Forum Discussion
SharePoint REST API - Get StorageQuotas from tenant admin site using managed identity
Hi everybody,
I would like to automate the process of sending alerts when the SharePoint tenant storage quota reaches certain threshold levels.
I have found that I can perform a GET call on the following endpoint https://<mytenantname>-admin.sharepoint.com/_api/StorageQuotas()?api-version=1.3.2 to obtain information such as 'TenantStorageMB', 'GeoUsedStorageMB' and 'GeoAvailableStorageMB'.
I can use Logic Apps and perform the action 'Send an HTTP request to SharePoint' (built-in SharePoint Online connector) to obtain the information by connecting it with a SharePoint Administrator user account. However, I would like to use a managed identity instead for improved security. Hence, I have followed these steps:
- enabled a system assigned managed identity on the Logic App
- created a Key Vault in Azure
- generated a certificate from within the Key Vault
- created a new app registration in Entra ID
- downloaded the certificate from the Key Vault (CER) and uploaded the certificate to the app registration
- assigned application permissions (for testing purposes SharePoint Sites.FullControl.All), even tried to assign permissions to the Enterprise Application
- allowed the Logic app to retrieve the certificate from the Key Vault
When I try to perform the same query, I get the following error message:
- So the issue is that you have not done the correct permission registration; you need to use the Add-in method for the REST API:
https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs
- JoostvdLinden (Brass Contributor)
Thank you for your reply NicolasKheirallah, helping me out.
I have been struggling for several hours to make this work now. On a demo tenant I have been able to make this work just fine and let Postman retrieve the list items of a list on a site collection, just for testing, making use of the following article, which also elaborates on SharePoint App-only permissions: https://global-sharepoint.com/sharepoint-online/in-4-steps-access-sharepoint-online-data-using-postman-tool/?expand_article=1
However, I am not able to retrieve the StorageQuotas from the tenant admin site using the Bearer access token. When I do so, I get the following error message: "{"error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."}"
Articles I found on the web seem to point to an inappropriately set scope or incorrect permissions.
I have followed the steps in your article to generate a new application, and for this test I had used the following permissions: <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />. In Postman I have retrieved an access token as described here: https://global-sharepoint.com/sharepoint-online/in-4-steps-access-sharepoint-online-data-using-postman-tool/?expand_article=1 and performed the request with, in the Headers, a key named 'Authorization' and the value 'Bearer <access token>'.
- Did you register the app under -Admin?
- LilyNMS (Copper Contributor)
I am having a similar issue; the error I get is
{"error_description":"ID3035: The request was not valid or is malformed."}
for the API
https://tenant-admin.sharepoint.com/_api/StorageQuotas()?api-version=1.3.2
- JoostvdLinden (Brass Contributor)
Hi Lily,
In the meantime I managed to fix this myself. Do you have the SharePoint Administrator role assigned to the account you use to authenticate?
More info: https://sharepointnomad.wordpress.com/2020/06/29/office-365-storage-utilization-alerts-with-a-power-automate-workflow/
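A way to see what the AudienceUriValidationFailedException quoted earlier in this thread is checking, added here as an example and not posted by any participant: decode the bearer token's `aud` claim and compare its host with the host of the endpoint being called. The function names, the `contoso` tenant, the realm GUID and the two audience formats handled are assumptions, and the sample token is constructed and unsigned.

```python
import base64
import json
from urllib.parse import urlparse


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_host(aud):
    """Return the host a token was issued for, or None if aud names no host."""
    # Assumed formats: 'principal/host@realm' (ACS app-only) and 'https://host'.
    if "://" in aud:
        return (urlparse(aud).hostname or "").lower() or None
    if "/" in aud:
        return aud.split("/", 1)[1].split("@", 1)[0].lower() or None
    return None


def check_audience(token, request_url):
    """Return (matches, token_host, request_host); matches is None if unknown."""
    aud = jwt_claims(token).get("aud", "")
    if isinstance(aud, list):  # 'aud' may be an array per RFC 7519
        aud = aud[0] if aud else ""
    token_host = audience_host(aud)
    request_host = (urlparse(request_url).hostname or "").lower()
    matches = None if token_host is None else token_host == request_host
    return matches, token_host, request_host


def _b64(obj):
    """base64url-encode a dict as JSON, without padding (for the sample only)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample: a token issued for the tenant root site, not the admin site.
SAMPLE_AUD = "00000003-0000-0ff1-ce00-000000000000/contoso.sharepoint.com@11111111-1111-1111-1111-111111111111"
SAMPLE_TOKEN = ".".join([_b64({"alg": "none"}), _b64({"aud": SAMPLE_AUD}), "sig"])
ADMIN_URL = "https://contoso-admin.sharepoint.com/_api/StorageQuotas()?api-version=1.3.2"

if __name__ == "__main__":
    print(check_audience(SAMPLE_TOKEN, ADMIN_URL))
```

A token requested for one SharePoint host and sent to another shows up here as a mismatch. The signature is not checked, so this is for troubleshooting only and never for authorization decisions.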