3

When trying to make a folder in a SharePoint site I get the following error:

{
  "error": {
    "code": "accessDenied",
    "message": "Access denied",
    "innerError": {
      "request-id": "61d3b5aa-857e-4ee2-9d0d-51d235ca7c5f",
      "date": "2020-05-18T06:31:54"
    }
  }
}

Notes:

  1. When using the Microsoft Graph Explorer, the request works.
  2. Other requests to Graph endpoints work.
  3. I used msgraph-sdk-php to make requests.
  4. This usually has to do with permissions, but my user has the following permissions set in Azure:

    Sites.Manage.All    Delegated.
    Sites.Read.All      Delegated.
    Sites.ReadWrite.All Delegated.
    
  5. Inside my .env I have the following permissions:

    OAUTH_SCOPES='openid profile offline_access user.read calendars.readwrite mail.readwrite mail.send'
    
  6. Url:

     https://login.microsoftonline.com/common/oauth2/v2.0/authorize?%20state={someState}%20&scope=openid%20profile%20offline_access%20user.read%20calendars.readwrite%20mail.readwrite%20mail.send%20&response_type=code&approval_prompt=auto&redirect_uri=http://localhost:8080/office365/token/store%20&client_id={myclientId}
    

What causes an error here?

Mister Verleg
  • @kerbholz Thank you, I use msgraph-sdk-php to send the requests. Maybe this is relevant. – Mister Verleg May 18 '20 at 06:56
  • 1
    Can you take a look at what actually gets sent down the wire? Have a look at this: https://mihai-albert.com/2020/05/13/using-microsoft-graph-to-modify-excel-files-stored-in-sharepoint-online-with-c/#fiddler-for-access-denied – Mihai Albert May 18 '20 at 13:51

3 Answers

2

You need to add one or more of the required scopes (Sites.Read.All, Sites.ReadWrite.All, Sites.Manage.All) in your OAUTH_SCOPES variable:

OAUTH_SCOPES='Sites.Manage.All ...'

So that your authorization URL is built like this:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?scope=Sites.Manage.All ...&client_id=...

PS: None of the aforementioned scopes require admin consent.

AlfredoRevilla-MSFT
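The fix in this answer, worked through as an added Python example that is not part of the answer or of msgraph-sdk-php: it parses an OAUTH_SCOPES-style string, refuses to build the v2.0 authorize URL unless a delegated Sites scope that permits writing is present, and lets urlencode() percent-encode every parameter so no literal spaces end up inside the scope or redirect_uri values (the URL in the question carries several stray %20 sequences around its parameters). One caveat on the scope list above: Sites.Read.All only grants reads, so the check here insists on Sites.ReadWrite.All or Sites.Manage.All for folder creation. The client ID, redirect URI and state are placeholders.

```python
"""Added example, not code from the answer or from msgraph-sdk-php:
build the Azure AD v2.0 authorize URL from an OAUTH_SCOPES-style string,
refusing to proceed when no write-capable SharePoint site scope is requested."""
from urllib.parse import parse_qs, urlencode, urlsplit

# Delegated scopes that allow creating a folder in a SharePoint document library.
# Sites.Read.All is deliberately absent: it permits reads only.
WRITE_SCOPES = {"sites.readwrite.all", "sites.manage.all"}


def parse_scopes(oauth_scopes: str) -> list:
    """Split the space-separated .env value. str.split() discards surrounding
    whitespace, so a trailing space in the variable cannot leak into the URL."""
    return oauth_scopes.split()


def missing_write_scope(scopes) -> bool:
    """True when no delegated scope that permits writing to SharePoint sites
    was requested. Scope names are matched case-insensitively."""
    return not any(s.lower() in WRITE_SCOPES for s in scopes)


def build_authorize_url(client_id, redirect_uri, scopes, state, tenant="common"):
    """Return the v2.0 authorization-code request URL. urlencode() performs the
    percent-encoding of every value, including the spaces inside 'scope'."""
    if missing_write_scope(scopes):
        raise ValueError(
            "OAUTH_SCOPES contains neither Sites.ReadWrite.All nor Sites.Manage.All; "
            "folder creation would return accessDenied")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
    }
    return (f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?"
            + urlencode(params))


def scopes_in_url(url: str) -> list:
    """Decode the 'scope' parameter back out of a built URL, for inspection."""
    return parse_qs(urlsplit(url).query)["scope"][0].split()


if __name__ == "__main__":
    # Placeholder values; real ones come from the app registration and .env.
    env_scopes = "openid profile offline_access user.read Sites.Manage.All"
    url = build_authorize_url("00000000-0000-0000-0000-000000000000",
                              "http://localhost:8080/office365/token/store",
                              parse_scopes(env_scopes), "someState")
    print(url)
    print(scopes_in_url(url))
```

Running the block with the question's original OAUTH_SCOPES value makes build_authorize_url raise before any request is sent, which is the point: the accessDenied on the folder POST is decided at the moment the consent request is built, not when Graph is called.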
1

You may have requested those permissions, but until you receive "consent" from an Administrator they will not be activated.

AAD has two forms of "consent": Admin and User. If a scope requires Admin Consent, then you need to obtain that consent before you can obtain User consent. All of the Sites.*.All scopes you've listed require Admin Consent.

You can find more details about consent (and how to obtain it) from Understanding Azure AD application consent experiences

Marc LaFleur
  • From what I understand I must make a GET request and ask for additional privileges? Is there a way to just allow an admin user all privileges? – Mister Verleg May 19 '20 at 07:48
  • 1
    You must request all the scopes you need as part of the authentication flow. If the user authenticating is a Global Admin, they can consent to any scope (i.e. Admin's don't require Admin Consent). – Marc LaFleur May 21 '20 at 21:15
1

You need to build a special URL and give it to a global admin to consent. Here is an example: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-admin-consent

After consent is done, it may take up to 24 hours until you get your permissions. Also, you can check your OAuth token here: https://jwt.io/

Sergiy Kostenko
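The two steps in this answer (an admin-consent URL to hand to a global admin, then checking what the token that comes back actually carries), as an added Python example that is not from the answer or from msgraph-sdk-php. Whether the tenant really needs admin consent for these scopes depends on its user-consent policy, and the token check works the same either way. The tenant, client ID and redirect URI are placeholders; the sample tokens are constructed inside the block with an empty signature purely so the decoder can be exercised offline. The decoder reads the payload without verifying the signature, which is enough to see what was granted (the same thing jwt.io shows) but must never be used to make an authorization decision.

```python
"""Added example, not code from the answer or from msgraph-sdk-php: build the
v2.0 admin-consent URL and inspect which scopes a returned access token carries."""
import base64
import json
from urllib.parse import urlencode

# Delegated scopes that permit creating folders in SharePoint sites.
WRITE_SCOPES = {"sites.readwrite.all", "sites.manage.all"}


def build_admin_consent_url(tenant, client_id, redirect_uri, scopes, state):
    """URL to hand to a global admin. On success Azure AD redirects back to
    redirect_uri with admin_consent=True and the same state value."""
    params = {
        "client_id": client_id,
        "scope": " ".join(scopes),
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return (f"https://login.microsoftonline.com/{tenant}/v2.0/adminconsent?"
            + urlencode(params))


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(token: str) -> dict:
    """Decode only the payload. This does NOT verify the signature: it shows
    what jwt.io would show and must not be used to authorize anything."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialized JWT")
    return json.loads(_b64url_decode(parts[1]))


def granted_scopes(token: str) -> set:
    """Delegated tokens list scopes in 'scp' (space-separated string);
    app-only tokens list application permissions in 'roles' (JSON array)."""
    claims = token_claims(token)
    if "scp" in claims:
        return set(claims["scp"].split())
    return set(claims.get("roles", []))


def can_write_sites(token: str) -> bool:
    """True when the token carries a scope that allows folder creation."""
    return any(s.lower() in WRITE_SCOPES for s in granted_scopes(token))


def _unsigned_sample_token(payload: dict) -> str:
    """Constructed sample for offline use: header + payload, empty signature.
    Azure AD never issues alg=none tokens; this exists only to feed the decoder."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"typ": "JWT", "alg": "none"}) + "." + enc(payload) + "."


# Constructed samples mirroring the question: the first token was minted from the
# original OAUTH_SCOPES, the second after Sites.Manage.All was added and consented.
TOKEN_BEFORE = _unsigned_sample_token({
    "aud": "https://graph.microsoft.com",
    "scp": "openid profile Calendars.ReadWrite Mail.ReadWrite Mail.Send User.Read",
})
TOKEN_AFTER = _unsigned_sample_token({
    "aud": "https://graph.microsoft.com",
    "scp": "openid profile Sites.Manage.All User.Read",
})


if __name__ == "__main__":
    print(build_admin_consent_url("contoso.onmicrosoft.com", "<client-id>",
                                  "http://localhost:8080/office365/token/store",
                                  ["Sites.Manage.All", "offline_access"], "someState"))
    print("before:", sorted(granted_scopes(TOKEN_BEFORE)), can_write_sites(TOKEN_BEFORE))
    print("after: ", sorted(granted_scopes(TOKEN_AFTER)), can_write_sites(TOKEN_AFTER))
```

If can_write_sites() is false on a token obtained after consent, the problem is usually that the app requested the scope in the consent URL but not in the later authorize or token request; the scp claim only reflects what was asked for in the flow that issued that token.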