Tags: azure, azure-active-directory, microsoft-graph-api, azure-ad-graph-api, microsoft-graph-files

How can I get a token for Microsoft Graph to read an excel table?


What I need: I need to read an Excel table from a Microsoft Teams channel with the Microsoft Graph API.
That is possible with the following URI:

https://graph.microsoft.com/v1.0/drives/someId/items/someId/workbook/tables/tableName/rows

The problem is that this endpoint needs a valid token.

There are 2 opportunities:

  1. Create an Azure AD application that has access to the whole OneDrive.

  2. Create an Azure AD application to retrieve a token for a service user that has access to the needed files.

The problem with the first one is that I don't want to give it access to the whole OneDrive. I want it to have access just to one OneDrive folder. Maybe there is some possibility to limit the access just to one OneDrive folder?

I've tried the second alternative with the com.microsoft.aad.msal4j library:

        // imports (top of the file)
        import java.util.Collections;
        import com.microsoft.aad.msal4j.IAuthenticationResult;
        import com.microsoft.aad.msal4j.PublicClientApplication;
        import com.microsoft.aad.msal4j.UserNamePasswordParameters;

        // App registration (client) id and the tenant-scoped v2.0 authority
        String APP_ID = "20106bdc-eec0-493d-b32f-526583aa95a6";
        String AUTHORITY = "https://login.microsoftonline.com/112121a0-cc1f-12af-1213-faaa12ef1b11/v2.0";
        // build() throws MalformedURLException and acquireToken(...).get() throws
        // InterruptedException/ExecutionException, so the enclosing method declares "throws Exception"
        PublicClientApplication pca = PublicClientApplication.builder(APP_ID)
                .authority(AUTHORITY)
                .build();

        // Only the User.Read delegated scope is requested here
        String scopes = "User.Read";
        // userName and password hold the service user's credentials (both String values)
        UserNamePasswordParameters parameters = UserNamePasswordParameters.builder(
                Collections.singleton(scopes),
                userName,
                password.toCharArray()).build();

        IAuthenticationResult result = pca.acquireToken(parameters).get();

But this leads to the following exception:

com.microsoft.aad.msal4j.MsalServiceException: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.

Any ideas? Thank you


Solution

  • For this issue, you need to learn about the difference between ConfidentialClientApplication and PublicClientApplication.

    Please see Public Client and Confidential Client applications.

    Public client applications are applications which run on devices (phones for instance) or desktop machines. They are not trusted to safely keep application secrets, and therefore access Web APIs in the name of the user only (they only support public client flows). Public clients are unable to hold configuration time secrets, and as a result have no client secret.

    So for PublicClientApplication, we don't need a client secret.

    What you need to do is (which you have found from this comment):

    In the Application menu blade, select Manifest, and in the manifest editor, set the allowPublicClient property to true.

    There is a completed sample with detailed steps here for your reference.

    Besides, since you are trying to read an Excel table, user.read permission is not enough.

    Based on List rows Permissions, you need to add Files.ReadWrite delegated permission in the Azure AD app (app registration). And you should also specify it in your code.
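The following is an added, complete example of the corrected flow described in the answer; it is not code from the question or the answer. It requests the Files.ReadWrite delegated scope instead of User.Read, acquires the token with MSAL4J's username/password flow against a public client registration (so no client secret is sent), checks the "scp" claim of the issued token before calling Graph, and then lists the table rows through the URI from the question. The client id, tenant id, drive id, item id and table name are placeholders to be substituted; the credentials are read from environment variables so they are not hard-coded. Two points worth keeping in mind for this setup: the username/password flow only works for accounts without MFA and puts the user's password in the application's hands, so the account should be a dedicated service user, and because the permission is delegated, the token can only reach what that user can reach, which is the practical way to confine the application to the folder the question asks about. The claim check only reads the token for diagnosis; the token is issued for Graph, and this client never validates it.

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import com.microsoft.aad.msal4j.IAuthenticationResult;
import com.microsoft.aad.msal4j.PublicClientApplication;
import com.microsoft.aad.msal4j.UserNamePasswordParameters;

public class ReadTableRows {

    // Placeholders: substitute the client id and tenant id of your app registration.
    static final String APP_ID = "<client-id-of-app-registration>";
    static final String AUTHORITY = "https://login.microsoftonline.com/<tenant-id>/v2.0";

    // Delegated scope named on the "List rows" permissions page. Requesting it is not
    // enough on its own: it must also be added to the app registration and consented to,
    // and allowPublicClient must be true in the manifest for this flow to work.
    static final String GRAPH_SCOPE = "Files.ReadWrite";

    // Placeholders for the drive, workbook item and table from the question's URI.
    static final String ROWS_URI =
        "https://graph.microsoft.com/v1.0/drives/<driveId>/items/<itemId>/workbook/tables/<tableName>/rows";

    public static void main(String[] args) throws Exception {
        String userName = System.getenv("GRAPH_USER");
        String password = System.getenv("GRAPH_PASSWORD");
        if (userName == null || password == null) {
            throw new IllegalStateException("set GRAPH_USER and GRAPH_PASSWORD");
        }

        // Public client: no client_secret is sent, which is why the registration must be
        // marked as a public client (otherwise AADSTS7000218 is returned).
        PublicClientApplication pca = PublicClientApplication.builder(APP_ID)
                .authority(AUTHORITY)
                .build();

        UserNamePasswordParameters parameters = UserNamePasswordParameters.builder(
                Collections.singleton(GRAPH_SCOPE),
                userName,
                password.toCharArray()).build();

        IAuthenticationResult result = pca.acquireToken(parameters).get();
        String accessToken = result.accessToken();

        // Cheap diagnostic before the Graph call: if the "scp" claim does not list the
        // requested scope, Graph will answer 403 and the token is not worth sending.
        String scp = grantedScopes(accessToken);
        if (!scp.contains(GRAPH_SCOPE)) {
            throw new IllegalStateException("token lacks " + GRAPH_SCOPE + "; scp=\"" + scp + "\"");
        }

        HttpRequest request = HttpRequest.newBuilder(URI.create(ROWS_URI))
                .header("Authorization", "Bearer " + accessToken)
                .header("Accept", "application/json")
                .GET()
                .build();
        HttpResponse<String> response = HttpClient.newHttpClient()
                .send(request, HttpResponse.BodyHandlers.ofString());
        if (response.statusCode() != 200) {
            throw new IllegalStateException("Graph returned " + response.statusCode() + ": " + response.body());
        }
        // Response body is JSON whose "value" array holds the table rows.
        System.out.println(response.body());
    }

    /** Returns the space-separated "scp" claim of a JWT payload, or "" if it is absent. */
    static String grantedScopes(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length < 2) {
            return "";
        }
        // JWT segments are base64url without padding; Java's URL decoder accepts that.
        String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        Matcher m = Pattern.compile("\"scp\"\\s*:\\s*\"([^\"]*)\"").matcher(payload);
        return m.find() ? m.group(1) : "";
    }
}
```

Run it with GRAPH_USER and GRAPH_PASSWORD set for the service user; if the scope was added to the registration but never consented to, the scp check fails before any Graph request is made, which separates a consent problem from a file-access problem.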