sharepointmicrosoft-graph-apisharepoint-api

Obtain SharePoint specific access token for a non-user application


I am working on a PHP web app that needs to make HTTP requests to the Sharepoint API with Sites.Selected permission to a specific SharePoint site. It is NOT viable for me to provide a user sign-in experience so I need to treat it as a non-user/daemon application.

I've read the docs and looked at many different forums for the solution but as of yet I've been unsuccessfull in obtaining a SPO specific access token, although I think I'm close.

I am using this StackOverflow answer as a guide: https://stackoverflow.com/a/63386756/19038862

This is what I've done:

  1. Registered an Azure App: (Image of my Azure App Overview)
  2. Created a client secret in the App dashboard: (Image of the client secret page)
  3. Successfully sent a request to https://login.microsoftonline.com/{{app_tenant_id}}/oauth2/v2.0/token using the client secret in Postman: (Image of Postman request)

The request made in step 3 returns an access token (I assume a MS Graph access token?), but it DOES NOT return a refresh token, which is what the afforementioned StackOverflow answer suggests you need to "swap" for an SPO specific access token.

How do I obtain this refresh token so that I can swap it for a SPO access token? Or what better way is there to get my hands on a SPO specific access token from a non-user app?


Solution

  • I wrote this gist to guide you into getting Sites.Selected access to the desired site: https://gist.github.com/ruanswanepoel/14fd1c97972cabf9ca3d6c0d9c5fc542

    This guide shows you how to configure this as Application permissions, and via the Graph API.

    I've found going through the Graph API is the best way to go.

    Also strangely it's not possible to get delegated Sites.Selected permissions. You must set it up as an Application permission.