SOLVED

AuthenticationManager.GetAppOnlyAuthenticatedContext Azure App API permissions access denied

When building a ClientContext based on an App ID and ClientSecret, you get an access denied while trying to access a SharePoint site. I have tried setting several API permissions, separately for SharePoint or Microsoft Graph, but the behavior stays the same.

 

var authManager = new AuthenticationManager();

using (var clientContext = authManager.GetAppOnlyAuthenticatedContext(siteUrl, _sharePointSettings.AppId, _sharePointSettings.AppSecret))
{
    clientContext.Load(clientContext.Web);
    clientContext.ExecuteQuery();
}

 

7 Replies
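
@Mathieu Marchant Did you use this method to create the app id and secret - https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs

If so what's the XML you used for the permissions?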

@Toby Statham I used the Azure Portal to register a new App under "Azure Active Directory" and from there I generated a new secret. Additionally, I also added SharePoint-related "API permissions" from there.

 

However, I still get an access denied. So what I need to do is look up the app with the appinv.aspx from within SharePoint and add additional permissions from there with the XML.

 

What I would expect is that setting the API permissions from the Azure Portal would be enough, but that doesn't seem to be the case. I suppose by using the AuthenticationManager, the credentials are built up in a different way?

Solution
If you're connecting to the SharePoint APIs using the Azure App registration you'll need to do it with a certificate as detailed here https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread

Otherwise use the method in my other post

@Toby Statham 

Please make sure you granted the appropriate API permission to the Azure AD app for SharePoint. You can do it by going to Azure AD and then 'App Registration' and then 'API Permissions'. Under Microsoft APIs, select SharePoint and then provide either delegated or application permission based on your requirement.

Has the admin given consent to your app?

For the first time, admin consent is required to use an app created from the Azure portal app registration.

@Rahul Suryawanshi The original poster had already done that, but was still getting an error. The problem is because a certificate needs to be created if you're accessing the SharePoint API using an Azure App registration (as detailed in the links I've provided in my replies). If you're using the GetAppOnlyAuthenticatedContext method you need to get the client id and secret through the SharePoint App registration method in AppRegNew.aspx.


@Toby Statham Okay, yeah, for the high trust, the SharePoint app requires certificate-based authentication. Thanks for pointing that out to me.
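
The two registration paths described in the accepted answer, side by side, as an added example that is not code from any poster in this thread. It assumes the OfficeDevPnP.Core package the question already uses, a certificate in the CurrentUser\My store whose public key has been uploaded to the Azure AD app registration, and admin consent already granted; the class name, site URL, tenant and the angle-bracket values are placeholders.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.SharePoint.Client;
using OfficeDevPnP.Core;

static class AppOnlyContextFactory   // hypothetical helper, not part of PnP
{
    // Azure AD app registration: app-only SharePoint access uses a certificate credential.
    public static ClientContext ForAzureAdApp(string siteUrl, string clientId, string tenant, string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly: false so a self-signed certificate is still found
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0)
                throw new InvalidOperationException("Certificate not found in CurrentUser\\My.");
            X509Certificate2 cert = found[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("Certificate has no private key; the token request cannot be signed.");
            if (DateTime.Now > cert.NotAfter)
                throw new InvalidOperationException("Certificate expired on " + cert.NotAfter.ToString("u"));
            return new AuthenticationManager()
                .GetAzureADAppOnlyAuthenticatedContext(siteUrl, clientId, tenant, cert);
        }
        finally { store.Close(); }
    }

    // Principal created in AppRegNew.aspx (SharePoint/ACS): client id and secret.
    public static ClientContext ForSharePointAcsApp(string siteUrl, string appId, string appSecret)
    {
        return new AuthenticationManager().GetAppOnlyAuthenticatedContext(siteUrl, appId, appSecret);
    }

    static void Main()
    {
        // Placeholder values (assumptions): replace with your tenant, app and certificate.
        using (var ctx = ForAzureAdApp("https://contoso.sharepoint.com/sites/demo",
            "<azure-ad-application-id>", "contoso.onmicrosoft.com", "<certificate-thumbprint>"))
        {
            ctx.Load(ctx.Web, w => w.Title);
            ctx.ExecuteQuery();
            Console.WriteLine(ctx.Web.Title);
        }
    }
}
```

Loading the certificate from the store by thumbprint keeps the private key out of configuration files, unlike a client secret or a .pfx password stored in app settings.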