How to access Onedrive Business via Microsoft Graph API - sharepoint

I'm working on accessing personal documents of users using the API provided by Microsoft Graph, but I am having an issue with authentication.
According to this documentation I can simply create an application, set the right scopes (etc.) and then acquire an access token for a given user - this is working perfectly right now.
Querying URLs like https://graph.microsoft.com/v1.0/me/drives works - I get a https://onedrive.live.com drive as a result.
What the API doesn't return is data about a second drive on https://{tenant}-my.sharepoint.com. I have tried accessing this data using the API Endpoint: https://{tenant}-my.sharepoint.com/_api/v2.0 using the Microsoft Graph authentication token. This returns the following error:
{
"error_description": "Unsupported security token."
}
How do I access the API of such an Office 365 OneDrive?

The sharepoint.com/_api/v2.0 API is not a Microsoft Graph API and it doesn't support Converged Auth tokens from the v2 Endpoint.
Accessing SharePoint Drives uses the same API as OneDrive and OneDrive for Business:
/v1.0/sites/{siteId}/drives
For example, if you had a team site named "AwesomeTeam" you retrieve a list of drives for that site using:
/v1.0/sites/root/:/teams/AwesomeTeam:/drives

Related

How to access Microsoft Graph API with a SharePoint App-Only registration

Is there a way to use the Bearer token provided by a SharePoint App-Only¹ registration, to get access for Microsoft Graph features² like Drive list, Excel Create TableRow³, etc?
I was able to get a token using the example "Using this principal in your application without using the PnP Sites Core library", but when I tried to list sites, for example, I got a not authorized exception.
https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs
https://learn.microsoft.com/pt-br/graph/overview?view=graph-rest-1.0
https://learn.microsoft.com/en-us/graph/api/table-post-rows?view=graph-rest-1.0&tabs=http
A token for SharePoint App-Only and a token for Microsoft Graph cannot be used vice versa.
Apps registered for SharePoint App-Only and Microsoft Graph have different client IDs, etc.
Also, permission scopes are totally different.
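
Both answers above come down to the token's audience: a token issued for Microsoft Graph is not accepted by SharePoint's own `_api` endpoints, and the reverse. As an added diagnostic example (not code from the posts), the following decodes a token's `aud` claim and compares it with the host being called. The function names, the `contoso` hosts and the sample tokens are constructed, and the three `aud` formats handled are assumptions about what the token contains.

```python
import base64
import json
from urllib.parse import urlparse

# Well-known resource app IDs that may appear in `aud` instead of a URI.
KNOWN_RESOURCE_IDS = {
    "00000003-0000-0000-c000-000000000000": "graph.microsoft.com",
    "00000003-0000-0ff1-ce00-000000000000": "sharepoint.com",
}

def make_sample_token(aud):
    """Constructed, unsigned sample token for offline testing only."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"aud": aud}), "constructed-signature"])

def jwt_claims(token):
    """Decode the payload WITHOUT verifying the signature (diagnostics only).
    Returns None when the token is opaque or malformed."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))
    except ValueError:
        return None
    return claims if isinstance(claims, dict) else None

def audience_host(aud):
    """Host an `aud` value targets: URI, '<id>/<host>@<realm>', or bare app ID."""
    if "://" in aud:
        return (urlparse(aud).hostname or "").lower()
    resource_id, _, rest = aud.partition("/")
    if rest:
        return rest.split("@")[0].lower()
    return KNOWN_RESOURCE_IDS.get(resource_id.lower(), "")

def check_audience(token, request_url):
    """Return 'ok', 'opaque-token', or an 'audience-mismatch: ...' message."""
    claims = jwt_claims(token)
    if claims is None:
        return "opaque-token"
    aud = str(claims.get("aud", ""))
    target = (urlparse(request_url).hostname or "").lower()
    host = audience_host(aud)
    if host and (target == host or target.endswith("." + host)):
        return "ok"
    return f"audience-mismatch: token is for {aud!r}, request goes to {target!r}"
```

Running `check_audience` on a rejected token before retrying shows whether the fix is to request a token for the other resource or to call the Graph route instead.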

SP Online REST API issue when using Azure access token

My requirement is described below.
User uploads the document through the web app and the document is saved into a shared location.
Application service (cron job or server code) selects the documents and extracts the details.
Cron job sends the details to the SharePoint REST API, which is protected by Azure AD (OAuth protocol).
I have a valid Azure client ID and Secret ID which has application-level access permission. I got an access token by using the Azure client ID and Secret ID from Azure AD with the help of simple Java code, but I am getting the following error when I call the SharePoint Online REST service using the OAuth access token.
Error : {"error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."}
What does it mean? Can anyone help me resolve the issue?
As SharePoint Online has strict safety standards, authentication for working with REST API consists of three steps:
1. Get the security token from Microsoft authentication portal.
2. Get the cookies from the SharePoint Online server.
3. Get the signature for requests to the SharePoint Online server.
More information is here:
http://www.wave-access.com/public_en/blog/2015/june/23/java-service-integration-with-sharepoint-online-via-rest-api.aspx
To access Office 365 from Java, we can use the Office 365 SDKs for Java.
https://github.com/OfficeDev/Office-365-SDK-for-Java

ResourceNotFound Error with Microsoft Graph API for Excel

Are access tokens returned from Microsoft's v2 authentication endpoint valid for accessing the Excel REST API?
I receive an access token when going through the OAuth flow, and can access OneDrive endpoints such as:
GET https://graph.microsoft.com/v1.0/me/drive
But if I try to access an Excel endpoint such as:
GET https://graph.microsoft.com/v1.0/me/drive/items/{id}/workbook/
... I get a 404 ResourceNotFound error.
Note that I've registered for my Client ID via the Microsoft app registration portal.
The v2.0 endpoint could work well for this API when I test with the work account. And I also reproduced this issue when I use the personal account.

OAuth Flow for Onedrive for Business

For OAuth 2.0 flow for OneDrive for Business, should one use:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize
As well as passing along a scope?
According to this MS blog post, OneDrive, OneDrive for Business, etc. should be able to use this new V2 OAuth 2.0 flow:
https://blogs.msdn.microsoft.com/richard_dizeregas_blog/2015/09/04/working-with-the-converged-azure-ad-v2-app-model/
Or, should it be:
https://login.microsoftonline.com/common/oauth2/authorize
And have permissions set up in AAD for the application?
When using the former (v2 OAuth), I keep getting errors saying my scopes are invalid: AADSTS70011: The provided value for the input parameter 'scope' is not valid. The scope offline_access onedrive.readwrite is not valid.
When using the latter I keep getting the following error:
unauthorized_client
AADSTS70001: Application 'xxxx' is not supported for this API version. Trace ID: d5d359ad-2e6b-468d-9a95-df51656e9cc9
I have OneDrive working for user accounts using the live APIs, but since they are deprecated and it looks like the user and business OneDrive accounts should use the newer APIs, this is getting confusing.
Thanks for any assistance.
To access the direct OneDrive for Business endpoint (instead of using Graph API) you need to follow the steps to Register an app for OneDrive for Business. This requires an Azure subscription (even though it's free) and using the Azure Portal to define the permissions the application will require. After going through this provisioning, you use the second authorize endpoint (without v2 in the URL).
It sounds like you registered an app using the new app registration portal (apps.dev.microsoft.com) which is only compatible with the v2 OAuth endpoint, which only works with Microsoft Graph.
You can sidestep the Azure stuff by creating a new application ID from the Office 365 Getting Started page; however, you will need an Azure subscription if you need to make changes to the app later.
Also, we're working on fixing the 4MB upload limit with Graph API, although I don't have an ETA for when that will be resolved.

Microsoft Graph API where use token generated by azure?

I'm trying to use Microsoft Graph API or Outlook REST API to create events in a user's calendar through ajax / REST calls.
But I don't know where I have to call the key generated by Azure when I registered my application in Azure Active Directory... And I don't know if I need to pass the Client ID too.
I gave the following permissions to Microsoft Graph in Azure:
I don't know if these permissions are enough for what I want to do.
Thanks in advance.
You could find permission details from Permission scopes | Graph API concepts, also you can refer to Office 365 Node.js Connect sample using Microsoft Graph and Microsoft Graph service app sample using Node.js from GitHub for more help.
