SharePoint Online
4 Topics

Using a managed service identity to call into SharePoint Online. Possible?
Hi All, I have been playing around with Managed Service Identity in Azure Logic Apps and Azure Function Apps. I think it is the best thing since sliced bread and am trying to enable various scenarios, one of which is using the MSI to get an app-only token and call into SharePoint Online.

Using Logic Apps, I generated a managed service identity for my app and granted it Sites.readwrite.All on the SharePoint application. When then using the HTTP action I was able to call REST endpoints while using Managed Service Identity as Authentication and using https://<tenant>.sharepoint.com as the audience.

I then thought I'd take it a step further and create a function app and follow the same pattern. I created the app, generated the MSI, and added it to the Sites.readwrite.All role the same way I did with the Logic App. I then used the code below to retrieve an access token and try to generate a ClientContext:

    #r "Newtonsoft.Json"
    using Newtonsoft.Json;
    using System;
    using System.Net;
    using System.Net.Http;
    using System.Net.Http.Headers;
    using Microsoft.SharePoint.Client;

    public static void Run(string input, TraceWriter log)
    {
        string resource = "https://<tenant>.sharepoint.com";
        string apiversion = "2017-09-01";

        using (var client = new HttpClient())
        {
            // App Service MSI endpoint: GET MSI_ENDPOINT with the MSI_SECRET header
            client.DefaultRequestHeaders.Add("Secret", Environment.GetEnvironmentVariable("MSI_SECRET"));
            var response = client.GetAsync(String.Format("{0}/?resource={1}&api-version={2}",
                Environment.GetEnvironmentVariable("MSI_ENDPOINT"), resource, apiversion)).Result;
            var responseContent = response.Content;
            string responseString = responseContent.ReadAsStringAsync().Result.ToString();
            var json = JsonConvert.DeserializeObject<dynamic>(responseString);
            string accesstoken = json.access_token.ToString();

            // Attach the bearer token to every CSOM request instead of using CSOM's own auth
            ClientContext ctx = new ClientContext("<siteurl>");
            ctx.AuthenticationMode = ClientAuthenticationMode.Anonymous;
            ctx.FormDigestHandlingEnabled = false;
            ctx.ExecutingWebRequest += delegate (object sender, WebRequestEventArgs e)
            {
                e.WebRequestExecutor.RequestHeaders["Authorization"] = "Bearer " + accesstoken;
            };

            Web web = ctx.Web;
            ctx.Load(web);
            ctx.ExecuteQuery();
            log.Info(web.Id.ToString());
        }
    }

The bearer token is generated, but requests fail with a 401 access denied (reason="There has been an error authenticating the request.";category="invalid_client").

I have tried to change the audience to 00000003-0000-0ff1-ce00-000000000000/<tenant>.sharepoint.com@<tenantid> but that gives a different 401 error, basically stating it cannot validate the audience URI ("error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown.).

I have also replaced the CSOM call with a REST call mimicking the same call I did using the Logic App. My understanding of OAuth 2 is not good enough to understand why I'm running into an issue and where to look next. Why is the Logic App call using the HTTP action working, and why is the Function App not working? Anyone?

13K Views, 1 like, 3 Comments
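An added diagnostic for the Function App topic above; this is example code written for this page, not code from the original post or from Microsoft. When SharePoint answers with an audience or invalid_client error, the first thing to check is what the token you obtained from the MSI endpoint actually says: its aud claim, the appid, and whether the application permission shows up in roles. The block below builds the MSI request the same way the post does, then decodes the JWT payload without verifying the signature (inspection of your own token only, never validation) and compares aud against the two audience spellings the post tried. Python is used rather than the post's C# so it runs offline against a constructed token; the tenant name, tenant ID, app ID and MSI endpoint address are placeholders, and the claim names (aud, appid, roles) are those of an Azure AD v1 app-only token.

```python
"""Inspect an Azure AD access token before handing it to SharePoint Online.

Added example, not code from the original post. It decodes the JWT payload
WITHOUT verifying the signature, purely so the caller can see which audience,
app and roles the token carries; the resource server still does the real
validation. Tenant, tenant ID, app ID and MSI endpoint values are placeholders.
"""
import base64
import json
import os
from urllib.parse import urlencode

# SharePoint Online principal ID, taken from the post's second audience form.
SPO_PRINCIPAL_ID = "00000003-0000-0ff1-ce00-000000000000"


def msi_token_request(resource, api_version="2017-09-01", env=os.environ):
    """Return (url, headers) for the App Service MSI endpoint, as the post calls it.

    GET {MSI_ENDPOINT}/?resource=...&api-version=... with MSI_SECRET in a
    'Secret' header. Nothing is sent here; the caller performs the request.
    """
    endpoint = env["MSI_ENDPOINT"].rstrip("/")
    query = urlencode({"resource": resource, "api-version": api_version})
    return f"{endpoint}/?{query}", {"Secret": env["MSI_SECRET"]}


def _b64url_decode(segment):
    segment += "=" * (-len(segment) % 4)  # JWTs strip the '=' padding
    return base64.urlsafe_b64decode(segment)


def decode_jwt_claims(token):
    """Return the payload claims of a compact JWT. No signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def sharepoint_audiences(tenant, tenant_id):
    """The two audience spellings tried in the post, for one tenant."""
    return {
        f"https://{tenant}.sharepoint.com",
        f"{SPO_PRINCIPAL_ID}/{tenant}.sharepoint.com@{tenant_id}",
    }


def check_token(token, tenant, tenant_id, required_role="Sites.ReadWrite.All"):
    """Summarise whether aud/roles look right for app-only SPO access.

    Returns a dict so the caller can log every finding, not just pass/fail.
    AAD app-only tokens carry granted application permissions in 'roles'.
    """
    claims = decode_jwt_claims(token)
    aud = claims.get("aud", "")
    auds = aud if isinstance(aud, list) else [aud]
    roles = claims.get("roles", [])
    return {
        "aud": aud,
        "aud_ok": any(a in sharepoint_audiences(tenant, tenant_id) for a in auds),
        "appid": claims.get("appid"),
        "roles": roles,
        "has_role": required_role in roles,
    }


def make_unsigned_token(claims):
    """Build an alg=none JWT for offline tests only; SPO would reject it."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Constructed token standing in for what MSI_ENDPOINT would return.
    sample = make_unsigned_token({
        "aud": "https://contoso.sharepoint.com",
        "appid": "11111111-1111-1111-1111-111111111111",
        "roles": ["Sites.ReadWrite.All"],
    })
    print(check_token(sample, "contoso", "22222222-2222-2222-2222-222222222222"))
```

In a real Function App you would replace the constructed token with the access_token value returned by the MSI endpoint and log the dict from check_token; an aud that is not one of the two expected forms, or an empty roles list, points at the token request rather than at the CSOM or REST call.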
Azure Automation Runbooks using Powershell: Push notifications error?

I'm trying to run some PnP PowerShell commands in an Azure Runbook (e.g. Get-PnPContentType, Apply-PnPProvisioningTemplate, etc.) over a SharePoint site, but it keeps returning the error below:

    The Push Notifications feature is not activated on the site

The correct modules have been imported and it only errors on some commands. Running the commands in a PowerShell window with the same credentials doesn't produce any errors, and activating the 'Push Notifications' feature manually and retriggering the Runbook won't produce any error output, but will say that the Runbook failed to run 3 times.

4.1K Views, 0 likes, 1 Comment

How to prevent a group of users downloading SharePoint and MS Teams documents
Hi All, We need to prevent a group of users downloading files from SharePoint and MS Teams. We want them to be able to access and edit the files using Office Online, but not download and edit them locally. We have been able to do this for Outlook using these instructions https://www.b-fortyone.com/single-post/2016/06/07/Office-365-Prevent-downloading-attachments-via-Outlook-Web-App but we cannot do it for SharePoint and MS Teams. I hope you can help.

Colin

1.5K Views, 0 likes, 0 Comments

SharePoint Online & OneDrive for Business - Azure AD Conditional Access Policy!
Hello Everyone, We would like to enable the Azure AD conditional access policy for OneDrive for Business, particularly on granting "Required Approved Client Applications". We did the configuration as per the attached document and when we tried to access the OneDrive for Business web app, it is not allowing us to open it; instead it is stating that you should open the application from approved client applications. When we looked at the approved client applications, there is no browser included in the list. Can anybody help regarding this?

Thanks
Chandrasekaran C N

1K Views, 0 likes, 0 Comments