Call Graph API using the Azure Function managed identity is raising this error "Acces Denied"
We have an Azure Function on .NET 8.0. and we enabled the managed identity of the Azure Function. Then we run those commands as per this official MS link https://learn.microsoft.com/en-us/sharepoint/dev/apis/webhooks/sharepoint-webhooks-using-azd-template#grant-the-function-app-access-to-sharepoint-online:-
Power shell command:
# This script requires the modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns, which can be installed with the cmdlet Install-Module below:
# Install-Module Microsoft.Graph.Authentication, Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns -Scope CurrentUser -Repository PSGallery -Force
Connect-MgGraph -Scope "Application.Read.All", "AppRoleAssignment.ReadWrite.All"
$managedIdentityObjectId = "d3e8dc41-94f2-4b0f-82ff-ed03c363f0f8" # 'Object (principal) ID' of the managed identity
$scopeName = "Sites.Selected"
$resourceAppPrincipalObj = Get-MgServicePrincipal -Filter "displayName eq 'Office 365 SharePoint Online'" # SPO
$targetAppPrincipalAppRole = $resourceAppPrincipalObj.AppRoles | ? Value -eq $scopeName
$appRoleAssignment = @{
"principalId" = $managedIdentityObjectId
"resourceId" = $resourceAppPrincipalObj.Id
"appRoleId" = $targetAppPrincipalAppRole.Id
}
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $managedIdentityObjectId -BodyParameter $appRoleAssignment | Format-List
And this pnp command:
Connect-PnPOnline -Url "https://YOUR_SHAREPOINT_TENANT_PREFIX.sharepoint.com/sites/YOUR_SHAREPOINT_SITE_NAME" -Interactive -ClientId "YOUR_PNP_APP_CLIENT_ID"`
Grant-PnPAzureADAppSitePermission -AppId "3150363e-afbe-421f-9785-9d5404c5ae34" -DisplayName "YOUR_FUNC_APP_NAME" -Permissions Manage
Here is the code for the Azure Function, which uses the login user credential if I am inside development machine and uses the Azure Function managed identity on the hosted app:
if (Environment.GetEnvironmentVariable("AZURE_FUNCTIONS_ENVIRONMENT") == "Development")`
{
var credential = new InteractiveBrowserCredential(); // or AzureCliCredential
graphClient = new GraphServiceClient(credential);
}
else
{
var credential = new DefaultAzureCredential(); // Managed Identity
graphClient = new GraphServiceClient(credential);
var token = await new DefaultAzureCredential().GetTokenAsync(
new TokenRequestContext(new[] { "https://graph.microsoft.com/.default" })
);
_logger.LogInformation("Token acquired: " + token.Token.Substring(0, 20) + "...");
}
//Call to get the "Call Transfer Log Data" sharepoint list data`
try
{
var sitePath = "e**87";
var listId = "6*`*`*`*`";
var allItems = new List<ListItem>();
// Initial page request with Expand = fields
var page = await graphClient
.Sites[sitePath]
.Lists[listId]
.Items
.GetAsync(config =>
{
config.QueryParameters.Top = 100;
config.QueryParameters.Expand = new string[]{ "fields($select=*)" };
});
allItems.AddRange(page?.Value ?? []);
// code goes here...
}
Then I verified the setting, but running this command:
Get-PnPAzureADAppSitePermission -Site "<Site URL>"
I get this result:
Id : ***...-....
Roles : {Manage}
App : Microsoft.Azure.Functions – 3150363e-afbe-421f-9785-9d5404c5ae34
Also the :-
_logger.LogInformation("Token acquired: " + token.Token.Substring(0, 20) + "...");
will return a number, which means the token is been generated..
In the development environment, the code is working fine, while in the hosted Azure Function, the code raised an exception:
Access Denied
Any advice? It seems I use all the needed settings.
Thanks
Solution
Call Graph API using the Azure Function managed identity is raising this error "Acces Denied"
The error saying that you do not have full permissions to query the SharePoint list.
You have to also give below permission so that you can access the sharepoint list:
Sites.FullControl.All
- Deploying databricks with metastore / unity catalog in terraform
- ##[error]Error: Error: Failed to deploy web package to App Service. Conflict (CODE: 409)
- How can I know if the pipeline is using a Microsoft-hosted agent or self-hosted agent
- Azure SQL Sync between Subscriptions
- Why client ID and client secret are not injected into OAuth2ClientProperties?
- Azure Command-Line Interface (CLI) error running .NET 8 console app
- Spring Boot on Azure Service Fabric: Application Parameters not resolving in Environment Variables
- How to Minimize Egress Costs in Azure for Public Open Data Sharing
- is it possible to run KVM on Azure
- Can Azure pipelines cache public images?
- Resubmitting a message from dead letter queue - Azure Service Bus
- Why do I keep getting "401 unauthorized" response when sending mails through Graph API with delegated access?
- /azure-pipeline.yml (Line: 52, Col: 9): Unexpected value 'outputs' - Error in Azure build pipeline
- Using renovate with Azure Devops and Azure feed - authentication issue
- Azure won't show roleDefinition for directory roles
- How to Retrieve Amount of Storage Backed up (in GB) by Azure?
- Azure DevOps API Add public key
- Azure Cloud shell requires storage account
- Azure KQL Query render as chart, can't set y axis data or split to none
- Overriding default 5 min timeout for checkout repo step on Azure pipeline
- How to get list of Planner Tasks via Microsoft Graph similar to My Tasks web page?
- Azure auth for Outlook Graph API
- 'IAppBuilder' does not contain a definition for 'UseOpenIdConnectAuthentication'
- How to restrict Azure Entra group read permissions for a service principal to specific groups?
- Approving pipeline stage in Azure Devops via API
- Get info about approvals and checks for Azure DevOps environments
- ./<bundle_name> --environment <environment_name> not working on azure console
- (ContainerAppLabelsModeInvalidTraffic) In container apps labels revision mode a traffic weight and label must be provided for each active revision
- Azure function permision to truncate SQL table
- Azure ACS without the generated code and HttpHandlers?