Azure app cannot access SharePoint v1 API - 401 unauthorized access error

Gardner, Max 41 Reputation points
2020-10-19T20:26:31.103+00:00

Hello! I'm running into a permissions issue when attempting to access SharePoint site data using the v1 api. I have an application registered in the Azure portal that has the SharePoint/Sites.Read.All permission granted to it. I'm using the OAuth2 flow to obtain an access token, and I've confirmed using the token decoding tool that those permission scopes are granted to the token that's returned. However, I always receive a 401 Unauthorized response from the API, and I cannot figure out where I'm going wrong with provisioning the access token.

The access token request I'm sending (I've tried client_id both with and without the @<tenant-id> included):

new Request({
    url: 'https://login.microsoftonline.com/<co-domain>/oauth2/token',
    method: 'POST',
    header: 'Content-Type: application/x-www-form-urlencoded',
    body: client_id=<client_id>@<tenant-id>
    &client_secret=<client-secret>
    &grant_type=client_credentials
    &resource=00000003-0000-0ff1-ce00-000000000000/<co-domain>.sharepoint.com@<tenant-id>
    &scope=https://<co-domain>.sharepoint.com/.default`,
})

The token returned has this value for permissions:

"roles": [
    "Sites.Read.All"
  ],

I then hit the API endpoint https://<co-domain>.sharepoint.com/sites/<site-name>/_api/web and receive this response:

{
    "error": {
        "code": "-2147024891, System.UnauthorizedAccessException",
        "message": {
            "lang": "en-US",
            "value": "Access denied. You do not have permission to perform this action or access this resource."
        }
    }
}

Can anyone help point me in the right direction as to what I'm doing wrong and how I can properly provision an access token for reading data from the v1 SharePoint API?

Also, a note: I cannot use Microsoft Graph because that api does not return the information I need (site page metadata and useful things like thumbnails and page descriptions). This data is available only in the v1 api.

SharePoint
SharePoint
A group of Microsoft Products and technologies used for sharing and managing content, knowledge, and applications.
9,211 questions
0 comments No comments
{count} votes

Accepted answer
  1. Jerryzy 10,556 Reputation points
    2020-10-20T09:23:04.64+00:00

    Hi @Tempel, P ,

    If you want a single SharePoint add-in have permission for all site collections, try to set AppPermissionRequests like this:

    <AppPermissionRequests AllowAppOnlyPolicy="true">
    <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
    </AppPermissionRequests>

    Set the permission in the url https://tenantname-admin.sharepoint.com/_layouts/15/appinv.aspx

    Check the blog here for details:

    fixed-your-tenant-administrator-has-to-approve-this-app-in-office-365

    In the demo above, the AppPermissionRequests is set to:

    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl" />

    This will only set permission for specific site collection .
    While AppPermissionRequest Scope="http://sharepoint/content/tenant" will set to the whole tenant which includes all site collections.

    1 person found this answer helpful.

7 additional answers

Sort by: Most helpful
  1. Nikita Motwani 11 Reputation points
    2021-05-31T09:46:19.957+00:00

    Hello,

    I have the same problem getting 401 unauthorized when trying to connect SharePoint Online Site using Azure AD Authentication. I have an application registered in the Azure portal that has the SharePoint/Users.ReadWrite.All permission granted to it with "Application" type and Admin Consent granted to it. While decoding token using https://jwt.io/ tool, it is showing correct permission scope.
    101045-sharepointapipermission.png
    Tried with SharePoint Add-ins approach @Jerryzy , it is working fine.

    Is there any way we can figure out why authentication not working with Azure AD valid token.

    @office-sharepoint-online @Azure @AzureAdAuthentication

    Thank you

    2 people found this answer helpful.
    0 comments No comments

  2. Jerryzy 10,556 Reputation points
    2020-10-20T06:48:20.457+00:00

    Hi @Gardner, Max ,

    I suggest you can test the request with Postman firstly.

    In Azure Portal "App Registrations", set redirect URIs to:

    https://www.getpostman.com/oauth2/callback

    33488-snipaste-2020-10-20-14-38-06.png

    Also click “Grant admin consent for Tenant":

    33489-snipaste-2020-10-20-14-53-21.png

    Then select OAuth 2.0 in PostMan, pass request like this:

    Auth URL : https://login.microsoftonline.com/common/oauth2/authorize?resource=https://mytenantname.sharepoint.com
    Access Token URL : https://login.microsoftonline.com/common/oauth2/token
    Client ID : <Application_ID>
    Client Secret : <KEY>
    Grant Type : Authorization Code

    33533-snipaste-2020-10-20-14-43-34.png

    Click Request Token and use this token in Headers, it should be able to request as expected:

    33410-snipaste-2020-10-20-14-45-53.png

    Reference:

    SharePoint Online REST API Authentication In POSTMAN


    If an Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

  3. Tempel, P 1 Reputation point
    2020-10-20T07:55:23.147+00:00

    Hi @Jerryzy-MSFT,

    A colleague of Max here.

    Thanks for the walkthrough. We know that the flow you used works, but it's not relevant to the authentication method used in the question. You are using the "authorization_code" flow in Postman to generate a token. This works but requires a user login. This is what we need to avoid.

    We need to use the client_credentials flow. If you change the flow type in your Postman example you will still get a token, however, the request will fail with this error:

    {"error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."}  
    

    33611-screenshot-2020-10-20-at-095020.png

    33602-screenshot-2020-10-20-at-095226.png

    0 comments No comments

  4. Jerryzy 10,556 Reputation points
    2020-10-20T08:17:23.383+00:00

    Hi @Tempel, P ,

    If you are using client_credentials grant type, please register SharePoint Add-in for authentication rather than Azure App, for details, please refer the steps here:

    In 4 steps access SharePoint online data using postman tool