Sharepoint Online REST API with Azure AD v2.0 authentication - azure

Is it possible to authenticate to Sharepoint Online REST API with Azure AD application v2.0 authentication? If yes, which scope should I use for requesting my permissions. Now (for MS Graph API usage) I request "https://graph.microsoft.com/.default" as scope but didn't find any alternative to this for Sharepoint Online REST API.
I already registered an application on apps.dev.miscrosoft.com, this application is available on portal.azure.com. There I have added required permissions for Sharepoint Online.

Yes you can. To do this first you need to get a new access token using a regular refresh token you got for the graph already:
POST https://login.microsoftonline.com/{{tenantName}}/oauth2/v2.0/token
Except this time pass the following for the scope header:
https://{{tenantName}}.sharepoint.com/Sites.Read.All
Your application will need to already be consented for this scope etc...
The response will give you can access token that can be used again SPO APIs.

It should be the same authentication with Azure AD, the scope you are looking for should be the Site scopes.
https://learn.microsoft.com/en-us/graph/permissions-reference?view=graph-rest-beta#sites-permissions
Do not have SharePoint sites to check but if permission are granted to the application you should be able to query SharePoint site using Azure Graph APIs.
https://learn.microsoft.com/en-us/graph/api/resources/sharepoint?view=graph-rest-beta
Overview
https://learn.microsoft.com/en-us/graph/sharepoint-concept-overview

Related

How to access Microsoft Graph API with a SharePoint App-Only registration

Is there a way to use the Bearer token provided by a SharePoint App-Only¹ registration, to get access for Microsoft Graph features² like Drive list, Excel Create TableRow³, etc?
I was able to get a token using the example "Using this principal in your application without using the PnP Sites Core library", but when I tried to list sites, for example I got not authorized exception
https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs
https://learn.microsoft.com/pt-br/graph/overview?view=graph-rest-1.0
https://learn.microsoft.com/en-us/graph/api/table-post-rows?view=graph-rest-1.0&tabs=http
Token for SharePoint App-Only and token for Microsoft Graph cannot be used vice versa.
Apps registered in for SharePoint App-Only and Microsoft Graph have different client id, etc.
Also permissions scopes are totally different.

Azure Graph Booking API for public application

I would like to use MS Graph Booking API for publicly available application.
Users are going to login with identity providers but obviously are not in our Azure AD.
Per my understanding, it's possible to access this API only with delegated AD user permissions.
Also as I see Azure B2C AD users seem to not have access to MS Graph API.
Question: Is there a way to expose and use MS Graph Booking API by users who are in our database or in Azure B2C AD?
I am afraid there is no such way. To use Microsoft Graph API, we need to provide the appropriate access tokens for the corresponding operations, and we must get the access token from the Microsoft identity platform(formerly Azure Active Directory for developers).
The steps are:
Register your app with Azure AD.
Get authorization.
Get an access token.
Call Microsoft Graph with the access token.

Sharepoint online 'Unsupported app only token.'

I got myself a bearer token by calling https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token with the scope https://{tenantName}.sharepoint.com/.default
It's a token for a registered app in Azure AD.
When I use that token to make an API call like https://infoinnobake.sharepoint.com/_api/search/query?querytext='contentclass:STS_Site contentclass:SP.Webb'&selectproperties='Title,Path'&rowlimit=500
I only reveice 401 Unsupported app only token.
can some explain why? Is it possible to access the sharepoint online API with an registered App on Azure AD?
Follow this guide right here:
https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread
you need to create a certificate and upload the certificate to the registered app. Than you can use the API or the SharepointClient in various programming languages
We had a similar issue (with slightly different error message: 'Token type is not allowed') when using app-only, ClientID / ClientSecret based authentication in a tenant, that was recently created. In our old tenant (created in 2013) we could use the same authentication method without any problem. As it turned out, new tenants have a standard setting in DisableCustomAppAuthentication property, that disable this kind of auth., however it can be overriden using this command:
Set-SPOTenant -DisableCustomAppAuthentication $false
Source:
https://sharepoint.stackexchange.com/questions/284402/sharepoint-online-authorization-issue-token-type-is-not-allowed
https://sharepoint.stackexchange.com/questions/286693/getting-invalid-request-token-type-is-not-allowed-error-while-accessing-lists
Furthermore:
https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs
Azure Access Control (ACS), a service of Azure Active Directory (Azure
AD), has been retired on November 7, 2018. This retirement does not
impact the SharePoint Add-in model, which uses the
https://accounts.accesscontrol.windows.net hostname (which is not
impacted by this retirement). For more information, see Impact of
Azure Access Control retirement for SharePoint Add-ins. For new
tenants, apps using an ACS app-only access token is disabled by
default. We recommend using the Azure AD app-only model which is
modern and more secure. But you can change the behavior by running
‘set-spotenant -DisableCustomAppAuthentication $false' (needs the
latest SharePoint admin PowerShell).
More details:
https://www.koskila.net/literally-breaking-changes-to-app-authentication-on-sharepoint-%F0%9F%98%B5

SP Online REST API Issue when uses AZURE Access token

My requirement is described below.
User uploads the document through web-app and document saves in to shared location.
Application service (cron job or server code) , selects the documents and extracts the details.
Cron job send the details to SharePoint rest api which is protected by azure AD. (Oauth protocol)
I have a valid AZURE client ID and Secret ID which has application level access permission. I got access token by using AZURE client ID and Secret ID from AZURE AD with help of simple JAVA code but am getting following error when i call sharepoint online REST service using Oauth access token.
Error : {"error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."}
What does it mean? Can anyone help me resolve the issue ?
As SharePoint Online has strict safety standards, authentication for working with REST API consists of three steps:
1.Get the security token from Microsoft authentication portal.
2.Get the cookies from the SharePoint Online server.
3.Get the signature for requests to the SharePoint Online server.
More information is here:
http://www.wave-access.com/public_en/blog/2015/june/23/java-service-integration-with-sharepoint-online-via-rest-api.aspx
Access Office 365 from JAVA, we can use Office 365 SDKs for Java.
https://github.com/OfficeDev/Office-365-SDK-for-Java

Microsoft Dynamics CRM OAuth Integration

I need to integrate my web application (multi-tenant SaaS product) into my users' Dynamics CRM so it can pull their data.
I have learnt that Azure Active Directory apps can take care of such integrations (OAuth) but I cannot figure out how my users can grant my app access to their Dynamics CRM data.
Apparently, every user of mine should create an Azure AD app (with access to their Dynamics CRM account) and then my Azure AD app should be authorised to make requests on behalf of their AD app.
I have no idea how I can make this process work.
Any advice would be much appreciated.
For Dynamics CRM versions 2016 and 365, data can be accessed via the Web API.
When using the Web API by sending, for example, an HTTP GET request, a request header must be present in the format: { 'Authorization': 'Bearer' + token } where token is an OAuth 2 Bearer Token.
To obtain a token, I'd suggest using the Azure AD authentication Library (ADAL).
To authenticate with Dynamics CRM via ADAL, you'll have to register your web application under Azure Active Directory along with Dynamics CRM. Registering your app will give you a client ID which is required by the OAuth 2.0 authorisation flow. This post is very useful.
If your app will have administrative privilege, then it will have access to other user's data. There are several things you should make sure of when configuring OAuth, check this:
http://phuocle.net/crm/dynamics-365-online-s2s-authentication-full-explain.aspx
so to highlight the most important things from my perspective:
you should have a special user for handling that
this user should not have any license assigned - so you have to sign a license for him, a take it back after done configuring him
user should have a custom role (can be role copied from System Administrator)

Resources