get valid auth token from MSAL for SP Online?

I'm in the middle of writing a .Net client app and have been using the latest Graph SDK to access OneDrive.  To authenticate, I used MSAL and with the appropriate "scopes", this gets me an OAuth token that works great for OneDrive access.

Unfortunately, the Graph API (REST and SDK) are far from complete at this time.  I need to supplement my Graph calls with some more traditional ECM where OneDrive for Business and straight SP Online Libraries are concerned (calls like checkout/checkin/locking and related properties like who a file is checked-out to, etc.)  To do this, I thought I'd leverage "SharePoint CSOM for Online" until Graph "catches up". 

However, the access token received via MSAL is refused by the ClientContext of the user's site/list.  It always results in a 401: Unauthorized being returned from the service.

Does anyone have a code snippet or tips/tricks to use MSAL to get a valid access token for the user's same SP Library - just connecting directly to the SP Online services?  I could be missing explicit "scopes" to request in the MSAL authentication too.  I am getting the feeling that MSAL is not compatible with SP Online, and that would be really unfortunate.

Thanks for any pointers!

Hope the below post will help.

https://samlman.wordpress.com/2015/02/27/using-adal-access-tokens-with-o365-rest-apis-and-csom/

BTW: I have not personally tested the content listed in the above post.

I have seen that post before. In fact, I spent quite some time searching and reading before posting here...

That post uses ADAL assembly/library. From what I have read, it is the first gen support of AD authentication developed by MSFT. While it is still being worked-on, and probably worked _with_ by many projects, we have started with MSAL, which appears to be the eventual replacement for ADAL. (Thought was, if we're starting work "today", we should use MSFT's latest library and follow its direction.)

MSAL works great to get OAuth tokens for Graph - we have that working. We can't seem to get MSAL's AD tokens to work with SP Online. Integrating another auth library (especially one with very similar classes and methods) would be a nuisance and cause confusion and reduce maintainability. Thus, I'm trying to figure out how to get MSAL to do the same.

Thank you for your reply.

@AJWeber This is a really big issue for me right now as well... Building business apps with Graph works great until you run into some incomplete functionality. For example, creating a SharePoint site, or retrieving a SharePoint user id so that you can update a multiuser list field.

Is there active development under the beta graph? v1.0 after a couple years does not look like a good sign.

If anyone out there has already solved the issue of integrating CSOM or direct REST calls to SharePoint in a Microsoft.Graph MSAL application that would be a big help!

I would stick with CSOM, except that there is no good way to respect multi-factor logins... We really need Graph to be completed to unify authentication across the API families.

@Ed Alexander, @AJWeber, @Kevin Morgan

Did you find any solution for getting Access Token using MSAL.NET?

I am also stuck with this issue.

If someone can help with this it would be great.

I have also asked a question on MSAL.NET Repos as well.

Link is here: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/1439

@ArvindKumar Mepani

Hi, I was stuck like you and then I figured out that it works with the client credentials flow (certificate, not client / secret). Here is my proposed answer: https://stackoverflow.com/questions/54771270/msal-ad-token-not-valid-with-sharepoint-online-csom/600...

Please let me know.

@AJWeber I've spent a lot of time figuring this out, so I hope it could be useful for anyone.

For me it finally worked with exactly the same request via MSAL, but with the correct scope for SharePoint.
So, if you're requesting a token to use the MS Graph API, you should specify the scope as "https://graph.microsoft.com/.default", and if you want to get a token for the SP API, you should pass the scope as "https://{your tenant name}.sharepoint.com/.default".
".default" will give you access with all the permissions that were assigned in Azure AD, so also make sure that the Azure admin has granted you the required API permissions for the SharePoint API.
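Putting that scope change into working code, as an added example that is not from the thread or from Microsoft's own samples: it acquires a SharePoint-scoped token with MSAL.NET, attaches it to a CSOM ClientContext, and reads the check-out state the original question was after. The tenant, client id, site and file values in braces are placeholders, and the app registration is assumed to have a delegated SharePoint permission (such as AllSites.Read) consented in Azure AD.

```csharp
// Added example (not from the thread). Values in braces are placeholders;
// the app registration is assumed to have a delegated SharePoint permission consented.
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.SharePoint.Client;

class SpoTokenDemo
{
    const string TenantId = "{tenant-id}";
    const string ClientId = "{app-client-id}";
    const string SiteUrl  = "https://{tenant}.sharepoint.com/sites/{site}";
    // The resource in the scope must be the SharePoint host. A token requested for
    // "https://graph.microsoft.com/.default" has a Graph audience, which CSOM rejects with 401.
    static readonly string[] SpoScopes = { "https://{tenant}.sharepoint.com/.default" };

    static async Task Main()
    {
        IPublicClientApplication app = PublicClientApplicationBuilder.Create(ClientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .WithRedirectUri("http://localhost")
            .Build();
        AuthenticationResult auth;
        try
        {
            // Try the token cache first; the interactive fallback lets MFA run in the browser.
            var account = (await app.GetAccountsAsync()).FirstOrDefault();
            auth = await app.AcquireTokenSilent(SpoScopes, account).ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            auth = await app.AcquireTokenInteractive(SpoScopes).ExecuteAsync();
        }
        using var ctx = new ClientContext(SiteUrl);
        // CSOM knows nothing about MSAL: attach the bearer token to every outgoing request.
        ctx.ExecutingWebRequest += (s, e) =>
            e.WebRequestExecutor.RequestHeaders["Authorization"] = "Bearer " + auth.AccessToken;
        var file = ctx.Web.GetFileByServerRelativeUrl("/sites/{site}/Shared Documents/{file}.docx");
        ctx.Load(file, f => f.Name, f => f.CheckOutType);
        ctx.ExecuteQuery();
        Console.WriteLine($"{file.Name}: checkout={file.CheckOutType}");
        if (file.CheckOutType != CheckOutType.None)
        {
            // CheckedOutByUser is only populated while the file is checked out.
            ctx.Load(file.CheckedOutByUser, u => u.LoginName);
            ctx.ExecuteQuery();
            Console.WriteLine($"checked out by {file.CheckedOutByUser.LoginName}");
        }
    }
}
```

If the admin has not consented the SharePoint permission, the interactive call fails at consent time rather than at the CSOM request, which is the quickest way to tell the two failure modes apart.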