3

I have an app that would like to access the SharePoint API. I've registered it in AD and gave it the following permissions:

(screenshot of the app's API permissions)

But when I ask it to be authenticated with the following scopes

    - https://graph.microsoft.com/User.Read.All
    - https://graph.microsoft.com/Group.Read.All
    - https://graph.microsoft.com/Sites.Read.All
    - https://graph.microsoft.com/Calendars.Read.Shared
    - https://graph.microsoft.com/MailboxSettings.Read
    - https://graph.microsoft.com/Files.Read.All
    - https://graph.microsoft.com/Directory.Read.All
    - https://graph.microsoft.com/AuditLog.Read.All
    - https://graph.microsoft.com/AuditLog.Read.All
    - offline_access
    - https://manage.office.com/ActivityFeed.Read
    - https://microsoft.sharepoint-df.com/Sites.FullControl.All
    - https://microsoft.sharepoint-df.com/Sites.Read.All
    - https://microsoft.sharepoint-df.com/User.Read.All

I get this error:

    invalid_client&error_description=AADSTS650053: The application 'XXX' asked for scope
    'Sites.FullControl.All' that doesn't exist on the resource
    '00000003-0000-0ff1-ce00-000000000000'.
    Contact the app vendor.

What does it mean that it doesn't exist on the resource? With all the other scopes (except SharePoint's) everything works fine.

Alex L
  • 1,069
  • 2
  • 18
  • 33
  • Are the scopes listed above the ones you are passing in when requesting your access token from Azure AD? If so typically the resource URL for SharePoint uses the following syntax: "https://[tenantName].sharepoint.com" - SharePoint Online site, "https://[tenantName]-admin.sharepoint.com" - SharePoint Online Admin Center, "https://[tenantName]-my.sharepoint.com" - OneDrive for Business site – Brian T. Jackett MSFT May 13 '20 at 18:20
  • @BrianT.JackettMSFT when I use "https://[tenantName]-admin.sharepoint.com", it results in an exception - scope is not valid? Does Sites.FullControl.All normally mean the AAD app should have access to the admin site? – Shane Mar 25 '21 at 01:36
  • @Alex L was this ever resolved? I'm facing the same issue at the moment. – rvwsd Dec 15 '21 at 11:33

2 Answers

0

Looks like Sites.FullControl.All has moved to the Graph API section, but trying to add it in the Azure portal results in a different error saying that the permission is not currently supported (see the screenshot below).

In my test application, I succeeded using AllSites.FullControl (AllSites as a single word, no periods) and then listing all sites on SharePoint Online tenant with MSAL for .NET.

    using Microsoft.Identity.Client;

    // MyAppId is the app (client) id of the Azure AD registration.
    var app = PublicClientApplicationBuilder.Create(MyAppId)
        .WithAuthority("https://login.microsoftonline.com/common", false)
        .WithDefaultRedirectUri()
        .Build();

    // Delegated flow: the resource is the SharePoint tenant host, and "/.default"
    // requests every delegated permission already granted to the app for it.
    return await app
        .AcquireTokenInteractive(new string[] { "https://tenantxx.sharepoint.com/.default" })
        .WithParentActivityOrWindow(parentWindow) // optional, used to center the browser on the window
        .WithPrompt(Prompt.SelectAccount)
        .ExecuteAsync();

API Permissions in the Azure portal: (screenshot)

Philip Patrick
  • 311
  • 4
  • 6
  • 1
  • Those are two different permissions. The AllSites.FullControl is delegated, running under the user context. The Sites.FullControl.All was an application type (app only) permission, that allows the app to access the resource without a user. – Shai Petel Feb 09 '21 at 19:02
0

I ran into this same thing. It took a while but this was my clue: How to Access Sharepoint Online API with v1 Azure AD Application and Client Credentials

Using a client secret, I could get a token, but it would fail. Using a certificate, I was able to successfully authenticate.

Brett
  • 484
  • 6
  • 16
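As an added example (not code from either answer or from MSAL's own docs), here is the certificate-based app-only flow Brett describes, written with MSAL for .NET as in Philip's answer; the tenant, client id, PFX file and SharePoint host are placeholders.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

class SharePointAppOnlyDemo
{
    // Placeholder values: substitute your tenant, app (client) id and certificate.
    const string TenantId = "contoso.onmicrosoft.com";
    const string ClientId = "00000000-0000-0000-0000-000000000000";
    const string PfxPath = "app-cert.pfx";   // certificate uploaded to the app registration
    const string PfxPassword = "PLACEHOLDER";
    // The resource is the SharePoint tenant host: not graph.microsoft.com and not the
    // microsoft.sharepoint-df.com identifier from the question. Scope form: "<resource>/.default".
    const string SharePointHost = "https://contoso.sharepoint.com";

    static async Task<string> AcquireAppOnlySharePointTokenAsync()
    {
        // Certificate credential: SharePoint Online rejects app-only tokens issued to a
        // client secret, which matches the failure described in the answer above.
        var cert = new X509Certificate2(PfxPath, PfxPassword);
        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder.Create(ClientId)
            .WithCertificate(cert)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .Build();

        // Client credentials flow: no signed-in user, so granted application permissions
        // (e.g. Sites.FullControl.All) arrive in the token's "roles" claim, not "scp".
        AuthenticationResult result = await app
            .AcquireTokenForClient(new[] { $"{SharePointHost}/.default" })
            .ExecuteAsync();
        return result.AccessToken;
    }

    static async Task Main()
    {
        string token = await AcquireAppOnlySharePointTokenAsync();
        using var http = new HttpClient();
        http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
        http.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));

        // Smoke test: read the root web. A 401 with a valid-looking token usually means
        // the token was issued for the wrong resource or with a client secret.
        HttpResponseMessage resp = await http.GetAsync($"{SharePointHost}/_api/web");
        Console.WriteLine($"{(int)resp.StatusCode} {resp.ReasonPhrase}");
        Console.WriteLine(await resp.Content.ReadAsStringAsync());
    }
}
```

The application permission must be granted (and admin-consented) under the SharePoint API in the app registration before the token will carry it.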