I'm trying to set up programmatic access to a corporate SharePoint Online site from a desktop app. My org has an Office 365 subscription.
I've set up a registered app in the Azure portal and granted the AllSites.Write permission.
Now, I'm trying to navigate to the following URL in a browser control:
URL = "https://login.microsoftonline.com/" + Tenant + "/oauth2/v2.0/authorize?" +
"client_id=" + ClientID +
"&response_type=code" +
"&redirect_uri=foo%3A%2F%2Fback" +
"&response_mode=query" +
"&scope=user.read%20allsites.write"
As soon as I do that, there's no UI; I immediately get a callback with the following error message:
AADSTS650053: The application 'MyApp' asked for scope 'allsites.write' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'. Contact the app vendor.
The scope is right there. What am I missing?
The same logon flow worked with a slightly different scope (Sites.ReadWrite.All), but then I found out that the Graph API didn't expose SharePoint list item attachments and decided to fall back to the legacy SharePoint REST API. Changed the scopes on the portal, changed the scopes in the logon URL, got the error.
The stale logon session couldn't get in the way, could it? Normally, when scopes change, the OAuth UI pops the permissions window, doesn't it?
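An added example, not code from the question above: the resource ID in the error, 00000003-0000-0000-c000-000000000000, is Microsoft Graph's application ID. The v2.0 endpoint resolves any bare scope name (user.read, allsites.write) against Microsoft Graph, and Graph has no AllSites.Write permission; that permission belongs to the SharePoint Online resource, so the scope has to be qualified with the tenant's SharePoint resource URI, e.g. https://contoso.sharepoint.com/AllSites.Write. The script below builds the authorize URL that way with urlencode (which takes care of the redirect URI encoding the question does by hand) and adds the state and PKCE parameters a public desktop client should send with an authorization-code request. The tenant, hostname, client ID and redirect URI are placeholders, not values from the question.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Microsoft Graph's application ID: the resource the v2.0 endpoint assumes
# for any scope that is not prefixed with a resource identifier URI.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"


def sharepoint_scope(sharepoint_host: str, permission: str) -> str:
    """Qualify a SharePoint Online permission (e.g. AllSites.Write) with the
    tenant's SharePoint resource URI so it is not resolved against Graph."""
    return f"https://{sharepoint_host}/{permission}"


def pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 PKCE method."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorize_url(tenant: str, client_id: str, redirect_uri: str,
                        scopes: list[str], state: str, code_challenge: str) -> str:
    """Build the v2.0 authorize URL; urlencode percent-encodes every value,
    including the custom-scheme redirect URI and the space-separated scopes."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,                      # echoed back; bind the callback to this request
        "code_challenge": code_challenge,    # PKCE: the code is useless without the verifier
        "code_challenge_method": "S256",
    }
    return (f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?"
            + urlencode(params))


def scope_param(url: str) -> str:
    """Read the decoded scope parameter back out of an authorize URL."""
    return parse_qs(urlsplit(url).query)["scope"][0]


def challenge_matches(verifier: str, challenge: str) -> bool:
    """Check that a verifier hashes to the challenge sent in the authorize URL."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode() == challenge


if __name__ == "__main__":
    # Placeholder tenant and app values (assumptions, not from the question).
    verifier, challenge = pkce_pair()
    url = build_authorize_url(
        tenant="contoso.onmicrosoft.com",
        client_id="11111111-2222-3333-4444-555555555555",
        redirect_uri="foo://back",
        scopes=[sharepoint_scope("contoso.sharepoint.com", "AllSites.Write")],
        state=secrets.token_urlsafe(16),
        code_challenge=challenge,
    )
    print(url)
```

Keep the verifier and state in memory until the callback arrives: reject a callback whose state does not match, and send the verifier with the code to the token endpoint. Note that a v2.0 token is issued for one resource, so the SharePoint REST scope and any Graph scopes (user.read) go in separate token requests even if they appear together in one consent prompt.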