Authentication issues
- Sep 04, 2018
- Sajith
Getting the following error while accessing the Graph API: "Failed to load resource: the server responded with a status of 403 (Forbidden)". When I tried using Postman with a bearer token, I got this error message: "Either scp or roles claim need to be present in the token".
Used the portal below for app registration (Client ID + Secret):
https://apps.dev.microsoft.com
Sajith, you need to ensure the application has been granted the required permissions by the tenant admin and if using delegated permissions you need to ensure the user has the right role in AAD which is either Global Admin, or one of the Limited Administrator roles of Security Reader and/or Security Writer.
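The "Either scp or roles claim need to be present in the token" message means the bearer token sent to Graph carries neither a delegated permission claim (`scp`) nor an app-only permission claim (`roles`). The following is an added diagnostic example, not code from the thread or from Microsoft: it decodes the payload of an access token you already hold (without verifying the signature, since the point is to read claims, not to trust the token), reports whether it is delegated or app-only, and lists which of the permissions your call needs are missing. The three sample tokens are constructed inline; the permission name `SecurityEvents.Read.All` is assumed here as the Graph Security alerts permission, and the `aud`, `upn` and `appid` values are placeholders.

```python
import base64
import json
from typing import Any, Dict, List


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def make_unsigned_token(claims: Dict[str, Any]) -> str:
    """Build a constructed, unsigned JWT for the samples below (test data only)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> Dict[str, Any]:
    """Return the payload claims of a compact JWT. Signature is NOT verified:
    this is for inspecting a token you obtained, never for accepting one."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def classify_graph_token(token: str) -> Dict[str, Any]:
    """Report which permission model the token represents.

    Azure AD encodes delegated permissions as a space-separated string in `scp`
    and application (app-only) permissions as a list in `roles`. A token with
    neither is exactly what Graph rejects with the 'scp or roles' error.
    """
    claims = decode_claims(token)
    if "scp" in claims:
        model, permissions = "delegated", claims["scp"].split()
    elif "roles" in claims:
        model, permissions = "app-only", list(claims["roles"])
    else:
        model, permissions = "none", []
    return {
        "model": model,
        "permissions": permissions,
        "audience": claims.get("aud"),
        "will_be_rejected": model == "none",
    }


def missing_permissions(token: str, required: List[str]) -> List[str]:
    """Permissions the call needs that the token does not carry."""
    granted = set(classify_graph_token(token)["permissions"])
    return sorted(set(required) - granted)


# Constructed samples (not real tokens). Audience is the Graph resource URI.
DELEGATED_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "scp": "Sites.ReadWrite.All User.Read",
    "upn": "svc-sharepoint@contoso.example",   # placeholder service user
})
APP_ONLY_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "roles": ["SecurityEvents.Read.All"],        # assumed Security API permission
    "appid": "00000000-0000-0000-0000-000000000000",  # placeholder client id
})
EMPTY_TOKEN = make_unsigned_token({"aud": "https://graph.microsoft.com"})

if __name__ == "__main__":
    for name, tok in [("delegated", DELEGATED_TOKEN),
                      ("app-only", APP_ONLY_TOKEN),
                      ("no consent granted", EMPTY_TOKEN)]:
        info = classify_graph_token(tok)
        print(f"{name:>18}: model={info['model']}, "
              f"permissions={info['permissions']}, rejected={info['will_be_rejected']}")
    print("missing for alert write:",
          missing_permissions(DELEGATED_TOKEN,
                              ["Sites.ReadWrite.All", "SecurityEvents.Read.All"]))
```

When the token comes back with no `scp` and no `roles`, the fix is on the tenant side rather than in the code: the permissions have to be granted (admin consent for application permissions) and, for delegated permissions to the Security API, the signed-in user needs one of the directory roles named in the reply above. Running this check before each Graph call also makes it easy to confirm that a service identity holds only the permissions the call needs.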
- Peter Dam van, Aug 31, 2018, Copper Contributor
Hi Jason, this totally helped me!
Quick question: my goal is to let an external (PHP based) website add/modify SharePoint Online List items. It works now, but I'm concerned about assigning the directory role.
Scenario:
I've created a new user in AAD that only has read/write permissions to the desired SharePoint List. Then, I've registered a new App in the App Registration Portal under this user, with DELEGATED permissions on Sites.ReadWrite.All. Since the user associated with this app only has R/W permissions on this one SharePoint List, we're safe.
But without assigning the mentioned AAD role, we keep getting the "Either scp or roles claim need to be present in the token" AccessDenied message. When we assign the Security Reader role, everything works fine.
But now I get the feeling that this particular app has way more permissions than it actually needs.
Any thoughts?
Thanks in advance!
- kevinmckeown8, May 03, 2019, Iron Contributor
We are trying to create a form on a public website that will allow people to sign up for an email list. We want this form to write to a SharePoint list. This sounds similar to what you are doing with your PHP application.
Can you provide any more details about your app and how it is writing into a SharePoint list?
- Jason_Wescott, Sep 04, 2018, Former Employee
Peter,
One approach would be to request Delegated permissions for Graph SharePoint API calls and App Only permissions for Graph Security API calls. Your application would essentially be acting as a service when it retrieves security alerts, and using the user account you created when writing those alerts to the SharePoint list.
Without knowing how your application is invoked I don't know if this option is feasible for you. It doesn't sound like the app is an interactive app since you've created a user which sounds like it's acting like a service account and reading and writing alerts. App Only seems like a viable option. Just make sure if the application is interactive, that it doesn't let regular users view security alerts when they otherwise wouldn't be able to.