SharePoint Guest Users API Access - Unauthorized


Hello, 

We've built an Azure AD App that uses MSAL to authenticate against SharePoint. The auth flow works fine, until we try to access SharePoint resources with guest users. We've tried several solutions and configurations but we always get the answer: "Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."

Is there any policy that does not allow guest users to access SharePoint through the SharePoint API? Direct access to SharePoint works without a problem.

Thanks in advance

Michael

2 Replies
Hi
You cannot access the SharePoint API with the guest user privilege. Instead, you can try giving application permission to your Azure AD App so that the app will hold the permission to access SharePoint and the guest users will be able to access the app.

Hi @Sudharsan K 

Could you give more details on how to perform your recommendation?
As there are several instances of the same concepts between the guest and host, your recommended way is still quite obscure to me.