Azure Active Directory Permissions Issue: 403 Exception

Asim Bashir Bhatti
Frequent Visitor

I have a added a Native app in Azure Active directory. I have granted all the required SharePoint permissions (to my knowledge) but when I try to hit following SharePoint REST API, it returns 403 exception




I'm trying to get SharePoint Online SPOIDCRL cookie using bearer token. Below is my code snippet:

import android.content.Intent;
import android.support.v7.app.AppCompatActivity;
import android.os.Bundle;
import android.util.Log;

import com.microsoft.aad.adal.AuthenticationCallback;
import com.microsoft.aad.adal.AuthenticationContext;
import com.microsoft.aad.adal.AuthenticationResult;
import com.microsoft.aad.adal.PromptBehavior;

import com.squareup.okhttp.MediaType;
import com.squareup.okhttp.OkHttpClient;
import com.squareup.okhttp.Request;
import com.squareup.okhttp.RequestBody;
import com.squareup.okhttp.Response;
import com.squareup.okhttp.Headers;

import java.net.URL;
import java.net.HttpURLConnection;
import java.util.Locale;

public class MainActivity extends AppCompatActivity {

    private static final String CLIENT_ID = "{my_client_id}";
    private static final String REDIRECT_URI = "{my_redirect_uri}";
    private static final String GRAPH_RESOURCE = "https://graph.microsoft.com";
    private static final String SHAREPOINT_ONLINE_RESOURCE = "mytenant.sharepoint.com";
    private static final String AUTHORITY = "https://login.microsoftonline.com/mytenant.onmicrosoft.com";
    private static final String LOG_TAG = "AUTH";
    private static String accessToken;
    private static String userId;

    private AuthenticationContext authenticationContext;

    protected void onCreate(Bundle savedInstanceState) {

        try {
            // Create the authentication context.
            authenticationContext = new AuthenticationContext(MainActivity.this,
                    AUTHORITY, true);

            // Acquire tokens using necessary UI.
            authenticationContext.acquireToken(MainActivity.this, GRAPH_RESOURCE, CLIENT_ID, REDIRECT_URI,
                    PromptBehavior.Always, new AuthenticationCallback<AuthenticationResult>() {
                        public void onSuccess(AuthenticationResult result) {
                            String idToken = result.getIdToken();
                            accessToken = result.getAccessToken();
                            userId = result.getUserInfo().getUserId();

                            // Print tokens.
                            Log.d(LOG_TAG, "ID Token: " + idToken);
                            Log.d(LOG_TAG, "Access Token: " + accessToken);

                            String spToken = getEndPointToken(SHAREPOINT_ONLINE_RESOURCE);

                        public void onError(Exception exc) {
                            // TODO: Handle error

        } catch (Exception e) {

    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        super.onActivityResult(requestCode, resultCode, data);

        // Pass the activity result to the authentication context.
        if (authenticationContext != null) {
            authenticationContext.onActivityResult(requestCode, resultCode, data);

    protected void getCookies(String token) {
        try {
            HttpURLConnection connection = (HttpURLConnection) new URL("https", "mytenant.sharepoint.com", "_api/SP.OAuth.NativeClient/Authenticate").openConnection();
            try {
                connection.setRequestProperty(Broker.CHALLENGE_RESPONSE_HEADER, String.format(Locale.ROOT, "Bearer %s", new Object[]{token}));

                String headerField = connection.getHeaderField("Set-Cookie");
                Log.d("COOKIE", headerField);

            } finally {
        } catch (Exception e) {


    protected String getEndPointToken (String resourceUri) {
        String token = "";
        try {
            authenticationContext.acquireTokenSilentAsync(resourceUri, CLIENT_ID, userId, new AuthenticationCallback<AuthenticationResult>() {
                public void onSuccess(AuthenticationResult result) {
                    String spAccessToken = result.getAccessToken();

                    Log.d("SP-AUTH", "Sharepoint Token");
                    Log.d("SP-AUTH", spAccessToken);

                public void onError(Exception exc) {
                    // TODO: Handle error
        } catch (Exception e) {

        return token;

<?xml version="1.0" encoding="utf-8"?><m:error xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata"><m:code>-1, Microsoft.SharePoint.Client.ClientServiceException</m:code><m:message xml:lang="en-US">Exception of type 'Microsoft.SharePoint.Client.ClientServiceException' was thrown.</m:message></m:error>

Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
50 Replies
Extentions Synchronization
Deleted in Discussions on
3 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
32 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
15 Replies
Dev channel update to 80.0.355.1 is live
josh_bodner in Discussions on
67 Replies