Project Online Authenticate OData Feed using Azure AD and Postman
I have recently spent a substantial amount of time determining how to authenticate an OData feed from Project Online using Azure AD and Postman. There are many posts in different forums about this, but I wasn't able to find a single post that gave a complete working example. Following is the method that I have used.
ASSIGN PERMISSIONS IN PROJECT ONLINE
Open Server Settings / Manage Groups.
Choose the Group that you want to allow to access the OData Feed and Ensure it has the Access Project Server Reporting Service under General in Global Permissions ticked.
CONFIGURE AZURE AD
Register a new app in Azure.
Define the Redirect Uri. (For postman, use https://oauth.pstmn.io/v1/callback)
Define a client secret
CONFIGURE POSTMAN
Create a new Request and define a Get query along the lines of the following. https://[Your Domain].sharepoint.com/sites/pwa/_api/ProjectData/Projects
This requests a list of projects.
Under params, add a new key accept = application/json if you want Json output. default is XML
Under Authorization Tab, choose the following:
- Type = OAuth 2.0
- Access Token = Available Tokens
- Header Prefix = Bearer
- Token Name = [Any Name you want]
- Grant Type = Authorization
- Code Callback URL = [tick Authorize Using Browser. This will then default to https://oauth.pstmn.io/v1/callback]
- Auth URL = https://login.microsoftonline.com/common/oauth2/v2.0/authorize
- Access Token URL = https://login.microsoftonline.com/common/oauth2/v2.0/token
- Client ID = [From Azure AD] Client Secret = [From Azure AD]
- Scope = https://[Your Tenant Name].sharepoint.com/ProjectWebAppReporting.Read
- State = [Anything you want]
- Client Authentication = Send client credentials in body.
If you enter all of this correctly and then press Get New Access Token, you should see a browser open, enter your credentials and then a token should return to Postman as shown in screenshots below. Press Use Token.
Note, if you are interested to see what the token contains, you can decode it at https://jwt.io/
At this point, press Send, run your query and confirm that the Body contains odata output.
EDIT NOTE:
I have made multiple adjustments to this answer as I identified and resolved multiple roadblocks that I encountered. It turned out to be quite simple in the end, but the key concept that was needed to get this right was that the Scope parameter needed to be targeted to the PWA site. ie. https://[your tenant name].sharepoint.com.au/user.read
- Access to fetch at https://accounts.google.com/o/oauth2/v2/auth has been blocked by CORS
- Role-based authentication not working with Keycloak and Java Spring
- What If Session Expires While User Is Still On The Website
- Remix run: Authentication succeeds on validation failures
- Google OAuth 2 Error 400: redirect_uri_mismatch but redirect uri is compliant and already registered in Google Cloud Console
- Using two or more SecurityFilterChains with Spring Security 6 does not work properly, only one chain is invoked
- What is the purpose of the 'state' parameter in OAuth authorization request
- OAuth 2.0 Single Client Configuration for Web and Mobile Applications
- OAuth 2 access_token vs OpenId Connect id_token
- Spring Security - Multiple OAuth2 Identity providers (github and google) work with only one Bean with @Prirmary?
- Error in oAuth2 Google APIs - invalid_request "You can't sign in to this app because it doesn't comply with Google's OAuth 2.0 policy"
- MSAL Node service & The Partner Center API
- How to change the app name for Firebase authentication (what the user sees)
- Generate token fails for Azure app which is both client and API (client credentials workflow)
- Is it okay to encrypt a 3rd party access token and refresh token, in an encrypted JWT?
- Is a Client Secret Required for Google OAuth 2.0 using the PKCE Authorization Flow? Should I Expose the Client Secret Publicly?
- What is the purpose of a "Refresh Token"?
- Pagination with oauth azure data factory
- How to use supabase google auth provider in react naive expo app
- How to bypass keycloak login page and provide client suggested idp with spring security
- Issue with Discord OAuth2 redirect_uri component
- npm install error - invalid package.json
- Google Identity Platform: Using OAuth 2.0 in Powershell using Firebase Admin SDK private key
- Can I get the company name/logo with the LinkedIn API?
- PayPal REST API credentials of another business or party
- Configuring spring-boot-starter-oauth2-client to authenticate with Azure AD
- Problems logging into coinbase api with oauth2
- Azure authentification for multiple audience using WithExtraScopesToConsent and AcquireTokenSilent
- Microsoft OAuth authorization code flow CORS
- How to authorize a request to the FCM v1 API with an access token