First published on TECHNET on Feb 06, 2018
This post is a contribution from Mustaq Patel, an engineer with the SharePoint Developer Support team
If we want a quick check that an AAD app is working against SharePoint Online through the Graph API, we can use Postman to set this up in a few minutes. This blog post demonstrates how to use the Graph API with grant type = Authorization Code. It also shows how to use the version 2.0 OAuth2 endpoint URLs.
For using the REST API with Postman, please follow the steps below. They also show how to use the Client Credentials grant type.
Using OAuth 2.0 AAD App to retrieve data from SPO site using Graph
Register your AAD app using apps.dev.microsoft.com, or directly in the Azure Active Directory that is associated with your SharePoint Online tenant. My registration, made at https://apps.dev.microsoft.com, looks like the one below.
The permissions you request will differ depending on what you are retrieving from SPO. For now I am granting Sites.Read.All, which gives the app read permission on all SharePoint sites.
Using OAuth 2.0 version 2 endpoints to retrieve data from SPO site using Graph
To use the OAuth2 version 2.0 endpoint URLs with Graph, the steps are exactly the same as above, except for the step where we get the AccessToken: there we have to supply a Scope, and the Auth URL and Token URL change.
Also, please note that the 2.0 endpoint URLs only support Graph APIs, which means that for SharePoint they are very limited.
Using the same app registration as above, here is my request to get an AccessToken using the OAuth2 version 2.0 URLs.
Callback URL – this should be the redirect URL we copied from the app registration
Auth URL – this should be https://login.windows.net/common/oauth2/v2.0/authorize
Access Token URL – this should be https://login.microsoftonline.com/common/oauth2/v2.0/token
Scope – list of scopes / permissions, for example https://graph.microsoft.com/files.read.all sites.read.all
The main differences between the v2.0 URLs and the older v1 URLs are below.
Auth URL
V1 = https://login.windows.net/common/oauth2/authorize?resource=https%3A%2F%2Fgraph.microsoft.com
V2 = https://login.windows.net/common/oauth2/v2.0/authorize (no resource parameter; the API is identified by the scopes instead)
Access Token URL
V1 = https://login.microsoftonline.com/common/oauth2/token
V2 = https://login.microsoftonline.com/common/oauth2/v2.0/token
Scope
V1 = not needed (the API is identified by the resource parameter)
V2 = https://graph.microsoft.com/files.read.all sites.read.all (multiple permissions separated by spaces; all scopes in one request must belong to a single resource, here https://graph.microsoft.com)
Note - Getting an access token for calling the SharePoint APIs uses the same mechanism. The resource changes to "https://<tenant>.sharepoint.com". The app needs to be registered on https://portal.azure.com and should have permissions on Office 365 SharePoint Online.
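As an added example that is not part of the original post, here is the same Authorization Code exchange scripted in Python instead of clicked through in Postman. It covers both the v1 endpoints (API named by resource=, including the SharePoint resource from the note above) and the v2.0 endpoints (API named by scope=), and then calls Graph with the bearer token. The client id, client secret, redirect URL and tenant are placeholders to replace with your own registration values; the state check on the callback and the single-resource check on v2.0 scopes are defensive details I added, not steps from the post.

```python
"""OAuth 2.0 Authorization Code grant against Azure AD, v1 (resource=) and v2.0 (scope=),
followed by a Microsoft Graph call. Only the standard library is used."""
import json
import secrets
import urllib.parse
import urllib.request

# Constructed placeholders; replace with the values from your own app registration.
CLIENT_ID = "<application-id-from-app-registration>"
CLIENT_SECRET = "<client-secret-from-app-registration>"
REDIRECT_URI = "https://localhost/callback"  # must match the registered redirect URL exactly

# Endpoint URLs as given in the post.
V1_AUTHORIZE_URL = "https://login.windows.net/common/oauth2/authorize"
V1_TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/token"
V2_AUTHORIZE_URL = "https://login.windows.net/common/oauth2/v2.0/authorize"
V2_TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/token"

GRAPH_RESOURCE = "https://graph.microsoft.com"
GRAPH_SCOPES = [GRAPH_RESOURCE + "/files.read.all", GRAPH_RESOURCE + "/sites.read.all"]
SPO_RESOURCE = "https://<tenant>.sharepoint.com"  # placeholder tenant, as written in the post


def _api_params(version, resource, scopes):
    """v1 names the API with 'resource'; v2.0 names it through 'scope' values that must
    all belong to one resource, so mixing Graph and SharePoint scopes is rejected here."""
    if version == 1:
        if not resource:
            raise ValueError("v1 endpoints require resource=")
        return {"resource": resource}
    if version == 2:
        if not scopes:
            raise ValueError("v2.0 endpoints require scope=")
        resources = {s.rsplit("/", 1)[0] for s in scopes if "/" in s}
        if len(resources) > 1:
            raise ValueError(f"v2.0 scopes span several resources: {sorted(resources)}")
        return {"scope": " ".join(scopes)}
    raise ValueError("version must be 1 or 2")


def build_authorize_url(version, state, resource=None, scopes=None):
    """URL the user opens in a browser (Postman's 'Auth URL' step). 'state' is a random
    value checked on return so a forged callback cannot hand us someone else's code."""
    params = {"client_id": CLIENT_ID, "response_type": "code",
              "redirect_uri": REDIRECT_URI, "state": state}
    params.update(_api_params(version, resource, scopes))
    base = V1_AUTHORIZE_URL if version == 1 else V2_AUTHORIZE_URL
    return base + "?" + urllib.parse.urlencode(params)


def build_token_request(version, code, resource=None, scopes=None):
    """(token URL, form body) for exchanging the code (Postman's 'Access Token URL' step)."""
    body = {"grant_type": "authorization_code", "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET, "code": code, "redirect_uri": REDIRECT_URI}
    body.update(_api_params(version, resource, scopes))
    url = V1_TOKEN_URL if version == 1 else V2_TOKEN_URL
    return url, urllib.parse.urlencode(body).encode()


def callback_code(callback_url, expected_state):
    """Extract the code from the URL the browser was redirected to, refusing a state mismatch."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
    if "error" in query:
        raise RuntimeError(f"{query['error'][0]}: {query.get('error_description', [''])[0]}")
    returned_state = query.get("state", [""])[0]
    if not secrets.compare_digest(returned_state, expected_state):
        raise RuntimeError("state mismatch: callback was not produced by our authorize request")
    return query["code"][0]


def parse_token_response(raw):
    """Token endpoint JSON -> dict; surfaces AAD's error/error_description instead of a KeyError."""
    data = json.loads(raw)
    if "error" in data:
        raise RuntimeError(f"{data['error']}: {data.get('error_description', '')}")
    if "access_token" not in data:
        raise RuntimeError("token response carries no access_token")
    return data


def exchange_code(version, code, resource=None, scopes=None):
    """Network step: POST the form to the token endpoint and parse the reply."""
    url, body = build_token_request(version, code, resource, scopes)
    req = urllib.request.Request(url, data=body,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return parse_token_response(resp.read())


def graph_get(access_token, path):
    """Call Graph with the bearer token, e.g. path='/v1.0/sites?search=*' (needs Sites.Read.All)."""
    req = urllib.request.Request(GRAPH_RESOURCE + path,
                                 headers={"Authorization": "Bearer " + access_token})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    print("Open this URL, sign in, then paste the URL you were redirected to:")
    print(build_authorize_url(2, state, scopes=GRAPH_SCOPES))
    code = callback_code(input("> ").strip(), state)
    token = exchange_code(2, code, scopes=GRAPH_SCOPES)
    print(json.dumps(graph_get(token["access_token"], "/v1.0/sites?search=*"), indent=2))
```

Running the script prints the v2.0 authorize URL, waits for the redirect URL you land on after consenting, exchanges the code and lists sites through Graph. To hit the v1 endpoints for SharePoint instead, call build_authorize_url(1, state, resource=SPO_RESOURCE) and exchange_code(1, code, resource=SPO_RESOURCE), which is exactly the resource swap the note above describes.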