Consume SPO REST API in PowerShell with ACS App Only Credentials
I was working with a customer who wanted to quickly test his App permissions. He first created the App credentials (Client ID and Client Secret) via the https://tenant.sharepoint.com/sites/yoursite/_layouts/15/appregnew.aspx page.
Then he gave the App some permissions via the https://tenant.sharepoint.com/sites/yoursite/_layouts/15/appinv.aspx page.
After creating the App, my customer saved its client ID and client secret but did not save its permissions. He wanted a simple way to check the App permissions and scope, for example: Scope="https://sharepoint/content/sitecollection" Right="Read".
I suggested the following PowerShell script, which consumes the SPO REST API with the App credentials:
```powershell
####################################################################################
# This script is provided as an example. It must not be used in a production environment.
# It shows how to obtain a token to call the SharePoint Online REST API. The token must be
# acquired once and then stored on the server. Every time the API is used, it is refreshed
# before being used.
####################################################################################
Import-Module SharePointPnPPowerShellOnline

# Connect with the ACS App Only credentials (client ID and client secret)
Connect-PnPOnline "https://<your-tenant>.sharepoint.com/sites/<your-site>" -AppId "<your_client_id>" -AppSecret "<your_client_secret>"

# Keep the token in the variable. Piping it to Clip would leave the variable empty
# and put the bearer token on the clipboard.
$PnPAccessToken = Get-PnPAppAuthAccessToken

# REST endpoint to test: a 200 response means the App can read this list
$uri = "https://<your-tenant>.sharepoint.com/sites/<your-site>/_api/web/lists/getbytitle('Documents')"
$contentType = 'application/json;odata=verbose'
[Microsoft.PowerShell.Commands.WebRequestMethod]$Method = [Microsoft.PowerShell.Commands.WebRequestMethod]::Get

$Headers = @{}
$Headers["Accept"] = "application/json;odata=verbose"
$Headers.Add('Authorization', 'Bearer ' + $PnPAccessToken)
$Body = $null

Invoke-RestMethod -Method $Method -Uri $uri -ContentType $contentType -Headers $Headers -Body $Body
```
You can of course change the REST endpoint. For example, use "_api/web/title" to get the title of the SPWeb and check the permissions at the Web level only.
As you can see, this script relies on the PnP PowerShell module. You can:
- Install it directly in PowerShell:
Install-Module SharePointPnPPowerShellOnline -SkipPublisherCheck -AllowClobber
- Install it via an executable file:
https://github.com/SharePoint/PnP-PowerShell/releases
Note: The above script won't work with AAD App Only credentials. You may use the following script for an App declared in AAD (and not in ACS).
```powershell
####################################################################################
# This script is provided as an example. It must not be used in a production environment.
# It shows how to obtain a token to log into the Graph API. The token must be acquired once
# and then stored on the server. Every time the Graph API is used, it is refreshed before
# being used.
####################################################################################
Import-Module SharePointPnPPowerShellOnline
#Connect-PnPOnline

# Request only the Graph scope needed for the report
$arrayOfScopes = @("Reports.Read.All")
$ConnectPnPGraph = Connect-PnPMicrosoftGraph -Scopes $arrayOfScopes
$PnPAccessToken = Get-PnPAccessToken

# Single slash between the base URL and the path
$uri = "https://graph.microsoft.com/beta" + "/reports/SharePointActivity(view='Detail',period='D7')/content"
# $authHeader = @{
# 'Content-Type'='application\json'
# 'Authorization'= $PnPAccessToken
# }
Invoke-RestMethod -Uri $uri -Headers @{Authorization = "Bearer $PnPAccessToken"}
```
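To see what a token obtained this way actually carries, its claims can be decoded locally instead of being pasted into another tool. The following is an added example, not part of the original post: the function names are hypothetical, the sample token is constructed, and the signature is not validated. For AAD-issued tokens the `scp` (delegated) or `roles` (app-only) claim lists the granted permissions.

```powershell
# Added example (not from the original post). Decodes JWT claims only;
# it does NOT verify the signature, so use it for inspection, not for trust decisions.
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    # base64url -> base64: swap the URL-safe alphabet and restore '=' padding
    $b64 = $Value.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        1 { throw 'Invalid base64url length' }
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

function Get-TokenClaims {
    param([Parameter(Mandatory)][string]$AccessToken)
    $parts = $AccessToken.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a JWT: expected header.payload.signature' }
    $claims = ConvertFrom-Base64Url -Value $parts[1] | ConvertFrom-Json
    if ($null -eq $claims.exp) { throw 'Token has no exp claim' }
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp)
    [pscustomobject]@{
        Audience   = $claims.aud      # which API the token is valid for
        Scopes     = $claims.scp      # delegated permissions, if present
        Roles      = $claims.roles    # application permissions, if present
        ExpiresUtc = $expires.UtcDateTime
        Expired    = $expires -lt [DateTimeOffset]::UtcNow
    }
}

# --- Constructed sample token so the example runs offline ---
function ConvertTo-Base64Url([string]$Text) {
    $b64 = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Text))
    $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$payload = @{
    aud = 'https://graph.microsoft.com'
    scp = 'Reports.Read.All'
    exp = 1893456000                  # constructed expiry timestamp
} | ConvertTo-Json -Compress
$sample = @(
    (ConvertTo-Base64Url '{"alg":"none","typ":"JWT"}'),
    (ConvertTo-Base64Url $payload),
    'constructed-signature'
) -join '.'

Get-TokenClaims -AccessToken $sample | Format-List
```

To inspect a real token, pass the string returned by `Get-PnPAccessToken` or `Get-PnPAppAuthAccessToken` to `Get-TokenClaims`.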
Comments
- Anonymous
June 22, 2018
Thanks for this article. I am going to consume the SPO API in my next project.