How to use an Azure AD app to access a SharePoint site cross-tenant

Jie Yin 100 Reputation points
2024-03-28T10:18:43.2066667+00:00

I want to copy SPO files to Azure Storage in another tenant using ADF (cross-tenant), based on the docs: https://techcommunity.microsoft.com/t5/azure-data-factory-blog/sharepoint-online-multiple-files-folder-copy-with-http-connector/ba-p/2480426, but the error "token type is not allowed" happens when getting the SPO file list in step 2 (the step 1 token can be obtained successfully). After researching I found it (https://learn.microsoft.com/en-us/azure/data-factory/connector-troubleshoot-sharepoint-online-list#connection-failed-after-granting-permission-in-sharepoint-online-list) is because new SPO tenants do not support SharePoint App-only (https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs), as opposed to Azure AD App-only (https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread). How do I access the SPO file list using Azure AD app-only? That is, how do I get the access token with an Azure AD app, and how do I access the SPO file list using this token?


Accepted answer
    Anand Prakash Yadav, 5,765 Reputation points, Microsoft Vendor
    2024-03-29T12:22:59.9466667+00:00

    Hi Jie Yin, I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!

    Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to "Accept" the answer. Accepted answers show up at the top, resulting in improved discoverability for others.

    Issue:
    The issue arises when attempting to access SharePoint Online (SPO) resources across tenants using Azure Data Factory (ADF) with an Azure AD app-only authentication method. The error "Token type is not allowed" occurs during the process, indicating a problem with authentication.

    Root Cause:

    · The SharePoint tenant has disabled custom app authentication, leading to the "Token type is not allowed" error when using the SharePoint API.

    · The retirement of SharePoint app-only access necessitates transitioning to Azure AD app-only access with Graph API permissions for accessing SharePoint resources.

    Solution:

    To resolve the issue, the following steps are taken:

    1. Temporary Resolution:

    · Enable custom app authentication with the SharePoint API using the Set-SPOTenant -DisableCustomAppAuthentication $false command. This temporarily resolves the "Token type is not allowed" error.

    2. Transition to Azure AD App-Only Access:

    · Register an Azure AD application in the SharePoint tenant.

    · Grant necessary permissions to the Azure AD application, preferably using Graph API permissions instead of SharePoint API permissions.

    · Obtain an access token from the Azure AD token endpoint using the client ID, client secret, and tenant ID of the Azure AD application.

    · Access SharePoint resources using the Graph API with the obtained access token.

    3. Grant App Permissions on SharePoint Sites:

    · If required, grant specific permissions to the Azure AD application for accessing individual SharePoint sites.

    · This can be done either through the SharePoint site appinv page or using the PnP PowerShell module.

    4. Implementation:

    · Utilize the registered Azure AD application and the Graph API to access SharePoint resources across tenants.

    · Ensure proper handling of permissions and token management to maintain secure access.


1 additional answer

    Jie Yin, 100 Reputation points
    2024-03-29T09:44:32.9+00:00

    This question has been resolved; the summary is:

    1. The "Token type is not allowed" error will happen when you use the SharePoint API (https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/get-to-know-the-sharepoint-rest-service?tabs=csom) with SharePoint app-only to access SharePoint. The token endpoint is usually https://accounts.accesscontrol.windows.net, and the SharePoint tenant has ACS app access disabled (the default setting for tenants built after Nov. 2018).

    You can find the details at: https://learn.microsoft.com/en-us/fabric/data-factory/connector-troubleshoot-sharepoint-online-list#connection-failed-after-granting-permission-in-sharepoint-online-list. You can run the command below to resolve it temporarily, as this feature will be retired soon:

    Set-SPOTenant -DisableCustomAppAuthentication $false
    

    2. Since SharePoint app-only access will be retired, you should transition to Azure AD app-only access and use the Graph API (https://learn.microsoft.com/en-us/sharepoint/dev/apis/sharepoint-rest-graph) to continue accessing SharePoint. The token endpoint should be https://login.microsoftonline.com. In this mode, you must create the app in the Entra ID app registration and grant Graph API permissions, not SharePoint API permissions.

    3. If you do not want the app to be able to access all SharePoint sites, you MUST grant the app the Sites.Selected permission, then use one of the following methods to authorize a specific site. The detailed document is: https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins-modernize/understanding-rsc-for-msgraph-and-sharepoint-online

    3.1 Use the SharePoint site appinv page with permissions XML (will also be retired on 2026/4/2)

    1) Open the site page: https://[your_site_url]/_layouts/15/appinv.aspx

    2) Look up the app ID (it can be found in the Entra ID app registration)

    3) Grant the app access to the site with permissions in XML format (the sample is the Read permission).

    <AppPermissionRequests AllowAppOnlyPolicy="true">
      <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Read"/>
    </AppPermissionRequests>

    4) Create and trust the app.

    5) You can see the registered app at: https://[your_site_url]/_layouts/15/appprincipals.aspx, and you can click the X (before the app name) to remove the app's permissions.

    3.2 Use the PnP PowerShell module (recommended)

    The PnP PowerShell module is open source: https://pnp.github.io/powershell/articles/installation.html; it needs PowerShell 7.2 or later to run.

    1) Install PowerShell 7.4 (the latest version currently):

    winget install --id Microsoft.Powershell --source winget
    

    2) Install the PnP PowerShell module:

    Install-Module PnP.PowerShell -Scope CurrentUser
    

    3) Import the PnP PowerShell module:

    Import-Module PnP.PowerShell
    

    4) Connect to the SharePoint site interactively (if the site admin user has MFA, interactive or device login is required):

    Connect-PnPOnline [your_site_url] -Interactive
    

    5) Grant the app ID Read access to the site:

    Grant-PnPAzureADAppSitePermission -AppId "[App ID]" -DisplayName "[App Displayname]" -Permissions Read -Site [your_site_url]
    

    6) Get the app's permissions on the site:

    Get-PnPAzureADAppSitePermission -Site [your_site_url]
    

    7) Revoke the app's permission on the site:

    Revoke-PnPAzureADAppSitePermission -Site [your_site_url] -PermissionId "[Id, found in the output of the Get command or recorded from the Grant command output]"
    

    4. After granting the app permission on the site, you can use it to access SharePoint with Azure AD app-only using the Graph API.

    Enjoy it. :)

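A worked example of steps 2 and 4 of both answers above (obtain an app-only token from the Entra ID v2.0 token endpoint, then list a document library through Microsoft Graph), added here as an illustration; it is not code from either answer or from any Microsoft sample. It uses only the Python standard library. The tenant ID, client ID, client secret, hostname (`contoso.sharepoint.com`) and site path (`/sites/teamA`) are placeholders, and `demo()` runs entirely offline on a constructed unsigned token and a constructed two-page Graph response. The part worth keeping in a pipeline is the pre-flight claim check: it refuses a token whose `aud` is not Microsoft Graph (an ACS-issued SharePoint token, the kind behind the "token type is not allowed" error on this page) or that carries no `Sites.*` application role, before the token is ever sent.

```python
"""Entra ID app-only access to a SharePoint Online library via Microsoft Graph.

Added example, not code from the original page. Tenant, app and site values
are placeholders; demo() runs offline on constructed data.
"""
import base64
import io
import json
import time
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com"
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Graph's app id; the other form its aud claim takes
SITES_APP_ROLES = {"Sites.Selected", "Sites.Read.All", "Sites.ReadWrite.All", "Sites.FullControl.All"}


def token_request(tenant_id, client_id, client_secret):
    """Client-credentials request for the v2.0 token endpoint; returns (url, form_body).

    The scope must be Graph's .default: a token minted for the SharePoint
    resource (ACS style) is exactly what Graph rejects.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{GRAPH}/.default",
    }).encode()
    return url, body


def jwt_claims(token):
    """Decode a JWT payload for inspection only; Graph verifies the signature, this does not."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_problems(claims, now=None):
    """Pre-flight checks on an app-only token; returns the reasons it will fail, empty if usable."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") not in (GRAPH, GRAPH_APP_ID):
        problems.append(f"aud {claims.get('aud')!r} is not Microsoft Graph (e.g. an ACS/SharePoint token)")
    roles = set(claims.get("roles", []))
    if not roles:
        problems.append("no 'roles' claim: no application permission granted, or a delegated (scp) token")
    elif not roles & SITES_APP_ROLES:
        problems.append(f"roles {sorted(roles)} contain no Sites.* application permission")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems


def drive_children_url(hostname, site_path, folder=""):
    """Graph URL listing a folder of the site's default document library (placeholder host/site)."""
    base = f"{GRAPH}/v1.0/sites/{hostname}:/{site_path.strip('/')}:/drive/root"
    if folder:
        return f"{base}:/{urllib.parse.quote(folder.strip('/'))}:/children"
    return f"{base}/children"


def list_files(access_token, hostname, site_path, folder="", opener=urllib.request.urlopen):
    """Walk the listing, following @odata.nextLink; returns [(name, size, is_folder), ...].

    `opener` is injectable so demo() can supply constructed responses instead of urlopen.
    """
    url = drive_children_url(hostname, site_path, folder)
    items = []
    while url:
        req = urllib.request.Request(url, headers={
            "Authorization": f"Bearer {access_token}",
            "Accept": "application/json",
        })
        with opener(req) as resp:
            page = json.load(resp)
        for item in page.get("value", []):
            items.append((item["name"], item.get("size", 0), "folder" in item))
        url = page.get("@odata.nextLink")  # absent on the last page
    return items


def _unsigned_jwt(claims):
    """Constructed token for the offline demo; real tokens are signed, this one is not."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


def demo():
    """Offline walk-through on constructed data; returns the results for inspection."""
    far_future = 4102444800  # 2100-01-01, so the constructed tokens never look expired
    graph_token = _unsigned_jwt({"aud": GRAPH, "roles": ["Sites.Selected"], "exp": far_future})
    acs_token = _unsigned_jwt({  # constructed: the shape of an ACS token for the SharePoint principal
        "aud": "00000003-0000-0ff1-ce00-000000000000/contoso.sharepoint.com@tenant-guid",
        "exp": far_future,
    })
    pages = iter([  # constructed two-page Graph listing
        {"value": [{"name": "a.csv", "size": 10, "file": {}},
                   {"name": "sub", "folder": {"childCount": 1}}],
         "@odata.nextLink": f"{GRAPH}/v1.0/sites/x/drive/root/children?$skiptoken=constructed"},
        {"value": [{"name": "b.csv", "size": 20, "file": {}}]},
    ])
    fake_graph = lambda req: io.BytesIO(json.dumps(next(pages)).encode())  # stands in for urlopen
    return {
        "graph_token_problems": token_problems(jwt_claims(graph_token)),
        "acs_token_problems": token_problems(jwt_claims(acs_token)),
        "files": list_files(graph_token, "contoso.sharepoint.com", "/sites/teamA", opener=fake_graph),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against a real tenant you would POST the body from `token_request()` to its URL, read `access_token` from the JSON reply, run `token_problems(jwt_claims(token))` and only then call `list_files()` with the default opener. With `Sites.Selected` the listing returns 403 until the site grant from step 3 is in place, which is the expected failure mode rather than an authentication error.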