I have been trying to access a Sharepoint site (from a Teams Group) from ADF or via Rest Services with no luck:
Here is what we've done:
- We have followed instructions to register the app in the appregnew.aspx menu.
- Also we have granted read access in te appreginv.aspx menu with the following config
<AppPermissionRequests AllowAppOnlyPolicy="true"><AppPermissionRequest
Scope="http://sharepoint/content/sitecollection/web"
Right="Read"/></AppPermissionRequests>
- And we can see the app correctly registered in the appprincipals.aspx of the site.
And here what we got
- We can get a token by calling https://accounts.accesscontrol.windows.net/XXXXX/tokens/OAuth/2
- We can call correctly to Connect-PnPOnline
- We only get 403 errors when trying to call the _api/web endpoints
- We also get 403 errors when trying to use Get-Pnpxxx commands from PowerShell
- We get a coud not get OData-metadata error when trying to create a Linked Service in Azure Data Factory with this credentials.
We've done this in two different sharepoint online domains. It turns it works just fine in the one used as a Proof-of-Concept where I am the admin/owner/creator of the Teams Group that holds de Sharepoint (I'm not an admin for the ShP domain). For the other one I still not have confirmation that the person that registered the app and set the permissions is the owner/creator of the Teams Group but he does have permission to grant access to users.
¿What could be the reasons of this forbidden access response? I can only think of two reasons for it but I don't know how to check them:
- AppOnly access disabled in the Sharepoint Online domain (¿How can we check?)
- Granting user not being the site Owner/Creator (I'm currently trying to check) since I've read some responses in this direction but I cannot find an explanation.
Sharepoint Online admins might not be easily available since the sharepoint domain is owned by a big holding and we are working for a newly created growing subsidiary ,so we tried this approach that seemed to need only Sharepoint site admins to register the permission.
Edit
It is Working now. A Teams Channel is a sharepoint site by itself and grants given at the sharepoint site of the Teams Group holding the channel do not pass through.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(140.8, 71%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 38%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETZ%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 44%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)