mmy

Reputation: 13

Getting a 403 Forbidden error accessing the SharePoint _api/Web/SiteUsers

I am working on an app that was registered on the 20-Jan-2021 in Azure AD (via the "App registration" page) which uses the SharePoint REST API (_api/Web/SiteUsers, amongst others) to retrieve user information (from SharePoint online). The app was, and is still, working fine using the tenant id, application id and client secret I got then.

A few days ago (9-Apr-2021), I registered a 2nd app in Azure to show a colleague how to set things up. Using that new app's application id and client secret (same tenant id), the application fails with error 403 when I submit a call to _api/Web/SiteUsers (calls to MS Graph APIs work fine using both app ids - it's only the SharePoint api calls that fail).

Both registered apps have the same permissions set up - I can't see any difference when I compare them side-by-side. They both have Application permissions for MS Graph API: (Directory.Read.All, Files.Read.All, Sites.Read.All, Group.Read.All) and SharePoint: (Sites.Read.All, User.Read.All), and Delegated permissions for MS Graph API: User.Read. All application permissions have been granted admin consent. Both use secret keys. I've visually compared both registered apps in Azure and can't see any differences in any other properties (other than app id, client id, branded name, secret key).

Does anyone know if something has changed recently that would cause the earlier app id to work, and not the more recent one? Is there some sort of sync delay between Azure and SharePoint (the issue still persists after 3 days)? Any help/hints would be appreciated. Thank you in advance.


Decoded token for App ID that works:

{
  "typ": "JWT",
  "alg": "RS256",
  "x5t": "nOo3ZDrODXEK1jKWhXslHR_KXEg",
  "kid": "nOo3ZDrODXEK1jKWhXslHR_KXEg"
}.{
  "aud": "00000003-0000-0ff1ce00-000000000000/iplatinum1.sharepoint.com@55379f90-a2a4-4f64-b18d-f3453e934a85",
  "iss": "00000001-0000-0000-c000-000000000000@55379f90-a2a4-4f64-b18d-f3453e934a85",
  "iat": 1618276524,
  "nbf": 1618276524,
  "exp": 1618363224,
  "identityprovider": "00000001-0000-0000-c000-000000000000@55379f90-a2a4-4f64-b18d-f3453e934a85",
  "nameid": "7c331853-01ae-422b-bfe4-7df2d3fdbacf@55379f90-a2a4-4f64-b18d-f3453e934a85",
  "oid": "fa4507cb-dfb1-4ed4-9d06-5fa9ffcb814e",
  "sub": "fa4507cb-dfb1-4ed4-9d06-5fa9ffcb814e",
  "trustedfordelegation": "false"
}.[Signature]

For the one that doesn't:

{
  "typ": "JWT",
  "alg": "RS256",
  "x5t": "nOo3ZDrODXEK1jKWhXslHR_KXEg",
  "kid": "nOo3ZDrODXEK1jKWhXslHR_KXEg"
}.{
  "aud": "00000003-0000-0ff1-ce00-000000000000/iplatinum1.sharepoint.com@55379f90-a2a4-4f64-b18d-f3453e934a85",
  "iss": "00000001-0000-0000-c000-000000000000@55379f90-a2a4-4f64-b18d-f3453e934a85",
  "iat": 1618276454,
  "nbf": 1618276454,
  "exp": 1618363154,
  "identityprovider": "00000001-0000-0000-c000-000000000000@55379f90-a2a4-4f64-b18d-f3453e934a85",
  "nameid": "7307b725-738e-4b8c-b898-89486cff95de@55379f90-a2a4-4f64-b18d-f3453e934a85",
  "oid": "08650d87-1a47-436f-a8e1-ee44caa361ee",
  "sub": "08650d87-1a47-436f-a8e1-ee44caa361ee",
  "trustedfordelegation": "false"
}.[Signature]

Upvotes: 0

Views: 4840
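The claim comparison the question does by hand, as an added example that is not part of the original post: it decodes a compact JWT without verifying the signature (diagnosis only, SharePoint still validates the signature server-side), diffs the two payloads while ignoring the timestamp claims, and checks that `aud` is the SharePoint Online service principal for the site host. The sample tokens are constructed from the posted claims with a dummy signature segment; `expected_sharepoint_audience`, `diff_claims` and the other helper names are this example's own. The point it makes visible is that the two tokens differ only in the identity claims (`nameid`, `oid`, `sub`), so the failing token is well-formed for the audience and the 403 is an authorization decision taken on the SharePoint side, not a malformed or mis-scoped token.

```python
import base64
import json
from typing import Dict, Tuple

# Well-known app id of the SharePoint Online service principal (it is the left part of the posted 'aud' claims).
SHAREPOINT_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> Tuple[dict, dict]:
    """Return (header, payload) of a compact JWT WITHOUT checking the signature.

    Diagnostic use only: this tells you what the token claims, not whether it is genuine.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments: header.payload.signature")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def expected_sharepoint_audience(host: str, tenant_id: str) -> str:
    """Audience an app-only SharePoint token must carry: <SharePoint principal>/<host>@<tenant>."""
    return f"{SHAREPOINT_PRINCIPAL}/{host}@{tenant_id}"


def audience_matches(payload: dict, host: str, tenant_id: str) -> bool:
    return payload.get("aud") == expected_sharepoint_audience(host, tenant_id)


def diff_claims(a: dict, b: dict, ignore=("iat", "nbf", "exp")) -> Dict[str, tuple]:
    """Claims whose values differ between two payloads, skipping issuance/expiry timestamps."""
    return {
        k: (a.get(k), b.get(k))
        for k in sorted(set(a) | set(b))
        if k not in ignore and a.get(k) != b.get(k)
    }


def make_unsigned_sample(payload: dict) -> str:
    """Constructed test token: genuine header/payload encoding, dummy signature segment."""
    header = {"typ": "JWT", "alg": "RS256"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        "c2ln",  # placeholder signature, never valid
    ])


# Values taken from the posted decoded tokens.
TENANT_ID = "55379f90-a2a4-4f64-b18d-f3453e934a85"
HOST = "iplatinum1.sharepoint.com"


def _claims(nameid: str, oid: str, iat: int) -> dict:
    return {
        "aud": expected_sharepoint_audience(HOST, TENANT_ID),
        "iss": f"00000001-0000-0000-c000-000000000000@{TENANT_ID}",
        "iat": iat, "nbf": iat, "exp": iat + 86700,
        "identityprovider": f"00000001-0000-0000-c000-000000000000@{TENANT_ID}",
        "nameid": f"{nameid}@{TENANT_ID}",
        "oid": oid, "sub": oid,
        "trustedfordelegation": "false",
    }


WORKING_TOKEN = make_unsigned_sample(_claims("7c331853-01ae-422b-bfe4-7df2d3fdbacf", "fa4507cb-dfb1-4ed4-9d06-5fa9ffcb814e", 1618276524))
FAILING_TOKEN = make_unsigned_sample(_claims("7307b725-738e-4b8c-b898-89486cff95de", "08650d87-1a47-436f-a8e1-ee44caa361ee", 1618276454))


def compare_tokens(working: str, failing: str) -> Dict[str, tuple]:
    """Decode both tokens and report the non-timestamp claims that differ."""
    _, w = decode_jwt_unverified(working)
    _, f = decode_jwt_unverified(failing)
    return diff_claims(w, f)


if __name__ == "__main__":
    for name, tok in (("working", WORKING_TOKEN), ("failing", FAILING_TOKEN)):
        _, payload = decode_jwt_unverified(tok)
        print(f"{name}: audience matches SharePoint principal for {HOST}: {audience_matches(payload, HOST, TENANT_ID)}")
    for claim, (w, f) in compare_tokens(WORKING_TOKEN, FAILING_TOKEN).items():
        print(f"{claim}: {w} -> {f}")
```

Run it against real tokens by pasting the compact JWT strings in place of the constructed samples; if `aud` did not match, the problem would be the requested resource, whereas an identity-only diff points at how SharePoint treats that principal.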

Answers (2)

mmy

Reputation: 13

As pointed out by Michael Han, I had to register the App ID in SharePoint. Once that was done, the access was granted.

Upvotes: 0

Michael Han

Reputation: 3655

As far as I know, Azure AD App Client Secret is blocked by SharePoint Online. You need to choose certificate for authentication: https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread

Another workaround is to register the app in the SharePoint site "https://yoursite/_layouts/15/appregnew.aspx". In this way you can use a client secret. https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs

Upvotes: 3
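The certificate-based app-only flow this answer recommends, as an added example that is neither the answer's code nor Microsoft's sample: it assumes the `msal` and `requests` packages are installed, builds the client-credential dictionary that `msal.ConfidentialClientApplication` accepts for certificate auth (`private_key` plus `thumbprint`), requests a token for the `https://<host>/.default` scope (which asks for the admin-consented application permissions), calls `_api/Web/SiteUsers` with SharePoint's verbose OData JSON format, and turns a 403 into an explicit error so the failure mode from the question is named rather than swallowed. The function and parameter names, the certificate path and the tenant/client values are placeholders of this example; the sample response is constructed.

```python
from typing import Dict, List

def sharepoint_scope(host: str) -> str:
    """App-only scope for a SharePoint Online host; '/.default' requests the consented app permissions."""
    return f"https://{host}/.default"


def build_certificate_credential(private_key_pem: str, thumbprint: str) -> Dict[str, str]:
    """Client credential in the dictionary shape MSAL uses for certificate authentication."""
    return {"private_key": private_key_pem, "thumbprint": thumbprint}


def acquire_app_only_token(tenant_id: str, client_id: str, credential: Dict[str, str], host: str) -> str:
    """Client-credentials grant with a certificate; needs network access and the msal package."""
    import msal  # imported here so the pure helpers above work without it installed

    app = msal.ConfidentialClientApplication(
        client_id,
        authority=f"https://login.microsoftonline.com/{tenant_id}",
        client_credential=credential,
    )
    result = app.acquire_token_for_client(scopes=[sharepoint_scope(host)])
    if "access_token" not in result:
        raise RuntimeError(f"token request failed: {result.get('error')}: {result.get('error_description')}")
    return result["access_token"]


def fetch_site_users(host: str, token: str) -> dict:
    """GET _api/Web/SiteUsers; a 403 here means Azure AD issued the token but SharePoint refused the principal."""
    import requests

    resp = requests.get(
        f"https://{host}/_api/Web/SiteUsers",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json;odata=verbose"},
        timeout=30,
    )
    if resp.status_code == 403:
        raise PermissionError(
            "403 from SharePoint: the token was issued, so check the app-only path "
            "(certificate rather than client secret, or an ACS registration) and the SharePoint application permissions"
        )
    resp.raise_for_status()
    return resp.json()


def summarise_site_users(payload: dict) -> List[dict]:
    """Reduce an odata=verbose SiteUsers response ({'d': {'results': [...]}}) to the usual fields."""
    results = payload.get("d", {}).get("results", [])
    return [
        {"Id": u.get("Id"), "Title": u.get("Title"), "Email": u.get("Email"), "IsSiteAdmin": u.get("IsSiteAdmin")}
        for u in results
    ]


# Constructed sample of the verbose response shape, used so the summariser can be exercised offline.
SAMPLE_RESPONSE = {
    "d": {
        "results": [
            {"Id": 9, "Title": "Example User", "Email": "user@example.com", "IsSiteAdmin": False,
             "LoginName": "i:0#.f|membership|user@example.com"},
            {"Id": 1073741823, "Title": "System Account", "Email": "", "IsSiteAdmin": False,
             "LoginName": "SHAREPOINT\\system"},
        ]
    }
}


if __name__ == "__main__":
    # Placeholder values; replace with the real tenant, app registration and certificate.
    TENANT_ID = "<tenant-id>"
    CLIENT_ID = "<application-id>"
    HOST = "<yourtenant>.sharepoint.com"
    with open("app-cert.key.pem") as fh:  # private key matching the certificate uploaded to the app registration
        pem = fh.read()
    cred = build_certificate_credential(pem, "<certificate-thumbprint>")
    token = acquire_app_only_token(TENANT_ID, CLIENT_ID, cred, HOST)
    for user in summarise_site_users(fetch_site_users(HOST, token)):
        print(user)
```

Keep the private key out of source control and load it from a secret store in anything beyond a demo; the thumbprint is the SHA-1 fingerprint shown on the certificate uploaded under the app registration's "Certificates & secrets" page.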
