Access Denied when making Project Online API call


Hi All,

I'm able to get an access token. But when I try to make a Project Online API call using that token, I get "Access denied you do not have permission to perform this action or access this resource". Kindly let me know if I'm doing something wrong or missing anything, or the correct way to do it. Here are the details that I'm using for authentication:

  1. Client ID = ########################

  2. Tenant ID = #######################

  3. Client Secret = #####################

  4. Scope = https://graph.microsoft.com/.default

  5. Grant type = client_credentials

  6. Login URL = https://login.microsoftonline.com/{tenant_name}/oauth2/v2.0/token

  7. API Permission

[Image: 58503-image.png]

I'm using project server endpoint. Here are the details:

Endpoint URL= https://example.sharepoint.com/sites/PWA/_api/ProjectServer/Projects
Method= POST
Parameters= Authorization: Bearer {Access_Token}

Am I missing anything?

Thanks & Regards,
Rohan

3 Replies

Hello @rohanw24 ,

The Azure AD permissions don't grant access to Project Online. Typically access to Project Online can be via:

SharePoint Azure ACS using the SharePoint client ID and secret, but for some Project Online APIs, you will need to provide a username and password as part of the auth. You could use the SharePointOnlineCredentials class to help auth. These code samples might help: https://github.com/OfficeDev/Project-Samples

Here is a Stack Overflow post with a similar query - they went with the SP credentials class too: https://stackoverflow.com/questions/42521163/how-to-get-an-acs-app-only-access-token-for-project-onl...

Hope that helps

Paul
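
An added diagnostic example, not code from any poster in this thread: it decodes an access token without verifying it and checks whether its `aud` claim names the host being called. The sample token is constructed to carry the audience that the scope in the question (`https://graph.microsoft.com/.default`) requests; the function names and the role value are assumptions for illustration.

```python
import base64
import json
from urllib.parse import urlparse

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_claims(token: str) -> dict:
    """Payload claims of a JWT, signature NOT verified (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def audience_host(aud: str) -> str:
    """Host named by `aud`: a resource URL, or the ACS form
    '<principal>/<host>@<realm>'. Returns '' for a bare identifier."""
    if aud.startswith("https://"):
        return (urlparse(aud).hostname or "").lower()
    if "/" in aud and "@" in aud:
        return aud.split("/", 1)[1].rsplit("@", 1)[0].lower()
    return ""

def check_token_for(token: str, endpoint: str) -> dict:
    claims = token_claims(token)
    target = (urlparse(endpoint).hostname or "").lower()
    aud = claims.get("aud", "")
    return {
        "aud": aud,
        "target_host": target,
        "audience_matches": bool(target) and audience_host(aud) == target,
        # App-only tokens carry `roles`; delegated tokens carry `scp`.
        "roles": claims.get("roles", []),
        "scp": claims.get("scp", ""),
    }

def make_sample(payload: dict) -> str:
    # Constructed, unsigned token so the example runs offline.
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(payload) + ".sig"

ENDPOINT = "https://example.sharepoint.com/sites/PWA/_api/ProjectServer/Projects"
# Constructed claims: audience as requested by the Graph .default scope.
GRAPH_TOKEN = make_sample({"aud": "https://graph.microsoft.com",
                           "roles": ["Sites.Read.All"]})

print(check_token_for(GRAPH_TOKEN, ENDPOINT))
```

For the constructed token, `audience_matches` is `False`: the token is addressed to Microsoft Graph, while the request goes to `example.sharepoint.com`.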

Hi @Paul Mather,

Thank you for your reply. After using ReST.ps1 file for authentication, I'm now able to get Fed Auth ticket, Cookie, and Digest Value. Now I want to make a ReST API request to the project server endpoint through cURL. For example,

https://example.sharepoint.com/sites/PWA/_api/ProjectServer/Projects

What data/parameter must I include in the request header to ensure that I receive a valid response without an Access Denied error?

Thanks & Regards,

Rohan

Hi @Paul Mather,
Due to your words "...but for some Project Online APIs, you will need to provide a username and password...", do you suggest using a service account to call the Project's REST APIs?
I'm trying to access the Project Online REST APIs with a SharePoint App-Only registration (link to details), but I received different errors, and I'm starting to think that Project's API cannot be called via clientId and clientSecret/certificate.

Thanks.