SharePoint REST API - Get StorageQuotas from tenant admin site using managed identity


Hi everybody,


I would like to automate the process of sending alerts when the SharePoint tenant storage quota reaches certain threshold levels.


I have found that I can perform a GET call on the following endpoint https://<mytenantname> to obtain information such as 'TenantStorageMB', 'GeoUsedStorageMB' and 'GeoAvailableStorageMB'.


I can use Logic Apps and perform the action 'Send an HTTP request to SharePoint' (built-in SharePoint Online connector) to obtain the information by connecting it with a SharePoint Administrator user account. However, I would like to use a managed identity instead for improved security. Hence, I have followed these steps:

  • enabled a system assigned managed identity on the Logic App
  • created a Key Vault in Azure
  • generated a certificate from within the Key Vault
  • created a new app registration in Entra ID
  • downloaded the certificate from the Key Vault (CER) and uploaded the certificate to the app registration
  • assigned application permissions (for testing purposes SharePoint Sites.FullControl.All), even tried to assign permissions to the Enterprise Application
  • allowed the Logic app to retrieve the certificate from the Key Vault

When I try to perform the same query, I get the following error message:

  "error": {
    "code": "-2147024891, System.UnauthorizedAccessException",
    "message": {
      "value": "Attempted to perform an unauthorized operation."

This is how I have configured the HTTP action; it always works, except for the query on this tenant admin site:


I would like to know how I could authorize the managed identity to perform the query on the SharePoint tenant admin site using the least privileged method. What am I doing wrong here?
Thanks for all help provided in advance!
6 Replies
So the issue is that you have not done the correct permission registration; you need to use the Add-in method for the REST API:

Thank you for your reply @NicolasKheirallah, helping me out.


I have been struggling for several hours to make this work now. On a demo tenant I have been able to make this work just fine and let Postman retrieve the list items of a list on a site collection, just for testing. Making use of the following article, also elaborating on SharePoint App-only permissions:


However, I am not able to retrieve the StorageQuotas from the tenant admin site using the Bearer access token. When I do so, I get the following error message: "{"error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."}"

Articles I found on the web seem to point to an inappropriately set scope or incorrect permissions.
I have followed the steps in your article to generate a new application, and for this test I had used the following permissions: <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />.


In Postman I have retrieved an access token as described here: and performed the request with, in the Headers, a key named 'Authorization' with the value 'Bearer <access token>'.
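
An added diagnostic example, not part of the thread: the `AudienceUriValidationFailedException` quoted above concerns the token's `aud` claim, so this Python code decodes a bearer token's payload (without verifying the signature) and compares the audience host with the host the request is sent to. The `contoso` hosts, the `/_api/placeholder` path and the unsigned sample token are constructed, and the two audience formats handled (URL form and `principal/host@realm`) are assumptions about what the token contains.

```python
import base64
import json
from urllib.parse import urlsplit


def jwt_claims(token: str) -> dict:
    """Decode the payload of a JWT WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_host(aud: str) -> str:
    """Extract the host from a URL-style or 'principal/host@realm' audience (assumed formats)."""
    if "://" in aud:
        return (urlsplit(aud).hostname or "").lower()
    if "/" in aud and "@" in aud:
        return aud.split("/", 1)[1].rsplit("@", 1)[0].lower()
    return aud.lower()


def check_audience(token: str, request_url: str) -> tuple[bool, str]:
    """Compare the token's 'aud' host with the host the request is sent to."""
    claims = jwt_claims(token)
    aud = claims.get("aud", "")
    auds = aud if isinstance(aud, list) else [aud]
    target = (urlsplit(request_url).hostname or "").lower()
    hosts = [audience_host(a) for a in auds]
    if target in hosts:
        return True, f"aud matches {target}"
    return False, f"token issued for {hosts}, request goes to {target}"


def constructed_token(aud: str) -> str:
    """Build an unsigned sample token for the demo (constructed, not a real token)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'aud': aud, 'roles': ['Sites.FullControl.All']})}.sig"


if __name__ == "__main__":
    admin_url = "https://contoso-admin.sharepoint.com/_api/placeholder"  # constructed host and path
    for aud in ("https://contoso.sharepoint.com",
                "https://contoso-admin.sharepoint.com"):
        print(aud, "->", check_audience(constructed_token(aud), admin_url))
```

Run it against the token copied from Postman and the exact URL being called; a mismatch means the token has to be requested again for the admin host rather than the permissions changed.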

Did you register the app under -Admin ?
Yes that is correct Nicolas. Unfortunately it didn't seem to help so far...

I am having a similar issue; the error I get is

{"error_description":"ID3035: The request was not valid or is malformed."}

for the API

Hi Lily,
In the meantime I managed to fix this myself. Do you have the SharePoint Administrator role assigned to the account you use to authenticate?
More info: