How can I access SharePoint API methods via Microsoft Graph API with the OAuth 2.0 client credentials flow?

João Pinto 30 Reputation points
2024-01-05T11:55:16.29+00:00

Hello, everyone.

I'm trying to achieve the following use case:

I have a Web app and I want to be able to store files on the user's SharePoint if they want to. This is an organization wide setting on my app that can be enabled by an admin. The idea is that the admin of the organization that wants to enable this integration grants consent via the client credentials flow and from that moment on I can access their SharePoint via the Microsoft Graph API.

I followed the following tutorial https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-client-creds-grant-flow and I am getting the access token via the "Access token request with a shared secret" approach where I'm setting the scope to "https://graph.microsoft.com/.default" and the grant_type to "client_credentials".

However, when I use that token to interact with the SharePoint API methods I always get the following error:

{
    "error": {
        "code": "accessDenied",
        "message": "Access denied",
        "innerError": {
            "date": "2023-12-22T11:43:51"
        }
    }
}

Some more generic ones will work, like https://graph.microsoft.com/v1.0/users.

I'm trying to call the https://graph.microsoft.com/v1.0/sites/root/lists endpoint to test this, which on the https://developer.microsoft.com/en-us/graph/graph-explorer/ requires the following permissions:

[screenshot]

And I have them for my app:

[screenshot]

And they even show on the consent form for the admin:

[screenshot]

However, when inspecting the access token that I'm getting on https://jwt.ms/, the roles field only has the following:

"roles": [
    "SharePointTenantSettings.ReadWrite.All",
    "SharePointTenantSettings.Read.All"
]

What am I missing or doing wrong?


Accepted answer
    AsithwMSFT 1,445 Reputation points Microsoft External Staff
    2024-01-06T22:46:04.54+00:00

    It appears that you have chosen both the Microsoft Graph API scopes and SharePoint REST API scopes.

    However, the access tokens generated for Microsoft Graph resources are not valid for the SharePoint REST API.

    Currently, you have selected the Sites.Read.All permission for the SharePoint REST API (as shown in your image).

    You could instead select the Sites.Read.All permission from Microsoft Graph, generate a new access token, and then call the API (https://graph.microsoft.com/v1.0/sites/root/lists).

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    2 people found this answer helpful.
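The accepted answer's diagnosis can be confirmed from the token itself before any Graph call is made: an app-only token whose `roles` claim lists only `SharePointTenantSettings.*` (as in the question) will be rejected by `/v1.0/sites/root/lists`, because the `Sites.Read.All` grant was made on the SharePoint REST API resource rather than on Microsoft Graph. The following Python is an added example for this thread, not code from the question or the answer. It decodes the payload of a token the way jwt.ms does (without verifying the signature, since it is only a local inspection aid) and reports a wrong audience or missing app roles. The two Graph audience values are the documented ones; the endpoint-to-role map is an assumption limited to the endpoint discussed here, and the sample tokens are constructed and unsigned.

```python
"""Inspect a Microsoft Graph app-only token for the app roles an endpoint needs.

Added example, not code from the thread. Signature validation is skipped on
purpose: this mirrors what jwt.ms shows and is a local troubleshooting aid,
not a way to decide whether a token can be trusted.
"""
import base64
import json

# Documented audience values for Microsoft Graph access tokens.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}

# Assumption: application permissions (app roles on Microsoft Graph) that satisfy
# the endpoint from the thread. Sites.Read.All is the least-privileged choice.
REQUIRED_ROLES = {
    "/v1.0/sites/root/lists": {"Sites.Read.All"},
}


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_payload(token):
    """Return the claims of a compact JWS token without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(_b64url_decode(parts[1]))


def check_token_for_endpoint(token, endpoint):
    """Describe why Graph would reject this token for the endpoint; {} means it looks fine."""
    claims = decode_payload(token)
    problems = {}
    if claims.get("aud") not in GRAPH_AUDIENCES:
        # Token was minted for another resource (e.g. the SharePoint REST API),
        # so it is not valid for Graph at all.
        problems["aud"] = claims.get("aud")
    granted = set(claims.get("roles", []))
    missing = REQUIRED_ROLES[endpoint] - granted
    if missing:
        problems["missing_roles"] = sorted(missing)
    return problems


def make_unsigned_token(claims):
    """Build a constructed, unsigned token (alg=none) purely for local testing."""
    header = {"alg": "none", "typ": "JWT"}

    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    return f"{enc(header)}.{enc(claims)}."


# Constructed claims mirroring the question: Graph audience, but only the
# SharePoint tenant-settings roles, so Sites.Read.All is absent.
TOKEN_FROM_THREAD = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "roles": ["SharePointTenantSettings.ReadWrite.All", "SharePointTenantSettings.Read.All"],
})

# Constructed claims after granting Sites.Read.All on Microsoft Graph and
# requesting a fresh token, as the accepted answer suggests.
TOKEN_FIXED = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "roles": ["Sites.Read.All"],
})

if __name__ == "__main__":
    for name, tok in [("thread", TOKEN_FROM_THREAD), ("fixed", TOKEN_FIXED)]:
        print(name, check_token_for_endpoint(tok, "/v1.0/sites/root/lists") or "ok")
```

Running this against a real token copied from the client credentials response gives the same answer jwt.ms does, but as a check you can keep in a deployment script: if `missing_roles` is non-empty, the fix is in the app registration (grant the role on the Microsoft Graph resource and have the admin re-consent), not in the request that fetched the token.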
