Cannot set up OAuthentication - sharepoint

We are trying to connect an internal application to SharePoint 365. The goal is to read data from SharePoint 365 lists and Excel documents. We want to take advantage of the fact that we already use OAuthentication, and basically our users log in with their own Windows credentials. Now, to accomplish that we first need to register an application with SharePoint, which we did using this link:
https://mycompany.sharepoint.com/sites/MySite/_layouts/15/appregnew.aspx
After that we also need to get an authorization code for clients to log in with their Windows account. We do that with this URL:
https://mycompany.sharepoint.com/sites/MySite/_layouts/15/OAuthAuthorize.aspx?client_id=14f0e39c-1234-42ea-bed5-ee5c7c834655&scope=List.Read&response_type=code&redirect_uri=https%3A%2F%2Fmysite.mycompany.com%3A9090%2Foauth%2F2.0%2FredirectURL.jsp
When we run that last link we get the error below:
Sorry, something went wrong
There is no claims identity. Please make sure the web application is configured to use Claims Authentication.
TECHNICAL DETAILS
Troubleshoot issues with Microsoft SharePoint Foundation.
Correlation ID: 367ee69f-5066-0000-e1ef-cee55f7b7000
As you can see, the error is not very helpful. I have already done lots of research, and answers vary from a lack of a higher level of access to an invalid URL request. I have elevated access and the URL is well constructed. Yet the error persists.
So, my question: what is the meaning of the error? Why is it not executing?

We logged a Microsoft Premier Support ticket and, behold, the problem has been fixed.
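As an added example (not code from the original post or from Microsoft), this PowerShell builds the OAuthAuthorize request from the question with a per-session state value and checks the callback before trusting the returned code; the site URL, client_id, scope and redirect_uri are the ones in the question, and the callback query string is constructed here.

```powershell
function New-OAuthState {
    # 32 random bytes, base64url-encoded: unguessable and safe inside a query string
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function New-SharePointAuthorizeUrl {
    param(
        [Parameter(Mandatory)][string]$SiteUrl,
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$Scope,
        [Parameter(Mandatory)][string]$RedirectUri,   # must match the registered redirect URL exactly
        [Parameter(Mandatory)][string]$State
    )
    # EscapeDataString yields the %3A%2F%2F form seen in the question's URL
    $query = @(
        "client_id=$([Uri]::EscapeDataString($ClientId))"
        "scope=$([Uri]::EscapeDataString($Scope))"
        "response_type=code"
        "redirect_uri=$([Uri]::EscapeDataString($RedirectUri))"
        "state=$([Uri]::EscapeDataString($State))"
    ) -join '&'
    return "$($SiteUrl.TrimEnd('/'))/_layouts/15/OAuthAuthorize.aspx?$query"
}

function Get-OAuthCodeFromCallback {
    # Returns the authorization code only when the callback carries the state we issued
    param(
        [Parameter(Mandatory)][string]$CallbackQuery,   # text after '?' as received by redirectURL.jsp
        [Parameter(Mandatory)][string]$ExpectedState
    )
    $params = @{}
    foreach ($pair in ($CallbackQuery.TrimStart('?') -split '&')) {
        $kv = $pair -split '=', 2
        if ($kv.Count -eq 2) { $params[$kv[0]] = [Uri]::UnescapeDataString($kv[1]) }
    }
    if ($params['error']) { throw "authorization server returned error '$($params['error'])'" }
    if ($params['state'] -ne $ExpectedState) { throw 'state mismatch: callback was not issued for this session' }
    if (-not $params['code']) { throw 'callback carries no authorization code' }
    return $params['code']
}

$state = New-OAuthState
$url = New-SharePointAuthorizeUrl -SiteUrl 'https://mycompany.sharepoint.com/sites/MySite' `
    -ClientId '14f0e39c-1234-42ea-bed5-ee5c7c834655' -Scope 'List.Read' `
    -RedirectUri 'https://mysite.mycompany.com:9090/oauth/2.0/redirectURL.jsp' -State $state
# Constructed callback, as redirectURL.jsp would receive it after the user signs in
$code = Get-OAuthCodeFromCallback -CallbackQuery "code=EXAMPLE_CODE&state=$state" -ExpectedState $state
```

The state value must be stored server-side per session and compared on return; a callback whose state does not match is dropped rather than exchanged for a token.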

Related

Error OrganizationFromTenantGuidNotFound when accessing messages Azure

I get the error "OrganizationFromTenantGuidNotFound" while trying to access my inbox messages.
To explain, I am trying to develop an app, and in this app I need to access my inbox e-mails.
So I try to use the Outlook API, and for that I created an app with all demanded permissions "Email.Read, Email.ReadBasics, Emails.ReadAll...". I have an Office 365 Family subscription and an active paid Azure subscription. My question is: why does getting my personal information via '/users/{user-id}' work, but when accessing emails I get this error? I read a lot of docs and never got an answer... Maybe my subscription does not give me access to a Microsoft Exchange Online license, or maybe my old Microsoft address "...#live.com" is not compatible; I don't know. If someone can help me clear it up, that would be great. Oh, and obviously my Office 365 and Azure accounts are the same.
I tried 'client credentials flow authentication' (which gives me the error 'need more privileges'), went back to Authorization Code Flow Authentication, but then I get the OrganizationFromTenantGuidNotFound error. But only on the /messages endpoint; the users/{user-id} endpoint works. Obviously I tried all the threads I found, even with an Office 365 Developer account, but I don't really see the correlation with my problem here.

Blueprism Code Producing 403 Forbidden Error

I am trying to use Blueprism to download PDF files from SharePoint.
I am using the below code. Url and Path are both variables which get passed through. This is producing a 403 Forbidden error. I believe that Blueprism is required to pass credentials to SharePoint before it will be allowed to download the file. Is this possible?
Using wc As New System.Net.WebClient()
    ' Url and Path are passed in; nothing sets wc.Credentials or wc.UseDefaultCredentials,
    ' so the request is sent without any authentication
    wc.DownloadFile(Url, Path)
End Using
I don't think you have a password-related issue; likely the SharePoint is recognising your account access via an AD group or SSO of some kind. 403 means the server has understood your request but is refusing to fulfil it because of an access reason on the profile you have. Make sure you can manually download the file on the profile you are emulating for a start, then also check that the profile the bot is operating under (not necessarily yours in some cases) has access to said file.
Literally, 403 is a request that relates to an access issue, so somewhere something doesn't have the correct access lined up.
First of all, is this a SharePoint Online or an on-premises version? As you understand, you are connecting to a web resource via an API, and as such you have to get authenticated and authorized to access those resources.
If it's SPO, you can use the API component for SharePoint integration from DX and configure it.
In the case of SharePoint on-prem, you have to customize a lot to achieve your results.

Conditional access blocks onedrive from within another app

Something I can't seem to wrap my head around:
Enabled CA for Exchange Online and SharePoint Online to be accessible only from Intune-compliant devices; works great.
On my iPhone I downloaded the SharePoint app, logged in, and that works great. Same for the OneDrive app.
But when I try to access either SharePoint or OneDrive from another app (PDF Expert, to edit PDFs), it gives an error message:
Login failed, please try again later.
When I look at the user sign-ins, I see a successful login from the PDF Expert app, and when I turn off CA for SharePoint Online, I can successfully add both the OneDrive and SharePoint source in the PDF Expert app. I've experimented with the "client apps" and selected everything and nothing, but that makes no difference.
Any ideas where to look further?
Here is a picture of my configured CA.
Note: currently it's one user who uses this, but exempting that user from CA defeats the purpose of having CA, so that's not an option.
After contact with support and the support team from the PDF Expert app, we discovered that the issue lies with the app.
As far as we've understood from your logs, your OneDrive account requires MDM support, which is not available in the PDF Expert app. Our developers are already aware of the issue with such accounts, so they'll consider adding OneDrive MDM support in future versions of the PDF Expert app.
Now we wait until they make an update to support this.

Configuring Group site with harmon.ie

We are using Harmon.ie for Outlook to save e-mails and documents in SharePoint sites. Recently we started to use Planner and Groups, and we want to use Harmon.ie to save documents and emails into group sites. In Harmon.ie there is an option to enable group sites. We have done that. When doing this, an Office 365 Global admin must give consent. We have also done that. However, when a user tries to access it, they are not allowed to. According to the documentation, something needs to be set up in Azure giving the app proper Graph access.
The question is: how do we do this? Has anyone else got this to work? When we access the app in Azure there is not much we can do.
We are stuck! Any help will be much appreciated.
There are different ways to solve this. Harmon.ie also allows you to connect to teams & groups - and I suppose this is what you tried to do. We also did this. It was a little bit complex - but after some communication with the harmon.ie support, we got it working.
However, I am proposing a different way to solve your problem. Why? Currently, the problem with this teams and groups connection is that you are not getting all the functionality of a normal site connection (if you connect a SharePoint site to: https://www.harmon.ie). You are only going to see the document library of your Office group - and nothing else. But as an Office group just uses a normal SharePoint site, you could also have other libraries created.
What you can do is:
1. get the site URL (every Office group has a SharePoint site behind it)
2. and add it to harmon.ie manually
You will then have access to the document libraries.
For this solution, you do not need any additional configuration of teams and groups access.

Azure AD application preconsent not working

(Related to this question)
I have an application that should be automatically usable for all customer tenants, and therefore tried this tutorial to enable preconsent.
After running the PowerShell commands and fetching the application again, I can see that it is enabled:
PS C:\Windows\system32> $graphResponse.value.recordConsentConditions
SilentConsentForPartnerManagedApp
However, when creating a new tenant (or using an existing one) and trying to access Microsoft Graph's /users call, I get a 500 error until I navigate to https://login.windows.net/common/oauth2/authorize?response_type=code&client_id={0}&prompt=admin_consent (with {0} being the clientId of the app), sign in as an admin and accept the delegation.
Am I missing a step here?
After contacting Microsoft support: this is a bug on their side. They told me yesterday that the engineering team acknowledged it. It will be fixed.
In order to query the MS Graph, your app will need to be granted the appropriate permissions by an end user or by an administrator of the tenant. Usually the best way to acquire consent from an administrator is by using the prompt=admin_consent parameter, as you've done above.
If for some reason you must do so via PowerShell, you can create an oAuth2PermissionGrant object using a consentType of AllPrincipals.
Personally I wouldn't recommend using the recordConsentConditions property. It's only there for legacy reasons - I don't even know what it does.
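As an added example (not from the answer above or from Microsoft's documentation), this creates the oAuth2PermissionGrant with consentType AllPrincipals using the Microsoft Graph PowerShell SDK cmdlets; because such a grant consents on behalf of every user in the tenant, it grants only the scopes it is given and refuses to silently widen a grant that already exists. The application id in the usage line is a placeholder.

```powershell
function Grant-TenantWideDelegatedConsent {
    param(
        [Parameter(Mandatory)][string]$AppId,     # application (client) id of your app
        [Parameter(Mandatory)][string[]]$Scopes   # delegated Graph scopes, e.g. 'User.Read'
    )
    $graphAppId = '00000003-0000-0000-c000-000000000000'   # well-known appId of Microsoft Graph

    # The grant links the app's service principal (client) to Graph's service principal (resource)
    $client   = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    $resource = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
    if (-not $client)   { throw "No service principal for $AppId in this tenant; is the app registered here?" }
    if (-not $resource) { throw 'Microsoft Graph service principal not found in this tenant' }

    # An existing tenant-wide grant is reported, not overwritten: widening it is a deliberate review step
    $existing = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($client.Id)' and consentType eq 'AllPrincipals'" |
        Where-Object { $_.ResourceId -eq $resource.Id }
    if ($existing) {
        Write-Warning "Tenant-wide grant $($existing.Id) already exists with scope '$($existing.Scope)'; nothing changed"
        return $existing
    }

    # Scope is one space-separated string; principalId is omitted for AllPrincipals
    $params = @{
        ClientId    = $client.Id
        ConsentType = 'AllPrincipals'
        ResourceId  = $resource.Id
        Scope       = ($Scopes -join ' ')
    }
    return New-MgOauth2PermissionGrant @params
}

# Usage: an administrator signs in with the rights needed to read service principals and manage consent
Connect-MgGraph -Scopes 'Application.Read.All', 'DelegatedPermissionGrant.ReadWrite.All'
Grant-TenantWideDelegatedConsent -AppId '00000000-0000-0000-0000-000000000000' -Scopes 'User.Read'
```

Grants created this way show up under the app's "Admin consent" entries and in the directory audit log, which is where to look when checking who granted tenant-wide consent and for which scopes.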