Access SharePoint content using Microsoft Graph API
Context
Microsoft Graph API now offers more granular permissions for accessing SharePoint Online (SPO) sites. Tenant-wide permissions are no longer required: an application can access SPO content with site-level permissions. These granular permissions reduce the security risk to the SharePoint tenant by limiting the application's access to a specific site collection. Developers can build solutions that use them to integrate collaboration tools with other enterprise applications.
Recently, I worked on a scenario where we needed to display announcements and help pages in our web application. The announcement and help content writers use Microsoft Teams and SharePoint for collaborating and authoring content, and they have automated workflows, language translation, approvals, tasks, etc., using Power Automate. I implemented an integration that reads the announcements and help content from the SPO site and displays it in the web application.
This article explains the steps to access a SharePoint site list using Microsoft Graph API with site-level permissions. Links for other details, such as workflow automation using Power Automate, are provided at the end.
Implementation details
You need an Azure Active Directory (AAD) application with permissions to access Microsoft Graph API and SPO site. Then you can call Microsoft Graph API to access the site list using an app token.
App creation and granting permissions.
1. Register an AAD app from the Azure portal and copy the client id, app name, secret, and tenant id to use in later steps. Refer to the Register your app with the Azure AD v2.0 endpoint — Microsoft Graph | Microsoft Docs article if you are new to creating an AAD app.
2. Grant the AAD app permission to access Microsoft Graph API. If users have access to the content, you can use delegated permissions; otherwise, use application permissions based on your scenario. Select the "Sites.Selected" permission to restrict access to the selected sites only.
3. A SharePoint tenant admin must grant the AAD app access to the selected site. The SPO tenant admin can use Graph Explorer to grant these permissions on the site.
Open the Graph Explorer tool https://developer.microsoft.com/en-us/graph/graph-explorer with SPO tenant admin credentials.
Get the site id by accessing https://<tenant>.sharepoint.com/sites/<site-url>/_api/site/id. The call returns the response below. Save the site id to use in later steps.
{"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#sites(id)/$entity", "id": "{hostname}.sharepoint.com,{siteid},{spweb.id}"}
4. Make a POST request to https://graph.microsoft.com/v1.0/sites/<<siteId>>/permissions to grant the AAD app permissions on the SPO site.
- Headers: Content-Type: application/json
- Body
{
  "roles": ["read"],
  "grantedToIdentities": [{
    "application": {
      "id": "<<client id from step 1>>",
      "displayName": "<<name of aad app created in step 1>>"
    }
  }]
}
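Added example, not code from the original post: the step-4 grant body built with the least-privilege role, plus an audit of a site's existing permission listing (the response shape of GET /sites/<<siteId>>/permissions) so a tenant admin can see which apps hold more than read on the site. The site-id lookup through Graph's path addressing (/sites/{hostname}:/{site-path}) and the sample ids are my assumptions.

```python
import json

GRAPH = "https://graph.microsoft.com/v1.0"
LEAST_PRIVILEGE_ROLE = "read"  # the only role a read-only integration needs

def site_lookup_url(hostname, site_path):
    """Graph path-addressing form that resolves a site to its composite id
    ('{hostname},{siteid},{webid}'), e.g. /sites/contoso.sharepoint.com:/sites/help"""
    return f"{GRAPH}/sites/{hostname}:/{site_path.strip('/')}?$select=id"

def grant_url(site_id):
    return f"{GRAPH}/sites/{site_id}/permissions"

def build_grant_body(client_id, display_name, roles=(LEAST_PRIVILEGE_ROLE,)):
    """Body for POST /sites/{id}/permissions, as in step 4 of the article."""
    return {
        "roles": list(roles),
        "grantedToIdentities": [{"application": {"id": client_id, "displayName": display_name}}],
    }

def audit_grants(permissions_response):
    """Summarise a permissions listing: which apps hold which roles, flagging
    any grant that goes beyond read-only."""
    findings = []
    for perm in permissions_response.get("value", []):
        roles = perm.get("roles", [])
        for ident in perm.get("grantedToIdentities", []):
            app = ident.get("application", {})
            findings.append({
                "app_id": app.get("id"),
                "display_name": app.get("displayName"),
                "roles": roles,
                "beyond_read": any(r != LEAST_PRIVILEGE_ROLE for r in roles),
            })
    return findings

# Constructed sample of a permissions listing (ids and names are made up)
SAMPLE_PERMISSIONS = json.loads("""{
 "value": [
  {"id": "perm1", "roles": ["read"],
   "grantedToIdentities": [{"application": {"id": "11111111-aaaa-4bbb-8ccc-000000000001", "displayName": "HelpPortalReader"}}]},
  {"id": "perm2", "roles": ["write"],
   "grantedToIdentities": [{"application": {"id": "22222222-aaaa-4bbb-8ccc-000000000002", "displayName": "LegacyIntegration"}}]}
 ]}""")

if __name__ == "__main__":
    print(json.dumps(build_grant_body("<<client id>>", "<<app name>>"), indent=1))
    for finding in audit_grants(SAMPLE_PERMISSIONS):
        print(finding)
```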
Accessing SharePoint Site content using Graph API
You can call Graph API from any Web API, Service, or using Graph SDK. You can use client SDKs if users have permissions on the SharePoint content.
In our scenario, we can't grant users access to the SharePoint list directly, because the users are external and the content is not user specific. So I used application-level permissions and authorize the users in Azure Functions before accessing the SharePoint site.
The steps for calling Graph API are essentially the same for application and delegated permissions; with delegated permissions you must use a user-context token instead of client credentials.
Create an Azure Function and implement the logic to authenticate and authorize the user. Once the user is authorized, you can access the site content.
1. Get an access token using client credentials, following the steps below.
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL, which this snippet uses
string authority = "https://login.microsoftonline.com/<<your AAD tenant id>>";
string clientId = "<<client id created in step 1>>";
string appKey = "<<secret generated in step 1>>";
// For Microsoft Graph the resource is https://graph.microsoft.com
string resource = "<<you can find resource id in app manifest file created in step 1>>";
var clientCredentials = new ClientCredential(clientId, appKey);
var context = new AuthenticationContext(authority, TokenCache.DefaultShared);
// Client-credentials flow: no user context, the token carries the app's own permissions
var result = await context.AcquireTokenAsync(resource, clientCredentials);
var accessToken = result.AccessToken;
2. You can call Graph API using the bearer token acquired in the step above. Below is sample code for making the API call.
using System.Net.Http;
// Reuse one HttpClient for the lifetime of the function app instead of creating one per call
HttpClient httpClient = new HttpClient();
string endpoint = "https://graph.microsoft.com/v1.0/sites/<<siteId>>/lists/<<listId>>/items?expand=fields";
HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, endpoint);
request.Headers.Add("Authorization", $"Bearer {accessToken}");
request.Headers.Add("Accept", "application/json");
// Allows $filter on non-indexed columns; see the note below
request.Headers.Add("Prefer", "HonorNonIndexedQueriesWarningMayFailRandomly");
HttpResponseMessage response = await httpClient.SendAsync(request);
response.EnsureSuccessStatusCode();
string json = await response.Content.ReadAsStringAsync();
You can select fields, filter, and order the data. $filter works only on indexed columns; to filter on non-indexed columns, pass the Prefer header shown in the snippet above (its name warns that such queries may fail). This call returns the SPO site list items in JSON format.
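The same two steps as a stand-alone Python script, added here and not part of the original post: a client-credentials token from the v2.0 endpoint with the .default scope, a diagnostic read of the token's roles claim, and the list-items query with $expand/$select, an optional $filter and the Prefer header. The list id, field names and the sample token and items are my own constructed assumptions.

```python
import base64
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

def get_app_token(tenant_id, client_id, client_secret):
    """Client-credentials grant at the v2.0 endpoint; the .default scope returns the
    app's consented Graph application permissions (Sites.Selected here)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    data = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret,
                                   "scope": "https://graph.microsoft.com/.default",
                                   "grant_type": "client_credentials"}).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=data)) as resp:
        return json.load(resp)["access_token"]

def token_roles(access_token):
    """Roles claim from the token payload, for diagnostics only: no signature check here
    (Graph validates the token); this just confirms which app permissions were issued."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload)).get("roles", [])

def list_items_url(site_id, list_id, fields, odata_filter=None):
    """GET /sites/{site}/lists/{list}/items, expanding only the columns needed."""
    url = f"{GRAPH}/sites/{site_id}/lists/{list_id}/items?$expand=fields($select={','.join(fields)})"
    if odata_filter:
        url += "&$filter=" + urllib.parse.quote(odata_filter, safe="/'")
    return url

def parse_items(items_response):
    """Flatten each list item to its 'fields' dict."""
    return [item.get("fields", {}) for item in items_response.get("value", [])]

def fetch_items(access_token, url, allow_non_indexed_filter=False):
    headers = {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}
    if allow_non_indexed_filter:
        # Required for $filter on non-indexed columns; the header name is the warning
        headers["Prefer"] = "HonorNonIndexedQueriesWarningMayFailRandomly"
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
        return parse_items(json.load(resp))

# Constructed samples (not real tokens or data), shaped like Graph's responses
def make_sample_token(roles):
    body = base64.urlsafe_b64encode(json.dumps({"roles": roles}).encode()).rstrip(b"=").decode()
    return f"hdr.{body}.sig"

SAMPLE_ITEMS = {"value": [{"id": "1", "fields": {"Title": "Maintenance window", "Status": "Published"}},
                          {"id": "2", "fields": {"Title": "Draft notice", "Status": "Draft"}}]}
```

Call get_app_token with the tenant id, client id and secret from step 1, check that token_roles reports Sites.Selected, then pass the token and list_items_url(...) to fetch_items.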
I hope you find this article helpful. Below I have additional resources for your quick reference. Please leave a comment if you have any further questions.
Reference Resources:
1. Microsoft Graph SDKs overview — Microsoft Graph | Microsoft Docs
2. Use SharePoint and Power Automate to build workflows — Power Automate | Microsoft Docs
3. Create permission — Microsoft Graph v1.0 | Microsoft Docs
4. Microsoft Graph permissions reference — Microsoft Graph | Microsoft Docs