Audience URL for using Sharepoint REST Request

Harsha Jha 61 Reputation points
2025-05-30T20:32:53.8266667+00:00


I want to stop using the native "Send an HTTP request to SharePoint" connector, which relies on my UPN and password. Instead, I want to use the HTTP connector with a service principal (client ID and secret) to reduce dependency on my user account.

I’ve attempted to replicate the same task—such as sending a request to SharePoint's REST API—using the HTTP connector. However, the HTTP request keeps failing with the following error:

BadRequest HTTP request failed as there is an error getting AD OAuth token: 'AADSTS500011: The resource principal named https://.sharepoint.com/_api/web/lists was not found in the tenant named {Tenant Name}. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.'

From my investigation, everything in the HTTP request appears correct—except the audience URL. I suspect the failure is due to using an incorrect resource or audience URL when acquiring the OAuth token.

My request: Can you help identify the correct audience URL to use for authenticating SharePoint REST API calls via the HTTP connector using a service principal? I want it to function similarly to how it works with Microsoft Graph API using https://graph.microsoft.com.

Microsoft 365 and Office | SharePoint | For business | Windows

1 answer

  1. Jacob Graham 0 Reputation points
    2025-05-31T02:16:10.17+00:00

    For SharePoint Online, the Audience (i.e. “resource/app URI”) must be the SharePoint‐sites endpoint itself – not the REST URL. In other words, if your tenant is contoso.onmicrosoft.com, set Audience to:

    https://contoso.sharepoint.com
    

    (or, when using the v2.0 endpoint, you can use https://contoso.sharepoint.com/.default as your scope).


    Why this works this way.

    • The HTTP connector’s Audience field is the AAD “resource” (also known as the AppID URI) you’re requesting a token for.

    • If you put the full REST path (e.g. https://contoso.sharepoint.com/_api/web/lists), AAD tries to find an app registration with that exact AppID URI – which doesn’t exist, hence the AADSTS500011 error.

    • By using https://<tenant>.sharepoint.com (or https://<tenant>.sharepoint.com/.default for v2), you tell Azure AD “give me an OAuth token that’s valid to call any SharePoint Online REST API under that site.”


    Example Configuration

    Authority

    https://login.microsoftonline.com/{YourTenantID-or-TenantDomain}
    

    Tenant

    contoso.onmicrosoft.com   (or your Tenant ID GUID)
    

    Audience

    https://contoso.sharepoint.com
    

    – or (for v2)

    https://contoso.sharepoint.com/.default
    

    Client ID – Your service principal’s Application (client) ID

    Credential type – Secret

    Secret – The client secret for your SPN

    With that setup, when the Logic App does its “AD OAuth” handshake, it will request a token from AAD for the resource https://contoso.sharepoint.com. Once you have that token, you can point your HTTP action at any SharePoint REST endpoint (e.g. https://contoso.sharepoint.com/_api/web/lists) and the call will succeed.
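
The audience rule from the answer above, as an added example (not part of the original post and not Microsoft's code): it reduces a SharePoint REST URL to the bare origin, flags an Audience value that still carries a REST path, and builds the client-credentials token request for the v1 (`resource`) and v2 (`scope`) endpoints. The function names, the contoso tenant, the all-zero client ID and the secret placeholder are constructed for illustration.

```python
from urllib.parse import urlsplit, urlencode

LOGIN_HOST = "https://login.microsoftonline.com"

def sharepoint_audience(url):
    """Reduce any SharePoint Online URL to the bare origin used as the audience."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    # Reject plain http and look-alike hosts such as evilsharepoint.com.
    if parts.scheme != "https" or not host.endswith(".sharepoint.com"):
        raise ValueError(f"not an https SharePoint Online URL: {url!r}")
    return f"https://{host}"

def audience_problem(audience):
    """Return why an Audience value would fail, or None if it is usable."""
    parts = urlsplit(audience.strip())
    # A bare origin is fine; "/.default" is the v2 scope form of the same origin.
    if parts.path not in ("", "/", "/.default") or parts.query or parts.fragment:
        return ("audience carries a REST path; the token service looks for an "
                "app with that exact AppID URI and returns AADSTS500011")
    return None

def token_request(tenant, client_id, client_secret, target_url, v2=False):
    """Build (token_endpoint, form_body) for the client-credentials grant."""
    aud = sharepoint_audience(target_url)
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }
    if v2:
        endpoint = f"{LOGIN_HOST}/{tenant}/oauth2/v2.0/token"
        form["scope"] = f"{aud}/.default"   # v2 endpoint takes a scope
    else:
        endpoint = f"{LOGIN_HOST}/{tenant}/oauth2/token"
        form["resource"] = aud              # v1 endpoint takes a resource
    return endpoint, urlencode(form)

if __name__ == "__main__":
    # Constructed sample values; nothing is sent over the network.
    rest_url = "https://contoso.sharepoint.com/_api/web/lists"
    print(audience_problem(rest_url))
    print(sharepoint_audience(rest_url))
    endpoint, body = token_request(
        "contoso.onmicrosoft.com",
        "00000000-0000-0000-0000-000000000000",
        "<client-secret-placeholder>",
        rest_url,
        v2=True,
    )
    print(endpoint)
    print(body.replace("%3Cclient-secret-placeholder%3E", "***"))
```

Getting the audience right clears AADSTS500011 at token issuance; Microsoft's SharePoint documentation additionally calls for a certificate credential rather than a client secret for app-only access, so confirm which credential type SharePoint accepts before relying on the secret.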

