Calling SharePoint REST API from a Teams Tab with single sign-on (SSO)

Nikolay Belykh 1 Reputation point

I have a Teams Tab application with single sign-on (SSO) that needs to do some manipulations with the team's site. I understand this can be done with graph API, and it works perfectly (there are examples available). However graph sharepoint api is very limited; for example, I would like to create a view of a list, and a page. Graph API does not provide this.

So I would like to do the things I need to do with REST API (or CSOM). For that, I need a proper access token to be able to call it. If I try to grant access to the SharePoint app registration (i.e. giving a SharePoint read permission, for example, in addition to the "Sites.Read.All" graph permission), it does not seem to work. I keep getting the error "Invalid issuer or signature" when trying to call into the SharePoint REST API. How can I overcome this?

There are examples that illustrate this flow for graph.
My problem is that this flow does not work for APIs other than graph (SharePoint REST API in particular)

What I do:

  1. Get teams client token using microsoftTeams.authentication.getAuthToken()
  2. Trade this token server-side using{tid}/oauth2/v2.0/token endpoint for access token (
  3. Call the API. Here I would like to be able to call the SharePoint REST API (the graph API call succeeds). However, if I try to, even if the token contains all possible "SharePoint" permissions, I keep getting the error "Invalid issuer or signature". To clarify:

This call works:
This call fails: https://{tenant}

Similar question:


2 answers

  1. Mamatha-MSFT 146 Reputation points

    Posting the answer for better knowledge.
    Copying from @Nikolay Belykh's comments:

    Got a working answer from Jeremy Kelley here:

    You need to put the scope of "https://{your-target-domain}/.default" (or "https://{your-target-domain}/AllSites.Read", etc) in the grant flow.
    Then you need to put the same scope in the on-behalf-of flow.

    It is just that when you register the app in Azure AD, the SharePoint scope is shown as ""; but you should NOT use this when requesting the token. Instead you should use the target domain for which you are requesting the token, in both calls (grant and then exchange). The URL in the Azure AD portal seems to be just an example URL, not the real scope URL one should use.


  2. Justin Jia 306 Reputation points

    I want to call a core web API secured by microsoft-identity-web.

    How do I set up the scope?
