SharePoint REST API - Get StorageQuotas from tenant admin site using managed identity


Hi everybody,

 

I would like to automate the process of sending alerts when the SharePoint tenant storage quota reaches certain threshold levels.

 

I have found that I can perform a GET call on the following endpoint https://<mytenantname>-admin.sharepoint.com/_api/StorageQuotas()?api-version=1.3.2 to obtain information such as 'TenantStorageMB', 'GeoUsedStorageMB' and 'GeoAvailableStorageMB'.

 

I can use Logic Apps and perform the action 'Send an HTTP request to SharePoint' (built-in SharePoint Online connector) to obtain the information by connecting it with a SharePoint Administrator user account. However, I would like to use a managed identity instead for improved security. Hence, I have followed these steps:

  • enabled a system assigned managed identity on the Logic App
  • created a Key Vault in Azure
  • generated a certificate from within the Key Vault
  • created a new app registration in Entra ID
  • downloaded the certificate from the Key Vault (CER) and uploaded the certificate to the app registration
  • assigned application permissions (for testing purposes SharePoint Sites.FullControl.All), even tried to assign permissions to the Enterprise Application
  • allowed the Logic app to retrieve the certificate from the Key Vault

When I try to perform the same query, I get the following error message:

{
  "error": {
    "code": "-2147024891, System.UnauthorizedAccessException",
    "message": {
      "lang": "en-US",
      "value": "Attempted to perform an unauthorized operation."
    }
  }
}
 
This is how I have configured the HTTP action; it always works, except for the query on this tenant admin site:
[Screenshot: HTTP action configuration]

I would like to know how I could authorize the managed identity to perform the query on the SharePoint tenant admin site using the least privileged method. What am I doing wrong here?
 
Thanks for all help provided in advance!
 
6 Replies
So the issue is you have not done the correct permission registration; you need to use the Add-in method for the REST API:

https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs

Thank you for your reply @NicolasKheirallah, helping me out.

 

I have been struggling for several hours to make this work now. On a demo tenant I have been able to make this work just fine and let Postman retrieve the list items of a list on a site collection, just for testing, making use of the following article, which also elaborates on SharePoint App-only permissions: https://global-sharepoint.com/sharepoint-online/in-4-steps-access-sharepoint-online-data-using-postm...

 

However, I am not able to retrieve the StorageQuotas from the tenant admin site using the Bearer access token. When I do so, I get the following error message: "{"error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."}"

Articles I found on the web seem to point to an inappropriately set scope or incorrect permissions.
I have followed the steps in your article to generate a new application, and for this test I had used the following permissions: <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />.

 

In Postman I have retrieved an access token as described here: https://global-sharepoint.com/sharepoint-online/in-4-steps-access-sharepoint-online-data-using-postm... and performed the request with, in the Headers, a key named 'Authorization' and the value 'Bearer <access token>'.
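
Added example, not part of the original thread: a diagnostic that decodes a bearer token's payload and compares its `aud` claim with the host of the URL being called, which is the comparison an audience-validation failure like the one quoted above is about. The tenant name `contoso`, the realm id and the two audience shapes handled (an `https://` resource URL and the ACS form `<principal>/<host>@<realm>`) are assumptions; the tokens are constructed and unsigned.

```python
import base64
import json
from urllib.parse import urlparse

# SharePoint Online principal id that prefixes ACS-style audiences (assumed shape).
SPO_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000"

def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (diagnostic use only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audience_host(aud):
    """Return the host an 'aud' value targets, or None if the shape is not recognised."""
    if aud.startswith("https://"):
        return (urlparse(aud).hostname or "").lower() or None
    if aud.startswith(SPO_PRINCIPAL + "/"):
        return aud.split("/", 1)[1].split("@", 1)[0].lower() or None
    return None

def check_audience(token, request_url):
    """Compare the token audience with the host of the URL about to be called."""
    want = (urlparse(request_url).hostname or "").lower()
    aud = jwt_claims(token).get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    hosts = [audience_host(a) for a in auds if isinstance(a, str)]
    return {"expected": want, "audiences": auds, "match": want in hosts}

def fake_token(claims):
    """Build an unsigned, constructed token for the demo (not a real credential)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

if __name__ == "__main__":
    url = "https://contoso-admin.sharepoint.com/_api/StorageQuotas()?api-version=1.3.2"
    realm = "11111111-2222-3333-4444-555555555555"  # constructed realm id
    for aud in (f"{SPO_PRINCIPAL}/contoso.sharepoint.com@{realm}",        # token for the root site
                f"{SPO_PRINCIPAL}/contoso-admin.sharepoint.com@{realm}",  # token for the admin site
                "https://contoso-admin.sharepoint.com"):                  # resource-URL form
        print(check_audience(fake_token({"aud": aud}), url))
```

The decode step skips signature verification on purpose, so use it only to inspect a token you requested yourself, never to make an authorization decision.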

Did you register the app under -Admin?
Yes, that is correct, Nicolas. Unfortunately it didn't seem to help so far...

I am having a similar issue; the error I get is

{"error_description":"ID3035: The request was not valid or is malformed."}

for the API

 

https://tenant-admin.sharepoint.com/_api/StorageQuotas()?api-version=1.3.2

Hi Lily,
In the meantime I managed to fix this myself. Do you have the SharePoint Administrator role assigned to the account you use to authenticate?
More info: https://sharepointnomad.wordpress.com/2020/06/29/office-365-storage-utilization-alerts-with-a-power-...