
What I need: I need to read an Excel table from a Microsoft Teams channel with the Microsoft Graph API.
That is possible with the following URI:

https://graph.microsoft.com/v1.0/drives/someId/items/someId/workbook/tables/tableName/rows

The problem is that this endpoint needs a valid token.

There are 2 options:

  1. Create an Azure AD application that has access to the whole OneDrive.

  2. Create an Azure AD application to retrieve a token for a service user that has access to the needed files.

The problem with the first one is that I don't want to give it access to the whole OneDrive. I want it to have access to just one OneDrive folder. Maybe there is some possibility to limit the access to just one OneDrive folder?

I've tried the second alternative with the com.microsoft.aad.msal4j library:

        // Imports the snippet relies on (msal4j plus java.util.Collections)
        import java.util.Collections;
        import com.microsoft.aad.msal4j.IAuthenticationResult;
        import com.microsoft.aad.msal4j.PublicClientApplication;
        import com.microsoft.aad.msal4j.UserNamePasswordParameters;

        String APP_ID = "20106bdc-eec0-493d-b32f-526583aa95a6";
        String AUTHORITY = "https://login.microsoftonline.com/112121a0-cc1f-12af-1213-faaa12ef1b11/v2.0";
        // Public client: no client secret is configured on the builder
        // (authority() declares MalformedURLException)
        PublicClientApplication pca = PublicClientApplication.builder(APP_ID)
                .authority(AUTHORITY)
                .build();

        // Delegated scope requested for the user's token
        String scopes = "User.Read";
        // Username/password (ROPC) flow; userName and password come from the caller
        UserNamePasswordParameters parameters = UserNamePasswordParameters.builder(
                Collections.singleton(scopes),
                userName,
                password.toCharArray()).build();

        // acquireToken() returns a CompletableFuture; get() blocks until the token arrives
        // (declares InterruptedException and ExecutionException)
        IAuthenticationResult result = pca.acquireToken(parameters).get();

But this leads to the following exception:

com.microsoft.aad.msal4j.MsalServiceException: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.

Any ideas? Thank you

JetBrains
  • May be [this](https://github.com/Azure-Samples/active-directory-dotnetcore-devicecodeflow-v2/issues/9) could help. – megabyte1024 Nov 03 '20 at 18:30
  • @megabyte1024 I use supported account types: My organization only. The app has a secret defined, but you can't use it with PublicClientApplication. For the ConfidentialClientApplication I don't see the possibility to "acquireToken" with username and password. – JetBrains Nov 03 '20 at 18:37
  • Sorry. I meant [this comment](https://github.com/Azure-Samples/active-directory-dotnetcore-devicecodeflow-v2/issues/9#issuecomment-480306483). Is the `allowPublicClients` true? – megabyte1024 Nov 03 '20 at 18:43
  • @megabyte1024 Nice, that works now. I can access the user files, but in my case I needed Files.ReadWrite.All, because I need to access the shared files. Moreover you need to go to Settings, then Required Permissions, Press the Grant Permissions button. Then it works. Thanks! – JetBrains Nov 04 '20 at 15:23

2 Answers


For this issue, you need to learn about the difference between ConfidentialClientApplication and PublicClientApplication.

Please see Public Client and Confidential Client applications.

Public client applications are applications which run on devices (phones for instance) or desktop machines. They are not trusted to safely keep application secrets, and therefore access Web APIs in the name of the user only (they only support public client flows). Public clients are unable to hold configuration time secrets, and as a result have no client secret.

So for PublicClientApplication, we don't need a client secret.

What you need to do is (which you have found from this comment):

In the Application menu blade, select Manifest, and in the manifest editor, set the allowPublicClient property to true.

There is a completed sample with detailed steps here for your reference.

Besides, since you are trying to read an Excel table, the User.Read permission is not enough.

Based on List rows Permissions, you need to add the Files.ReadWrite delegated permission in the Azure AD app (app registration). And you should also specify it in your code.

Allen Wu
  • Nice, that works now. I can access the user files, but in my case I needed Files.ReadWrite.All, because I need to access the shared files. Moreover you need to go to Settings, then Required Permissions, Press the Grant Permissions button. Then it works. Thanks! – JetBrains Nov 04 '20 at 15:22
  • @JetBrains Glad to know this issue has been resolved. If my answer is helpful, you can mark it as accepted. Thank you. – Allen Wu Nov 05 '20 at 02:45

All steps that I've done, so that it works:

  1. I need to access a shared folder, so I needed to change the scope to "Files.ReadWrite.All" in my code.

  2. In the list of pages for the app, select API permissions, click the Add a permission button and then, ensure that the Microsoft APIs tab is selected. In the Commonly used Microsoft APIs section, click on Microsoft Graph. In the Delegated permissions section, ensure that the right permissions are checked: Files.ReadWrite.All. Use the search box if necessary. Select the Add permissions button.

  3. In the list of pages for the app, select Manifest, and in the manifest editor, set the allowPublicClient property to true, select Save in the bar above the manifest editor.

  4. Login as a tenant admin to https://portal.azure.com. Open the registration for your app. Go to Settings, then Required Permissions. Press the Grant Permissions button.

JetBrains
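The two answers above describe the same end state: a public client (no client secret, allowPublicClient set in the manifest) acquiring a delegated token for the signed-in user with a Files scope, then calling the workbook rows endpoint. The following is an added example, not code from the question or either answer, showing that exchange with only the Python standard library: the raw OAuth2 password-grant request that msal4j's UserNamePasswordParameters sends, a claim check that tells you before the Graph call whether the token actually carries the scope you asked for (the step where the thread got stuck until admin consent was granted), and the rows request itself. The environment variable names, the two sample tokens (constructed, unsigned, for offline use only) and the Graph application ID used for the audience check are this example's own assumptions.

```python
import base64
import json
import os
import sys
import time
import urllib.parse
import urllib.request

GRAPH_BASE = "https://graph.microsoft.com"
# Assumed: application ID of Microsoft Graph; v2.0 access tokens carry either
# this value or the URL above in their 'aud' claim.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"


def token_endpoint(tenant_id):
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def ropc_form(client_id, username, password, scopes):
    """Form body of the OAuth2 password grant. There is deliberately no
    client_secret: the registration must be a public client, otherwise Azure AD
    answers AADSTS7000218 exactly as in the question."""
    return {"client_id": client_id, "grant_type": "password",
            "username": username, "password": password, "scope": " ".join(scopes)}


def acquire_token(tenant_id, client_id, username, password, scopes):
    """Network call: POST the grant and return the access_token string."""
    body = urllib.parse.urlencode(ropc_form(client_id, username, password, scopes)).encode()
    req = urllib.request.Request(token_endpoint(tenant_id), data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def decode_jwt_claims(token):
    """Payload claims of a compact JWS, signature NOT verified. The client is not
    the token's audience (Graph is), so it cannot validate the token; this only
    reveals which scopes Azure AD actually issued."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def token_problems(claims, required_scopes, now=None):
    """Reasons Graph will reject the token: wrong audience, expired, or a
    required delegated scope missing from the space-separated 'scp' claim."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") not in (GRAPH_BASE, GRAPH_APP_ID):
        problems.append(f"audience is {claims.get('aud')!r}, not Microsoft Graph")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    granted = set(claims.get("scp", "").split())
    for scope in sorted(set(required_scopes) - granted):
        problems.append(f"scope {scope} not granted (consent missing?)")
    return problems


def rows_url(drive_id, item_id, table_name):
    q = urllib.parse.quote
    return (f"{GRAPH_BASE}/v1.0/drives/{q(drive_id)}/items/{q(item_id)}"
            f"/workbook/tables/{q(table_name)}/rows")


def fetch_rows(access_token, drive_id, item_id, table_name):
    """Network call: GET the table rows and return the list of row objects."""
    req = urllib.request.Request(rows_url(drive_id, item_id, table_name),
                                 headers={"Authorization": "Bearer " + access_token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]


def make_unsigned_token(claims):
    """Constructed, unsigned test token (alg 'none'). Azure AD never issues these
    and Graph never accepts them; used only to exercise the checks offline."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


# Constructed samples mirroring the thread: first only User.Read was requested,
# then Files.ReadWrite.All was added and consent granted.
TOKEN_USER_READ_ONLY = make_unsigned_token(
    {"aud": GRAPH_APP_ID, "scp": "User.Read", "exp": 4102444800})
TOKEN_FILES_RW_ALL = make_unsigned_token(
    {"aud": GRAPH_APP_ID, "scp": "Files.ReadWrite.All User.Read", "exp": 4102444800})


if __name__ == "__main__":
    # Live run only when all assumed environment variables are present.
    needed = ("TENANT_ID", "CLIENT_ID", "GRAPH_USER", "GRAPH_PASSWORD",
              "DRIVE_ID", "ITEM_ID", "TABLE")
    env = os.environ
    if not all(k in env for k in needed):
        sys.exit("set " + ", ".join(needed) + " to run against Graph")
    token = acquire_token(env["TENANT_ID"], env["CLIENT_ID"], env["GRAPH_USER"],
                          env["GRAPH_PASSWORD"], ["Files.ReadWrite.All"])
    problems = token_problems(decode_jwt_claims(token), ["Files.ReadWrite.All"])
    if problems:
        sys.exit("token will be rejected: " + "; ".join(problems))
    for row in fetch_rows(token, env["DRIVE_ID"], env["ITEM_ID"], env["TABLE"]):
        print(row["index"], row["values"])
```

Two caveats worth keeping in mind with this flow. The password grant hands the service user's password to your code and cannot complete any MFA or Conditional Access challenge, so it only works for accounts exempt from those policies; a device-code or authorization-code flow avoids handling the password at all. And, as the question itself notes, Files.ReadWrite.All is delegated to everything the service user can reach, not to one folder, so the effective boundary is the permissions of that account, which is the thing to keep tightly scoped.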