Azure app cannot access SharePoint v1 API - 401 unauthorized access error

Gardner, Max 41 Reputation points
2020-10-19T20:26:31.103+00:00

Hello! I'm running into a permissions issue when attempting to access SharePoint site data using the v1 api. I have an application registered in the Azure portal that has the SharePoint/Sites.Read.All permission granted to it. I'm using the OAuth2 flow to obtain an access token, and I've confirmed using the token decoding tool that those permission scopes are granted to the token that's returned. However, I always receive a 401 Unauthorized response from the API, and I cannot figure out where I'm going wrong with provisioning the access token.

The access token request I'm sending (I've tried client_id both with and without the @<tenant-id> included):

new Request({
    url: 'https://login.microsoftonline.com/<co-domain>/oauth2/token',
    method: 'POST',
    header: 'Content-Type: application/x-www-form-urlencoded',
    body: `client_id=<client_id>@<tenant-id>
    &client_secret=<client-secret>
    &grant_type=client_credentials
    &resource=00000003-0000-0ff1-ce00-000000000000/<co-domain>.sharepoint.com@<tenant-id>
    &scope=https://<co-domain>.sharepoint.com/.default`,
})

The token returned has this value for permissions:

"roles": [
    "Sites.Read.All"
  ],

I then hit the API endpoint https://<co-domain>.sharepoint.com/sites/<site-name>/_api/web and receive this response:

{
    "error": {
        "code": "-2147024891, System.UnauthorizedAccessException",
        "message": {
            "lang": "en-US",
            "value": "Access denied. You do not have permission to perform this action or access this resource."
        }
    }
}

Can anyone help point me in the right direction as to what I'm doing wrong and how I can properly provision an access token for reading data from the v1 SharePoint API?

Also, a note: I cannot use Microsoft Graph because that api does not return the information I need (site page metadata and useful things like thumbnails and page descriptions). This data is available only in the v1 api.


Accepted answer
  1. Jerryzy 10,566 Reputation points
    2020-10-20T09:23:04.64+00:00

    Hi @Tempel, P,

    If you want a single SharePoint add-in to have permission for all site collections, try to set AppPermissionRequests like this:

    <AppPermissionRequests AllowAppOnlyPolicy="true">
    <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
    </AppPermissionRequests>

    Set the permission in the url https://tenantname-admin.sharepoint.com/_layouts/15/appinv.aspx

    Check the blog here for details:

    fixed-your-tenant-administrator-has-to-approve-this-app-in-office-365

    In the demo above, the AppPermissionRequests is set to:

    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl" />

    This will only set permission for a specific site collection.
    While AppPermissionRequest Scope="http://sharepoint/content/tenant" will set permission for the whole tenant, which includes all site collections.

    1 person found this answer helpful.

7 additional answers

  1. Hicham BOUCHAOUI 1 Reputation point
    2021-05-25T12:49:52.917+00:00

    Good morning all,
    I need your help.
    I tried to upload files to a SharePoint Online site via an application.

    Protocol Commands: >>POST https://xxxxxx.sharepoint.com/sites/Transfert_secure/Documents/_api/web/GetFolderByServerRelativeUrl('/sites/Transfert_secure/Documents/Targetfolder')/Files/Add(url='file.txt',overwrite=true) HTTP/1.1

    <<HTTP/1.1 401 Unauthorized

    I believe that the site should be granted permission through the AD application, but I don't know how I could do it?

    Thank you


  2. Hicham BOUCHAOUI 1 Reputation point
    2021-05-26T07:14:55.94+00:00

    Hello,
    Attached are the permissions of the Microsoft AD application

    99669-image.png

    Thank you


  3. Bechir 41 Reputation points
    2021-12-01T08:51:58.473+00:00

    Hi

    "Based on my experience"

    Tokens generated based on "Client Secret" are supported by the Graph API but NOT by the SPO REST API; only tokens based on certificates are supported.

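Added example (not part of any post above, and not Microsoft's code): a Node.js check that decodes an access token offline and reports the claims this thread turns on, namely the audience, the `roles` array, and how the app authenticated (secret or certificate, read from the `appidacr` claim in v1.0 tokens or `azpacr` in v2.0 tokens). The tenant name `contoso`, the helper names and the sample token are constructed; the signature is not verified, so this is a diagnostic aid only.

```javascript
// Added example: offline inspection of an Azure AD app-only access token.
// The signature is NOT verified; use this for diagnostics, never for authorization.

// appidacr (v1.0 tokens) / azpacr (v2.0 tokens): how the client authenticated.
const CLIENT_AUTH = { '0': 'public client', '1': 'client secret', '2': 'certificate' };

function decodeJwtPayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT (expected 3 segments)');
  // JWT segments are unpadded base64url; map to the standard alphabet first.
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

function summarizeToken(token, expectedHost, nowSeconds = Date.now() / 1000) {
  const claims = decodeJwtPayload(token);
  const aud = String(claims.aud ?? '');
  const acr = String(claims.appidacr ?? claims.azpacr ?? '');
  return {
    audience: aud,
    // Loose match: covers both "https://host" and "<app-id>/host@<tenant>" audiences.
    audienceMatchesHost: aud.toLowerCase().includes(expectedHost.toLowerCase()),
    roles: Array.isArray(claims.roles) ? claims.roles : [],
    clientAuth: CLIENT_AUTH[acr] ?? 'unknown',
    expired: typeof claims.exp === 'number' && claims.exp <= nowSeconds,
  };
}

// Constructed sample token (unsigned) so the example runs offline.
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return [enc({ alg: 'none', typ: 'JWT' }), enc(claims), 'constructed'].join('.');
}

const sample = makeSampleToken({
  aud: 'https://contoso.sharepoint.com',   // constructed tenant name
  roles: ['Sites.Read.All'],
  appidacr: '1',
  exp: 4102444800,                         // 2100-01-01, constructed
});
console.log(summarizeToken(sample, 'contoso.sharepoint.com'));
```

A summary showing the expected role and audience with `clientAuth: 'client secret'` corresponds to the situation in the question and to the secret-versus-certificate distinction raised in the last reply.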