered in the Azure portal that has the SharePoint/Users.ReadWrite.All permission granted to it with "Application" type and Admin Consent granted to it. While decoding token using tool, it is showing correct permission scope.
    Tried with SharePoint Add-ins approach @Jerryzy , it is working fine.

    Is there any way we can figure out why authentication not working with Azure AD valid token.

    @office-sharepoint-online @Azure @AzureAdAuthentication

    Thank you

    2 people found this answer helpful.
    0 comments No comments

  2. Jerryzy 10,556 Reputation points

    Hi @Gardner, Max ,

    I suggest you can test the request with Postman firstly.

    In Azure Portal "App Registrations", set redirect URIs to:


    Also click “Grant admin consent for Tenant":


    Then select OAuth 2.0 in PostMan, pass request like this:

    Auth URL :
    Access Token URL :
    Client ID : <Application_ID>
    Client Secret : <KEY>
    Grant Type : Authorization Code


    Click Request Token and use this token in Headers, it should be able to request as expected:



    SharePoint Online REST API Authentication In POSTMAN

    If an Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

  3. Tempel, P 1 Reputation point

    Hi @Jerryzy-MSFT,

    A colleague of Max here.

    Thanks for the walkthrough. We know that the flow you used works, but it's not relevant to the authentication method used in the question. You are using the "authorization_code" flow in Postman to generate a token. This works but requires a user login. This is what we need to avoid.

    We need to use the client_credentials flow. If you change the flow type in your Postman example you will still get a token, however, the request will fail with this error:

    {"error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."}  



    0 comments No comments

  4. Jerryzy 10,556 Reputation points

    Hi @Tempel, P ,

    If you are using client_credentials grant type, please register SharePoint Add-in for authentication rather than Azure App, for details, please refer the steps here:

    In 4 steps access SharePoint online data using postman tool