I have an Azure AD app registered, and my web app requires using both graph-api and the REST API to fetch SharePoint account information.

For example:

https://domain.sharepoint.com/_api/Web/RoleAssignments

The problem is that the access token I fetch for Graph isn't valid for REST. I basically want to avoid having to register my app on:

https://domain-admin.sharepoint.com/_layouts/15/appinv.aspx

Which asks for an XML block to be added to allow Full Access.

Desired: a single AD app to be used for both the graph-api and REST API implementations. Separate tokens are fine.

  • How are you generating the access token? Are you making use of the client credential flow or the user interactive flow? Commented Jun 20, 2024 at 6:59
  • It is by default required to give full access in the XML block to fetch the details. Commented Jun 20, 2024 at 7:46
  • Using the client credential flow from this URL: accounts.accesscontrol.windows.net/%s/tokens/OAuth/2 Commented Jun 20, 2024 at 18:55

1 Answer

Note that if you are making use of the client credential flow and granting application permissions to the Microsoft Entra ID application, it is mandatory, and by default you must grant permissions in the Add-in to allow Full Access to the application.

If you want to avoid registering the app in the Add-in and giving full access, then you can grant delegated API permissions and make use of the delegated flow as a workaround:

Grant delegated API permission to the Microsoft Entra ID application:

Use the below endpoint to authorize users:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://Domain.sharepoint.com/.default
&state=12345

Generate the access token by using the parameters below:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

grant_type:authorization_code
client_id:ClientID
client_secret:ClientSecret
scope:https://Domain.sharepoint.com/.default
code:code
redirect_uri:https://jwt.ms

By using the above access token, you can call the SharePoint REST API:

https://domain.sharepoint.com/_api/Web/RoleAssignments
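
The delegated flow from the answer above, as an added Python example that is not part of the original answer: it builds the authorize and token requests with a per-request `state` instead of a fixed value, and reads a token's `aud` claim to show that a token issued for Graph is not one issued for the SharePoint resource. The function names and sample tokens are constructed for illustration, the code assumes `aud` carries the resource URI (it can also be the resource's application ID), and nothing is sent over the network.

```python
import base64, json, secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"

def build_authorize_url(tenant, client_id, redirect_uri, resource):
    """Return (url, state) for the authorize request, with a random state."""
    state = secrets.token_urlsafe(16)
    query = urlencode({"client_id": client_id, "response_type": "code",
                       "redirect_uri": redirect_uri, "response_mode": "query",
                       "scope": f"{resource}/.default", "state": state})
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{query}", state

def code_from_callback(callback_url, expected_state):
    """Return the authorization code; reject a callback whose state differs."""
    params = parse_qs(urlparse(callback_url).query)
    got = params.get("state", [""])[0]
    if not secrets.compare_digest(got.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this request")
    return params["code"][0]

def token_request(tenant, client_id, client_secret, code, redirect_uri, resource):
    """Return (url, form) for the token endpoint POST; nothing is sent."""
    form = {"grant_type": "authorization_code", "client_id": client_id,
            "client_secret": client_secret, "scope": f"{resource}/.default",
            "code": code, "redirect_uri": redirect_uri}
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/token", form

def token_audience(access_token):
    """Read the unverified 'aud' claim; for diagnostics only, not validation."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["aud"]

def usable_for(access_token, resource):
    """True if the token was issued for this resource (assumes aud is its URI)."""
    return token_audience(access_token).rstrip("/").lower() == resource.rstrip("/").lower()

def constructed_token(aud):
    """Build an unsigned sample token (constructed data, not a real token)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'aud': aud})}.sig"

if __name__ == "__main__":
    sharepoint = "https://domain.sharepoint.com"
    print(usable_for(constructed_token("https://graph.microsoft.com"), sharepoint))
    print(usable_for(constructed_token(sharepoint), sharepoint))
```
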
