Search code examples
azurekotlinmobileazure-ad-msal

Sharepoint api not exposed when using graphApi token MSAL

enter image description hereSo, I am trying to read data from SharePoint. Whenever I try to do this, I get the following error: AADSTS650053: The application 'Application' asked for scope 'AllSites.Read' that doesn't exist on the resource I receive same errors for write and read permissions. I have tried using the Graph API, but it did not work for my specific case.

This is the scope

        "User.Read",
        "Files.Read.All",
        "Files.Read",
        "Sites.Read.All", 
        "AllSites.Read",   
        "AllSites.Write",  
        "AllSites.Manage"  
    )

Sign in I would say this is pretty stardar way of doing so

 private fun signIn() {
        val parameters = SignInParameters.builder()
            .withScopes(scopes)
            .withCallback(object : AuthenticationCallback {
                override fun onSuccess(authenticationResult: IAuthenticationResult) {
                    mAccount = authenticationResult.account
                    Log.d("MainActivity", "Sign-in successful access token : ${authenticationResult.accessToken}")
                    Log.d("MainActivity", "Account: ${authenticationResult.account.username}")

                    // Fetch user data after successful sign-in

                }

                override fun onError(exception: MsalException) {
                    Log.e("MainActivity", "Sign-in failed: ${exception.message}")
                }

                override fun onCancel() {
                    Log.d("MainActivity", "Sign-in cancelled")
                }
            })
            .withActivity(this)
            .build()

        mSingleAccountApp?.signIn(parameters)
    }

Initilization

  PublicClientApplication.createSingleAccountPublicClientApplication(
            this.applicationContext,
            R.raw.auth_config,
            object : IPublicClientApplication.ISingleAccountApplicationCreatedListener {
                override fun onCreated(application: ISingleAccountPublicClientApplication) {
                    mSingleAccountApp = application
                    loadAccount()

                }

                override fun onError(exception: MsalException) {
                    Log.d("MainActivity", "MSAL initialization failed: ${exception.message}")
                }
            })
Solution

  • Note that, you cannot combine both Microsoft Graph API and SharePoint API permissions in scope parameter.

    Initially, I too got same error when I included SharePoint API permissions like AllSites.Read along with Microsoft Graph API permissions like User.Read in scope parameter while generating token:

    enter image description here

    To resolve the error, make sure to remove all SharePoint API permissions and add only Microsoft Graph related permissions as you are calling Microsoft Graph API to list items.

    In my case, I added only Sites.Read.All Microsoft Graph permission of Delegated type in my app registration:

    enter image description here

    I generated the token by passing only Sites.Read.All in scope parameter. You can decode the token by pasting it in jwt.ms and check scp claim:

    enter image description here

    When I used this token to call below Graph API call, I got the response successfully with items in SharePoint list:

    GET https://graph.microsoft.com/v1.0/sites/siteId/lists/listId/items

    Response:

    enter image description here

    In your case, remove all SharePoint API permissions from scope parameter and pass only Sites.Read.All Microsoft Graph API permission.