3

I've gone through the following steps:

  1. Created an Azure AD application + client secret
  2. Granted SharePoint Sites.Selected permissions at Application level
  3. Given admin consent
  4. Granted FullControl to the app by using Grant-PnPAzureADAppSitePermission and Set-PnPAzureADAppSitePermission
  5. Generated the access token on endpoint https://accounts.accesscontrol.windows.net/{tenantId}/tokens/OAuth/2
  6. Used the token to access the site's REST API (e.g. _api/web)

I get 403 Forbidden. The response header x-ms-diagnostics has the value 3002002; reason=App principal does not exist.

What's going on here? Is Sites.Selected really supported for the SharePoint REST API or am I missing something else?

4
  • As per this blog, it should work for REST API as well. Check the video in the above link if it helps! Commented Nov 14, 2022 at 10:31
  • @GaneshSanap, that was also my expectation. Unfortunately, it doesn't work (tested today). Commented Nov 14, 2022 at 11:01
  • experiencing same problem using SP rest api (for graph it works fine) Commented Feb 14, 2023 at 17:19
  • related stackoverflow.com/questions/74612484/… Commented Mar 2, 2023 at 15:06

3 Answers

1

Got the confirmation from Microsoft support:

Can I use other means besides certificates for realizing app-only access for my Azure AD app?

No, all other options are blocked by SharePoint Online and will result in an Access Denied message.

https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread#can-i-use-other-means-besides-certificates-for-realizing-app-only-access-for-my-azure-ad-app

0

I think the previous answer may be wrong. In our experience it works like below (regarding token endpoints):

Used for Graph API:

https://login.microsoftonline.com/$YOURTenantName/oauth2/token

Used for SharePoint REST API v1:

https://accounts.accesscontrol.windows.net/{tenantId}/tokens/OAuth/2

For one site app we have x-ms-diagnostics with the value 3002002; reason=App principal does not exist.

Other sites and apps are working fine.

-1

It works for sure. You should get the access token from the right endpoint. It should be https://login.microsoftonline.com/$YOURTenantName/oauth2/token. https://accounts.accesscontrol.windows.net/{tenantId}/tokens/OAuth/2 is the endpoint for getting the token from ACS, which is valid only for those apps that have been registered via the appregnew page in the SharePoint site. Depending on the grant flow you will have to provide the right parameters (client id, secret or certificate credentials).

1
  • Your method gives 401: {"error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."} Commented Feb 20, 2023 at 9:35
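The flow the thread converges on (the accepted answer: Azure AD app-only access to SharePoint Online needs a certificate; the last answer: the token must come from login.microsoftonline.com for the SharePoint audience), as an added example that is not code from the question or any answer. Tenant name, ids, certificate path and site URL are placeholders, and it assumes PowerShell 7 for -SkipHttpErrorCheck.

```powershell
# Added example (not from the question or answers): certificate-based app-only access to
# SharePoint Online REST. All ids, paths and names below are placeholders; assumes PowerShell 7.
$TenantName = "contoso"                                 # placeholder tenant short name
$TenantId   = "00000000-0000-0000-0000-000000000000"    # placeholder directory (tenant) id
$ClientId   = "11111111-1111-1111-1111-111111111111"    # placeholder application (client) id
$CertPath   = "C:\certs\spo-app.pfx"                    # placeholder; its public key is uploaded to the app registration
$SiteUrl    = "https://$TenantName.sharepoint.com/sites/Finance"   # placeholder site granted via Grant-PnPAzureADAppSitePermission
$pfxPassword = Read-Host -AsSecureString -Prompt "PFX password"
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath, $pfxPassword)
function ConvertTo-Base64Url([byte[]]$Bytes) {
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

# Signed client assertion: proof of possession of the certificate's private key, bound to this
# tenant's token endpoint. A client secret has no equivalent, which is why that path is refused.
$now    = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$header = @{ alg = "RS256"; typ = "JWT"; x5t = (ConvertTo-Base64Url $cert.GetCertHash()) } | ConvertTo-Json -Compress
$claims = @{
    aud = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    iss = $ClientId; sub = $ClientId; jti = [guid]::NewGuid().ToString()
    nbf = $now; exp = $now + 600                        # valid for ten minutes only
} | ConvertTo-Json -Compress
$unsigned  = (ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes($header))) + "." +
             (ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes($claims)))
$rsa       = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$signature = $rsa.SignData([Text.Encoding]::UTF8.GetBytes($unsigned),
                [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$assertion = $unsigned + "." + (ConvertTo-Base64Url $signature)
# Token request: audience is the SharePoint tenant (not Graph) and the issuer is
# login.microsoftonline.com (not the ACS endpoint used for appregnew-registered apps).
$tokenResponse = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Body @{
    client_id             = $ClientId
    scope                 = "https://$TenantName.sharepoint.com/.default"
    client_assertion_type = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
    client_assertion      = $assertion
    grant_type            = "client_credentials"
}

# Call the site REST API; on failure surface x-ms-diagnostics rather than a bare 403.
$resp = Invoke-WebRequest -Uri "$SiteUrl/_api/web" -SkipHttpErrorCheck -Headers @{
    Authorization = "Bearer $($tokenResponse.access_token)"
    Accept        = "application/json;odata=nometadata"
}
if ($resp.StatusCode -ne 200) {
    Write-Warning "HTTP $($resp.StatusCode): $($resp.Headers['x-ms-diagnostics'])"
} else {
    ($resp.Content | ConvertFrom-Json).Title               # web title confirms the Sites.Selected grant works
}
```

A 403 with x-ms-diagnostics still showing "App principal does not exist" after switching to a certificate points at the site grant (step 4 in the question) rather than at the token request.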
