
I have created an Azure App registration and granted it permissions to manage SharePoint sites. Then I want to query the SharePoint sites' users using the SharePoint API. Here is the first request to get the access_token:

[screenshot]

Then I get the access token and pass it inside the Authorization header, as follows:

[screenshot]

But the second action returns Unauthorized:

{
    "statusCode": 401,
    "headers": {
        "Cache-Control": "private",
        "Server": "Microsoft-IIS/10.0",
        "X-NetworkStatistics": "0,4194720,0,0,39,24479,24479,15301",
        "IsOCDI": "0",
        "X-DataBoundary": "EU",
        "X-1DSCollectorUrl": "https://eu-mobile.events.data.microsoft.com/OneCollector/1.0/",
        "X-AriaCollectorURL": "https://eu-mobile.events.data.microsoft.com/Collector/3.0/",
        "SPRequestGuid": "c20dd9a1-7025-e000-6f5b-0d2e1e2d49d1",
        "request-id": "c20dd9a1-7025-e000-6f5b-0d2e1e2d49d1",
        "MS-CV": "odkNwiVwAOBvWw0uHi1J0Q.0",
        "SPLogId": "c20dd9a1-7025-e000-6f5b-0d2e1e2d49d1",
        "Alt-Svc": "h3=\":443\"",
        "Strict-Transport-Security": "max-age=31536000",
        "X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": "frame-ancestors 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com *.teams.microsoft.us local.teams.office.com teams.cloud.microsoft *.office365.com goals.cloud.microsoft *.powerapps.com *.powerbi.com *.yammer.com engage.cloud.microsoft word.cloud.microsoft excel.cloud.microsoft powerpoint.cloud.microsoft *.officeapps.live.com *.office.com *.microsoft365.com m365.cloud.microsoft *.cloud.microsoft *.stream.azure-test.net *.dynamics.com *.microsoft.com onedrive.live.com *.onedrive.live.com securebroker.sharepointonline.com;",
        "SPRequestDuration": "23",
        "SPIisLatency": "1",
        "x-ms-suspended-features": "features=\"\"",
        "X-Powered-By": "ASP.NET",
        "MicrosoftSharePointTeamServices": "16.0.0.26629",
        "X-Content-Type-Options": "nosniff",
        "X-MS-InvokeApp": "1; RequireReadOnly",
        "P3P": "CP=\"ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI\"",
        "WWW-Authenticate": "Bearer realm=\"0bcccd25-af10-4583-95d7-53f14b7a506e\",client_id=\"00000003-0000-0ff1-ce00-000000000000\",trusted_issuers=\"00000001-0000-0000-c000-000000000000@*,D3776938-3DBA-481F-A652-4BEDFCAB7CD8@*,https://sts.windows.net/*/,https://login.microsoftonline.com/*/v2.0,00000003-0000-0ff1-ce00-000000000000@90140122-8516-11e1-8eff-49304924019b\",authorization_uri=\"https://login.microsoftonline.com/common/oauth2/authorize\"",
        "Date": "Thu, 13 Nov 2025 19:26:48 GMT",
        "Content-Length": "27"
    },
    "body": {
        "$content-type": "application/octet-stream",
        "$content": "VW5zdXBwb3J0ZWQgYXBwIG9ubHkgdG9rZW4u"
    }
}

Any advice?

Comments

  • You might be mixing the permissions. If you're using classic APIs then you need a cert when authenticating. If you're using Graph then you can use the supplied token as is. Looking at your screenshots, you're mixing the two. My tip: use a service user and then use the standard SharePoint connector with HTTP operation. Further to that, what permissions have you supplied the app reg? There are SharePoint and Graph permissions; that also dictates the outcome. Again, don't mix the two when it comes to the auth approach. Commented Nov 13 at 20:10
  • This might help a little bit … learn.microsoft.com/en-au/answers/questions/2120929/… Commented Nov 13 at 20:13
  • @Skin I want to remove a user from all the sites. Now if I use a service account which is SharePoint global admin or even Office 365 admin, I will still get access denied, unless I explicitly assign the service account to all sites. So I want to remove the user using the app registration identity which has full control of the site. Now I am not mixing, am I? I am using SharePoint to get the token and I am passing it to the SharePoint REST API. Commented Nov 13 at 20:13
  • Trust me, you're mixing the auth methods. I've been doing this for years. You need to use a cert for classic REST. Also, what permissions have you applied to the app reg? There are the two types, Graph and SharePoint. Also, with the HTTP connector, you don't need to get a token in a separate call; you can do it directly via the auth properties in the connector when making the call. Commented Nov 13 at 21:19
  • @Skin I granted the app registration full control for all the sites for both SharePoint and Graph. Commented Nov 13 at 22:00

1 Answer


This is from LogicApps but is exactly the same concept as PowerAutomate and this works ...

[screenshot]

This is the URL specified in the variable which, as you can see, is calling a classic SP REST API ...

[screenshot]

A certificate is required and that certificate needs to be loaded against the app registration, like shown below ...

[screenshot]

The cert in my case is loaded into a KeyVault and referenced in the LogicApp from there. The same approach can be taken in PowerAutomate.

I haven't fully validated the contents in this link but it describes the process ... https://blog.admindroid.com/connect-to-sharepoint-online-with-certificate/
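A quick way to confirm this diagnosis from the 401 in the question, as an added example (not the answer's own code): decode the base64 body that Power Automate wraps in $content and parse the WWW-Authenticate challenge. The response dict is constructed from the question's output with only the relevant headers kept; the helper names are assumptions of this example.

```python
import base64
import re

# Constructed from the 401 response in the question; only the headers that matter are kept.
SAMPLE_401 = {
    "statusCode": 401,
    "headers": {
        "WWW-Authenticate": (
            'Bearer realm="0bcccd25-af10-4583-95d7-53f14b7a506e",'
            'client_id="00000003-0000-0ff1-ce00-000000000000",'
            'trusted_issuers="00000001-0000-0000-c000-000000000000@*,'
            'D3776938-3DBA-481F-A652-4BEDFCAB7CD8@*,https://sts.windows.net/*/,'
            'https://login.microsoftonline.com/*/v2.0,'
            '00000003-0000-0ff1-ce00-000000000000@90140122-8516-11e1-8eff-49304924019b",'
            'authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize"'
        ),
    },
    "body": {"$content-type": "application/octet-stream",
             "$content": "VW5zdXBwb3J0ZWQgYXBwIG9ubHkgdG9rZW4u"},
}

# key="value" pairs; a quoted value may itself contain commas (trusted_issuers does),
# so a naive split on "," would break the challenge apart.
_CHALLENGE_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_bearer_challenge(header):
    """Split a 'Bearer k="v",k="v"' WWW-Authenticate header into a dict."""
    scheme, _, params = header.partition(" ")
    if scheme != "Bearer":
        raise ValueError("not a Bearer challenge: %r" % scheme)
    return dict(_CHALLENGE_PARAM.findall(params))


def decode_body(response):
    """Power Automate / Logic Apps expose a non-JSON body as base64 in $content."""
    raw = base64.b64decode(response["body"]["$content"])
    return raw.decode("utf-8", errors="replace")


def diagnose(response):
    """Return a short triage verdict for a SharePoint REST 401."""
    if response.get("statusCode") != 401:
        return "not a 401"
    message = decode_body(response)
    challenge = parse_bearer_challenge(response["headers"]["WWW-Authenticate"])
    if message.startswith("Unsupported app only token"):
        # SharePoint REST (/_api) rejects app-only tokens minted with a client secret;
        # the app registration has to authenticate with a certificate instead.
        return ("app-only token rejected by SharePoint REST (tenant realm %s): "
                "acquire the token with a certificate, not a client secret"
                % challenge.get("realm"))
    return "401 with body: " + message
```

The decoded body reads "Unsupported app only token.", which is SharePoint's way of saying the token itself is the problem, not the permissions granted to the app registration.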


2 Comments

  • This to call SharePoint API or Graph API?
  • The dead giveaway is the second screenshot and the stubs on the URL; anything /web/lists/getbytitle('') in that sort of structure is the classic REST APIs, not Graph. Prefixing /web is actually the site URL with /_api, which is classic REST.
