Rakesh Patel: Access Token for SharePoint Online

Friday, April 15, 2022

Getting an Access Token for SharePoint Online

Prior to SharePoint 2019, SharePoint Administrators, SharePoint Developers, and Power Users could use SharePoint Designer for no-code workflow development. With the release of SharePoint 2019 and SharePoint Online, modern process automation is developed through Microsoft Flow. SharePoint Online leverages modern tools, like PowerApps and Flow for forms and workflow deployment.

As with the SharePoint 2013 workflow, developers can execute REST calls to accomplish workflow actions. To test REST calls that will be executed in a Flow, a tool like Postman can be leveraged. To successfully send REST calls, an access token will need to be obtained from Microsoft Azure Access Services. The below steps detail the process of obtaining an access token.

To begin, copy the text in the below box into a notepad. This text is generalized headers for the body of the HTTP Post request to retrieve the token. The text in bold will be replaced as the steps to obtain the token are followed.

grant_type=client_credentials
&resource=00000003-0000-0ff1-ce00-000000000000/TENANT-NAME.sharepoint.com@TENANT-ID
&client_id= GENERATED CLIENT-ID@TENANT-ID
&client_secret= GENERATED CLIENT-SECRET

Step 1 Register an App

Navigate to https://[TENANT -NAME].sharepoint.com/_layouts/15/appregnew.aspx

Open notepad
Click Generate next to Client ID
Copy the generated Client ID
In notepad, replace the bold GENERATED CLIENT ID text with the copied generated client id
Click Generate next to Client Secret
Copy the generated Client Secret
In notepad, replace the bold GENERATED CLIENT SECRET text with the copied generated client secret
Update App Domain with google.com
Update Redirect URL with https://localhost/
Click Create

Step 2 Grant APP-Only permission to the APP

Navigate to https://[TENANT-NAME].sharepoint.com/_layouts/15/appinv.aspx

Note: Client Id generated during APP registration appended with an @, followed by the Tenant ID

Paste the value of “Client Id:” from the notepad in the App Id field
Click Lookup
Update the Permission Request XML: field the below values:

<AppPermissionRequests AllowAppOnlyPolicy="true"><AppPermissionRequest
Scope="http://sharepoint/content/sitecollection/web"
Right="Read"/></AppPermissionRequests>

5. Click Create

Step 3 Get access token

Navigate to Site Setting > App Permissions
1. Locate the APP identifier that contains the Client Id generated during APP registration. The GUID on the right side of the @ is the Tenant ID. (You will need the Tenant ID in 3 places during the request build process)
  1. https://accounts.accesscontrol.windows.net/[Tenant ID]/OAuth/2
  2. Resource Header
  3. client_id Header

Update the Post Request Body in Notepad

In notepad, update the text as detailed below:

Key	Value	Notes
grant_type	client_credentials
resource	[SharePoint Online application principal ID]/[Tenant-Name].sharepoint.com@[Tenant-ID]	[SharePoint Online application principal ID] is always 00000003-0000-0ff1-ce00-000000000000 [Tenant-Name] with the tenant value as it appears in the sharepoint.com URL for the tenant [Tenant-ID] was obtained on Site Setting > App Permissions The GUID on the right side of the @ is the Tenant ID The / and @ are literal values. Use them where specified
client_id	[Client-ID]@[Tenant-ID]	Obtain this value by doing the following Site Setting > App Permissions Locate the APP identifier that contains the Client Id generated during APP registration. Copy everything to the right of \| (pipe) character.
client_secret	The client secret that was generated during APP registration

Build the Post Request URL

To obtain the access token, send a POST request to Microsoft Azure Access Control Service (ACS) account associated with Tenant. The URL is in the following format:

https://accounts.accesscontrol.windows.net/[Tenant-ID]/tokens/OAuth/2

[Tenant-ID] was obtained on Site Setting > App Permissions

The GUID on the right side of the @ is the Tenant ID