Office 365 SharePoint API with App Only token returns 401

Question

I'm trying to call the Office 365 SharePoint API at tenant.sharepoint.com with an App Only token, but am getting a 401 response with the message:

The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs.

As this is in Office 365, I don't have access to the server to configure it and turn on error messages as suggested in the error message.

I have set up my Azure AD App Registration for app-only access, as described here, including the read and write managed metadata and manage all site collections application permissions.

I request the app-only token like so:

POST https://login.microsoftonline.com/f48cf683-1ba8-469a-82b5-930241ed093d/oauth2/token HTTP/1.1
host: login.microsoftonline.com
content-type: application/x-www-form-urlencoded
content-length: 1071
Request-Context: appId=cid-v1:a8ad1180-5e49-43f7-99e1-3d07c1ffa794
Connection: close

grant_type=client_credentials&client_id=a0e75d70-178a-48c3-94a9-4be5d97ea0c5&
client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&
client_assertion=*xxx*&resource=https%3A%2F%2Fpeterreayqa.sharepoint.com

(Assertion *xxx* omitted)

I get the response back:

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/10.0
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
x-ms-request-id: 03fa7b0e-d725-4730-b20c-26ff0e6e4200
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
Set-Cookie: fpc=AfblxFAuBLNAo-WGH3FHRtau4ePVAQAzNMUKpE_WCA; expires=Fri, 21-Dec-2018 11:25:29 GMT; path=/; secure; HttpOnly
Set-Cookie: x-ms-gateway-slice=003; path=/; secure; HttpOnly
Set-Cookie: stsservicecookie=ests; path=/; secure; HttpOnly
Date: Wed, 21 Nov 2018 11:25:29 GMT
Connection: close
Content-Length: 1420

{"token_type":"Bearer","expires_in":"3599","ext_expires_in":"3599","expires_on":"1542803129","not_before":"1542799229","resource":"https://peterreayqa.sharepoint.com","access_token":"*xxx*"}

(Token *xxx* omitted)

Then when I try to call the SharePoint API:

POST https://peterreayqa.sharepoint.com/sites/Sage-NewSharePointTest/sageData/_vti_bin/sites.asmx HTTP/1.1
Authorization: Bearer *xxx*
User-Agent: ISV|Sage|OverDriveUserManagement/1.2
Content-Type: text/xml
SOAPAction: http://schemas.microsoft.com/sharepoint/soap/GetUpdatedFormDigestInformation
X-RequestForceAuthentication: true
Host: peterreayqa.sharepoint.com
Content-Length: 356
Expect: 100-continue
Accept-Encoding: gzip, deflate

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetUpdatedFormDigestInformation xmlns="http://schemas.microsoft.com/sharepoint/soap/" />
</soap:Body>
</soap:Envelope>

(Token *xxx* from previous response is omitted)

I get the following response:

HTTP/1.1 401 Unauthorized
Content-Length: 453
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
WWW-Authenticate: Bearer realm="f48cf683-1ba8-469a-82b5-930241ed093d",client_id="00000003-0000-0ff1-ce00-000000000000",trusted_issuers="00000001-0000-0000-c000-000000000000@*,D3776938-3DBA-481F-A652-4BEDFCAB7CD8@*,https://sts.windows.net/*/,00000003-0000-0ff1-ce00-000000000000@90140122-8516-11e1-8eff-49304924019b",authorization_uri="https://login.windows.net/common/oauth2/authorize"
x-ms-diagnostics: 3001000;reason="There has been an error authenticating the request.";category="invalid_client"
SPRequestGuid: 3e83a49e-40a8-0000-3740-5cec03406519
request-id: 3e83a49e-40a8-0000-3740-5cec03406519
MS-CV: nqSDPqhAAAA3QFzsA0BlGQ.0
Strict-Transport-Security: max-age=31536000
X-FRAME-OPTIONS: SAMEORIGIN
SPRequestDuration: 25
SPIisLatency: 1
X-Powered-By: ASP.NET
MicrosoftSharePointTeamServices: 16.0.0.8314
X-Content-Type-Options: nosniff
X-MS-InvokeApp: 1; RequireReadOnly
X-MSEdge-Ref: Ref A: 8C79E743EAB84728B1865357085F3AA0 Ref B: LON21EDGE1413 Ref C: 2018-11-21T11:28:12Z
Date: Wed, 21 Nov 2018 11:28:11 GMT

{"error_description":"The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs."}

Has anyone encountered this before?

Answer 1

Two suggestions:

1. First, make sure an Admin has 'Granted' the requested permissions for the relevant app registration in the Azure portal. In the article you linked above, they used a Powershell command to do so. If you are using the Azure portal API, it's a separate button.
2. Also, confirm that the self-signed security certificate was correctly added to the Azure app registration manifest. You can do so by downloading the manifest for the relevant Azure app registration, and opening to view the entries. This article should help: https://blogs.msdn.microsoft.com/bobgerman/2017/06/25/calling-sharepoint-csom-from-azure-functions-part-2/