Unable to upload files to sharepoint using App only authentication.

Question

Unable to upload files to sharepoint using App only authentication.

stramzik 156

I am trying to upload files to Sharepoint via a Python code. I can use my personal AD credentials to authenticate using the below code and it works fine to upload files to Sharepoint.

from office365.runtime.auth.authentication_context import AuthenticationContext
    from office365.sharepoint.client_context import ClientContext
    import os 
    from office365.runtime.auth.user_credential import UserCredential
    from office365.runtime.auth.client_credential import ClientCredential

    baseurl = 'https://company.sharepoint.com/'
    basesite = '/sites/testsitename' # every share point has a home.
    siteurl = baseurl + basesite 

    localpath = r"C:\Users\Desktop\testfolder\pandas_table.xlsx"
    remotepath = "Shared Documents/testfolder/file.xlsx" # existing folder path under sharepoint site.

    ctx_auth = AuthenticationContext(siteurl)
    ctx_auth.acquire_token_for_user("username", "password")
    ctx = ClientContext(siteurl, ctx_auth)

    with open(localpath, 'rb') as content_file:
        file_content = content_file.read()

    dir, name = os.path.split(remotepath)
    file = ctx.web.get_folder_by_server_relative_url(dir).upload_file(name, file_content).execute_query()

I had an app registered from our Cloud team and added necessary permission on the Service principle to write files using the Service principles Client ID and Client secret. I modified the above code using the Client Credentials based on the Office365 Python documentation and The web object returns empty json. Can somebody please tell me what I am doing wrong?

from office365.runtime.auth.authentication_context import AuthenticationContext
from office365.sharepoint.client_context import ClientContext
import os 
from office365.runtime.auth.user_credential import UserCredential
from office365.runtime.auth.client_credential import ClientCredential

baseurl = 'https://company.sharepoint.com/'
basesite = '/sites/testsitename' # every share point has a home.
siteurl = baseurl + basesite 

localpath = r"C:\Users\Desktop\testfolder\pandas_table.xlsx"
remotepath = "Shared Documents/testfolder/file.xlsx" # existing folder path under sharepoint site.

client_credentials = ClientCredential("{cliend-id}","{cliend-secret}")
ctx = ClientContext(siteurl).with_credentials(client_credentials)

with open(localpath, 'rb') as content_file:
    file_content = content_file.read()

dir, name = os.path.split(remotepath)
file = ctx.web.get_folder_by_server_relative_url(dir).upload_file(name, file_content).execute_query()

RaytheonXie_MSFT 16,981 Reputation points Microsoft Vendor

2022-02-02T01:27:02.593+00:00

Hi @stramzik ,
Could you share about the error message and the steps you register App only authentication?
stramzik 156 Reputation points

2022-02-02T04:59:21.657+00:00

@RaytheonXie_MSFT
O/p of the ctx.web.execute_query().properties returns an empty JSON string. However while using my actual AD credentials the o/p is a valid json with information about the sharepoint site.
Please note I'm using the ClientCredential() function for the Client ID and Client secret. If I use the Client ID and Client secret in the AuthenticationContext() function as shown in the first block replacing username password. I get "Cannot get binary security token for from https://login.microsoftonline.com/extSTS.srf" error.

I am not really certain what steps were followed by my IT team. They said the required permission has been added to the service principle.
If my code is correct then its most likely the permissions are incorrect should I ask them to folllow the steps in this : https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs#setting-up-an-app-only-principal-with-tenant-permissions documen?

RaytheonXie_MSFT 16,981 Reputation points Microsoft Vendor

2022-02-02T01:27:02.593+00:00

Hi @stramzik ,
Could you share about the error message and the steps you register App only authentication?
stramzik 156 Reputation points

2022-02-02T04:59:21.657+00:00

@RaytheonXie_MSFT
O/p of the ctx.web.execute_query().properties returns an empty JSON string. However while using my actual AD credentials the o/p is a valid json with information about the sharepoint site.
Please note I'm using the ClientCredential() function for the Client ID and Client secret. If I use the Client ID and Client secret in the AuthenticationContext() function as shown in the first block replacing username password. I get "Cannot get binary security token for from https://login.microsoftonline.com/extSTS.srf" error.

I am not really certain what steps were followed by my IT team. They said the required permission has been added to the service principle.
If my code is correct then its most likely the permissions are incorrect should I ask them to folllow the steps in this : https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs#setting-up-an-app-only-principal-with-tenant-permissions documen?

Answer 1

RaytheonXie_MSFT 16,981 Microsoft Vendor

Hi @stramzik ,
I will recommend you to grant access using SharePoint App-Only by the document you have provided. Before you grant Access you could run this cmdlet first Set-SPOTenant -DisableCustomAppAuthentication $false.For new SharePoint subscription Grant App Permission is disabled by default or the browser link https://xxxx-admin.sharepoint.com/_layouts/15/appinv.aspx is disabled. To enable this feature, we need to connect to SharePoint using Windows PowerShell and then run the cmdlet.

 Install-Module -Name Microsoft.Online.SharePoint.PowerShell  
 $adminUPN="<the full email address of a SharePoint administrator account, example: jdoe@contosotoycompany.onmicrosoft.com>"  
 $orgName="<name of your Office 365 organization, example: contosotoycompany>"  
 $userCredential = Get-Credential -UserName $adminUPN -Message "Type the password."  
 Connect-SPOService -Url https://$orgName-admin.sharepoint.com -Credential $userCredential  
 set-spotenant -DisableCustomAppAuthentication $false

Afterward, you can follow the document steps to grant access.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

RaytheonXie_MSFT 16,981 Reputation points Microsoft Vendor

2022-02-03T08:27:30.067+00:00

Hi @stramzik ,
I am checking to see if the problem has been resolved.
stramzik 156 Reputation points

2022-02-03T08:37:13.557+00:00

@RaytheonXie_MSFT Apologies on the delay. I dont have admin access and the admin is on leave. Once he's back we'll follow the steps you have mentioned and keep you posted on the same. Thank you for your response.
RaytheonXie_MSFT 16,981 Reputation points Microsoft Vendor

2022-02-07T01:09:45.993+00:00

Hi @stramzik ,
You could try the solution I provided. If there's anything you'd like to know, don't hesitate to ask.
stramzik 156 Reputation points

2022-02-10T03:55:01.277+00:00

hi @RaytheonXie_MSFT
I did check with the Architect for more information and here's what I know.
I already had a Service Principle which I've been using for Data Bricks/Datalake and Data factory authentication. When i requested for access role "Site.Selected" was added to Sharepoint API Permissions.

With that said the Python code snippet mentioned in the query might be at fault, because we have other teams using a PowerShell script with the same permission able to write to sharepoint. Unfortunately I can use a PowerShell script. Could you please share a Python code sample which helps us to connect to sharepoint and upload files?
RaytheonXie_MSFT 16,981 Reputation points Microsoft Vendor

2022-02-11T09:41:44.333+00:00

Hi @stramzik ,
Since the issue is about Python. Our support scope is sharepoint. I feel regretful to inform you that we are unable to provide support in Python. You might can get some more professional answer in forum for Python
stramzik 156 Reputation points

2022-02-11T09:45:33.84+00:00

@RaytheonXie_MSFT apart from the code if the role "Site.Selected" was added to an already existing service principle would that suffice?
RaytheonXie_MSFT 16,981 Reputation points Microsoft Vendor

2022-02-14T07:24:59.243+00:00

Hi @stramzik ,
Per my test, In c# code with Sites.Selected permissions, when uploading large files (>4mb) using method ChunkedUploadProvider or LargeFileUploadTask, we would get the accessDenied error. So if you want to upload large file. higher permission is necessary.
stramzik 156 Reputation points

2022-02-14T07:33:31.267+00:00

Hi @RaytheonXie_MSFT Thank you for looking into this. Can you you advise what permission needs to be added for this to work on an already existing Service Principle?
RaytheonXie_MSFT 16,981 Reputation points Microsoft Vendor

2022-02-14T07:38:05.92+00:00

Hi @stramzik ,
In my case, Files.ReadWrite.All is enough to upload files to sharepoint.
stramzik 156 Reputation points

2022-02-14T07:40:47.163+00:00

@RaytheonXie_MSFT Thank you for all your help.

Unable to upload files to sharepoint using App only authentication.

0 additional answers

Activity