Share via

Issue with Graph API /admin/sharepoint/settings Endpoint Using CSP Token (401 Unauthorized Error)

mariusz 5 Reputation points
2023-10-21T10:43:57.21+00:00

Hello Microsoft Support,

I am writing to report a critical issue we are facing while attempting to access the /admin/sharepoint/settings endpoint using a Cloud Solution Provider (CSP) token. Our application is encountering a 401 Unauthorized error with the message: "There has been an error authenticating the request."

Problem Description:

  • Endpoint: https://graph.microsoft.com/v1.0/admin/sharepoint/settings
  • Error Message: "There has been an error authenticating the request."
  • HTTP Status Code: 401 Unauthorized

Details:

  • CSP Relationship: Our organization is configured as a CSP partner, and the token is acquired with the necessary permissions.
  • Token: The CSP token is successfully obtained with the appropriate scopes required for accessing the /admin/sharepoint/settings endpoint.
  • Error Context: This issue occurs consistently for all attempts to access the specified endpoint.
  • Steps to Reproduce:
  1. Acquire CSP token using OAuth 2.0 authentication flow.
  2. Make a GET request to the /admin/sharepoint/settings endpoint.
  • Error Handling: We have implemented detailed error logging, and the response from the API only contains the mentioned 401 Unauthorized error message without additional details.

Additional Information:

  • We have double-checked our application permissions and ensured that the necessary Graph API permissions are granted.
  • We have verified the CSP configuration, including trust relationships between our organization and the customer tenant.
  • We have inspected the token claims, confirming that they include the correct audience and scope required for the endpoint.
  • Our network and firewall settings allow outgoing requests to the Graph API endpoint without any restrictions.
  • Rate limiting is not a factor as we are well within the allowed limits for API requests.

This issue is causing a significant disruption to our operations, and we urgently need assistance in resolving it. Any insights, guidance, or specific steps to investigate and resolve this problem would be greatly appreciated.

Thank you for your prompt attention to this matter.

Microsoft Security | Microsoft Graph

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. mariusz 5 Reputation points
    2023-10-23T22:00:39.4866667+00:00

    @CarlZhao-MSFT

    This is an integral component of the token's payload structure; nevertheless, it's important to note that the same token operates effectively with other endpoints, such as /users.

    {
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/85abb5c8-78f3-487b-9bd5-4759764779dh/",
  "iat": 1697884135,
  "nbf": 1697884135,
  "exp": 1697889284,
  "aai": "tenant: f3de7966-6395-4969-8cdc-c05d38eec471, object: 3610bd24-387c-45d5-845a-3264b32e50e7",
  "acr": "1",
  "aio": "AWQAm/8UAAAA3nwnhooBxyD+WZwSVw0fLwlNDWW6TOM++jmGvOzco7Jr1yfrWsfEVGrMG3+JKEnHMIv2X51j5b19izctlt6DkJmBygDBfu2+NlhfaqLSMNWzZu8HLmFLt+NJvQz9kqmT",
  "amr": [
    "pwd",
    "mfa"
  ],
  "app_displayname": "A-20235512071071",
  "appid": "05326290-bf2b-4eaa-9b13-f5fea8a077b1",
  "appidacr": "1",
  "email": "******@acsp1.onmicrosoft.com",
  "idp": "https://sts.windows.net/f3de7966-6395-4969-8cdc-c05d38eec471/",
  "idtyp": "user",
  "ipaddr": "2a00:f41:1c6c:da46:a98f:6c8f:a91c:4c42",
  "name": "A CSP1 Technician",
  "platf": "3",
  "rh": "0.AUYAyLWrhfN4e0ib1UdZdkd53wMAAAAAAAAAwAAAAAAAAACAAIU.",
  "scp": "Application.Read.All AuditLog.Read.All Directory.AccessAsUser.All Directory.ReadWrite.All email Exchange.Manage Group.ReadWrite.All GroupMember.ReadWrite.All IdentityRiskEvent.Read.All IdentityRiskyUser.Read.All Mail.Send openid Organization.Read.All Organization.ReadWrite.All Policy.Read.All Policy.ReadWrite.AuthenticationFlows Policy.ReadWrite.AuthenticationMethod Policy.ReadWrite.Authorization Policy.ReadWrite.ConditionalAccess profile Reports.Read.All ReportSettings.ReadWrite.All SecurityEvents.Read.All SharePointTenantSettings.Read.All SharePointTenantSettings.ReadWrite.All Sites.Read.All Sites.ReadWrite.All User.ReadWrite.All UserAuthenticationMethod.Read.All",
  "sub": "jEWHMm0Hyz_9kURiNELI8W-P3H5I3bfERdJno9WjWZI",
  "tenant_region_scope": "NA",
  "tid": "85abb5c8-78f3-487b-9bd5-4759764779dh",
  "unique_name": "A CSP1 Technician",
  "uti": "Nq07xV87m0igfb4rK3dXAA",
  "ver": "1.0",
  "wids": [
    "62e90394-69f5-4237-9190-012177145e10",
    "5d6b6bb7-de71-4623-b4af-96380a352509",
    "f2ef992c-3afb-46b9-b7cf-a126ee74c451",
    "4a5d8f65-41da-4de4-8968-e035b65339cf",
    "88d8e3e3-8f55-4a1e-953a-9b9898b8876b",
    "f28a1f50-f6e7-4571-818b-6a12f2af6b6c",
    "69091246-20e8-4a56-aa4d-066075b2a7a8",
    "29232cdf-9323-42fd-ade2-1d097af3e4de",
    "729827e3-9c14-49f7-bb1b-9608f156bbb8",
    "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
    "31392ffb-586c-42d1-9346-e59415a2cc4e",
    "fdd7a751-b60b-444a-984c-02652fe8fa1c",
    "744ec460-397e-42ad-a462-8b3f9747a02c",
    "44367163-eba1-44c3-98af-f5787879f96a",
    "32696413-001a-46ae-978c-ce0f6b3620d2",
    "45d8d3c5-c802-45c6-b32a-1d70b5e1e86e",
    "892c5842-a9a6-463a-8041-72aa08ca3cf6",
    "a9ea8996-122f-4c74-9520-8edcd192826c",
    "b5a8dcf3-09d5-43a9-a639-8e29ef291470",
    "baf37b3a-610e-45da-9e62-d9d1e5e8914b",
    "0f971eea-41eb-4569-a71e-57bb8a3eff1e",
    "74ef975b-6605-40af-a5d2-b9539d836353",
    "2b745bdf-0803-4d80-aa65-822c4493daac",
    "6e591065-9bad-43ed-90f3-e9424366d2f0",
    "0964bb5e-9bdb-4d7b-ac29-58e794862a40",
    "e8cef6f1-e4bd-4ea8-bc07-4b8d950f4477",
    "75941009-915a-4869-abe7-691bff18279e",
    "7698a772-787b-4ac8-901f-60d6b08affd2",
    "d37c8bed-0711-4417-ba38-b4abe66ce4c2",
    "11648597-926c-4cf3-9c36-bcebb0ba8dcc",
    "11451d60-acb2-45eb-a7d6-43d0f0125c13",
    "3d762c5a-1b6c-493f-843e-55a3b42923d4",
    "644ef478-e28f-4e28-b9dc-3fdde9aa0b1f",
    "e3973bdf-4987-49ae-837a-ba8e231c7286",
    "fcf91098-03e3-41a9-b5ba-6f0ec8188a12",
    "3a2c62db-5318-420d-8d74-23affee5d9d5",
    "31e939ad-9672-4796-9c2e-873181342d2d",
    "8835291a-918c-4fd7-a9ce-faa49f0cf7d9",
    "f70938a0-fc10-4177-9e90-2178f8765737",
    "eb1f4a8d-243a-41f0-9fbd-c7cdf6c5ef7c",
    "38a96431-2bdf-4b4c-8b6e-5d3d8abac1a4",
    "4d6ac14f-3453-41d0-bef9-a3e0c569773a",
    "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9",
    "c4e39bd9-1100-46d3-8c65-fb160da0071f",
    "9f06204d-73c1-4d4c-880a-6edb90606fd8",
    "cf1c38e5-3621-4004-a7cb-879624dced7c",
    "8ac3fc64-6eca-42ea-9e69-59f4c7b60eb2",
    "7be44c8a-adaf-4e2a-84d6-ab2649e08a13",
    "158c047a-c907-4556-b7ef-446551a6b5f7",
    "be2f45a1-457d-42af-a067-6ec1fa63bc45",
    "95e79109-95c0-4d8e-aee3-d01accf2d47b",
    "966707d0-3269-4727-9be2-8c3a10f19b9d",
    "fe930be7-5e62-47db-91af-98c3a49a38b1",
    "e8611ab8-c189-46e8-94e1-60213ab1f814",
    "8329153b-31d0-4727-b945-745eb3bc5f31",
    "f023fd81-a637-4b56-95fd-791ac0226033",
    "b0f54661-2d74-4c50-afa3-1ec803f12efe",
    "7495fdc4-34c4-4d15-a289-98788ce399fd",
    "790c1fb9-7f7d-4f88-86a1-ef1f95c05c1b",
    "5c4f9dcd-47dc-4cf7-8c9a-9e4207cbfc91",
    "d29b2b05-8046-44ba-8758-1e26182fcf32",
    "75934031-6c7e-415a-99d7-48dbd49e875e",
    "194ae4cb-b126-40b2-bd5b-6091b380977d",
    "ac16e43d-7b2d-40e0-ac05-243ff356ab5b",
    "3edaf663-341e-4475-9f94-5c398ef6c070",
    "17315797-102d-40b4-93e0-432062caca18",
    "9360feb5-f418-4baa-8175-e2a00bac4301",
    "5f2222b1-57c3-48ba-8ad5-d4759f1fde6f",
    "e6d1a23a-da11-4be4-9570-befc86d067a7",
    "aaf43236-0c0d-4d5f-883a-6955382ac081",
    "0526716b-113d-4c15-b2c8-68e3c22b9f80",
    "c430b396-e693-46cc-96f3-db01bf8bb62a",
    "9c6df0f2-1e7c-4dc3-b195-66dfbd24aa8f",
    "08372b87-7d02-482a-9e02-fb03ea5fe193"
  ],
  "xms_st": {
    "sub": "f_bXnwLjG-o9bn77RJ9onZs9HorguFQEjskd9L6jtsE"
  },
  "xms_tcdt": 1637381990
}

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.