question

AniruddhaAditya-3867 avatar image
0 Votes"
AniruddhaAditya-3867 asked Jerryzy answered

oAuthToken Generation issue

Hi,
I am reading the SharePoint Online Activity Event. I have been told to connect using AppID and ThumbPrint. All works to connect to SPO but not the same when I try to connect to Office 365 event log. I have given all the appropriate permission for the App in the AD App registration section. I suspect something is wrong with the code snippet and not able to fix it yet.


Check the SPO Event - Sharing and M365 EveryOne Update event

$body = @{grant_type="client_credentials";resource=$resource;client_id=$ClientID;client_secret=$ClientSecret}
$oauth = Invoke-RestMethod -Method Post -Uri "$loginURL/$TenantGUID/oauth2/token?api-version=1.0" -Body $body
$headerParams = @{'Authorization'="$($oauth.token_type) $($oauth.access_token)"}
$oCheckSubscriptions = Invoke-RestMethod -Headers $headerParams -Uri "$resource/api/v1.0/$TenantGUID/activity/feed/subscriptions/list"

The above code works using AppID and AppSecret. However when i change to using self signed certificate from Keyvault. I don't get the oAuth Token.

Check the SPO Event - Sharing and M365 EveryOne Update event

$body = @{grant_type="client_credentials";resource=$resource;client_id=$ClientID}
$oauth = Invoke-RestMethod -Method Post -Uri "$loginURL/$TenantGUID/oauth2/token?api-version=1.0" -Body $body -CertificateThumbprint <mythumbprint>
$headerParams = @{'Authorization'="$($oauth.token_type) $($oauth.access_token)"}
$oCheckSubscriptions = Invoke-RestMethod -Headers $headerParams -Uri "$resource/api/v1.0/$TenantGUID/activity/feed/subscriptions/list"
Write-Host $oauth.access_token


Please note I am using Azure Function and able to access SPO using the same.

Current Error:

2021-04-11T14:40:20.917 [Error] ERROR: Response status code does not indicate success: 401 (Unauthorized).Exception :Type : Microsoft.PowerShell.Commands.HttpResponseExceptionResponse : StatusCode: 401, ReasonPhrase: 'Unauthorized', Version: 1.1, Content: System.Net.Http.HttpConnectionResponseContent, Headers:{Cache-Control: no-store, no-cachePragma: no-cacheStrict-Transport-Security: max-age=31536000; includeSubDomainsX-Content-Type-Options: nosniffP3P: CP="DSP CUR OTPi IND OTRi ONL FIN"x-ms-request-id: c46f58a3-5dda-48b8-80b1-eb3639b84500x-ms-ests-server: 2.1.11562.11 - NCUS ProdSlicesSet-Cookie: fpc=AtdELK5lfcNKpnx4almjgu8; expires=Tue, 11-May-2021 14:40:19 GMT; path=/; secure; HttpOnly; SameSite=NoneSet-Cookie: x-ms-gateway-slice=estsfd; path=/; secure;



office-sharepoint-online
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

Jerryzy avatar image
0 Votes"
Jerryzy answered

Hi @AniruddhaAditya-3867 ,

If want to use Certificate for getting the oauth token, it's necessary to append "client_assertion_type" and "client_assertion" to replace client_secret:

87372-snipaste-2021-04-13-17-35-55.png

Microsoft identity platform and the OAuth 2.0 client credentials flow

The "client_assertion" is difficult to generate based on the documentation here:

Microsoft identity platform application authentication certificate credentials

So if possible, I suggest you could still use Client_Secret as the authentication option instead of the Certificate.


Thanks
Best Regards



If the response is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.




5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.