Graph API - How to use this authentication method.

VIJAY__KUNWAR
Level 3

Hi All,

Can someone show us an example of how exactly we can find the Drive ID, Site ID and File ID for executing the Graph API skillset for SharePoint, maybe by using Delegated Site access.

Though we are already using the API skillset for SharePoint, we need to use modern authentication, and I don't understand what exactly that is. According to me it's Graph API only. So if someone can explain it to me and provide examples of how we can use this, that would be really great.

I need an example please. Thanks.

Regards,
Vijay



------------------------------
VIJAY KUNWAR
SYSTEMS ENGINEER
TCS
Asia/Kathmandu
------------------------------

ewilson
Staff
Hello @VIJAY KUNWAR,

You've really got two different questions here. The first seems to be how do you use the SharePoint connector in general while the second is how do you set up Delegated access authentication.

Let's start with the first question about using the connector. From the start, you should be able to execute any action that requires the SharePoint site ID, because the site ID can be specified as either the user-friendly FQDN of the site (ex. contoso.sharepoint.com) or the site's full ID, which is a composite of the following values:

  • Site collection hostname (contoso.sharepoint.com)
  • Site collection unique ID (GUID)
  • Site unique ID (GUID)
If you want to get the full (i.e. composite) ID of the site you can call the Get Root Site action on the connector. Alternatively, you can call the Get Site by Site ID action and pass in the FQDN of the site.

As for the other values (Drive ID, File ID, etc.), it's a matter of calling various actions on the connector and then iterating over the response data. For example, to get a list of Drive IDs of your root SharePoint site you could call the Get Root Site action followed by the Get All Drives action. Alternatively, you could just call Get All Drives directly, or even Get Default Drive Details if there's a single drive associated with the site, since you already know the FQDN of your SharePoint site.

Once you have the ID of the specific drive associated with your SharePoint site, you'll want to call Get Root Folder ID for the specific SharePoint site and drive. This will give you the top-level folder ID for the drive. From there, you can call Get Drive Items to get a collection of all the contents in that specific folder. Then you would iterate over that collection and drill into any other child folders you may be interested in.

On to the second question, authentication. There are two token types available when using the Microsoft Graph - Authentication VBO. They are Application Access and Delegated Access. Application Access tends to be the easier method and is meant for service-to-service or machine-to-machine communication. It's a similar idea to what are known as Service Accounts on Windows.

Delegated Access, on the other hand, is where you're requesting access on behalf of a specific user account. In other words, your digital worker is going to work on behalf of a specific user (ex. John Doe). If you look through the Graph API reference, you'll see many examples of actions that are only supported with Delegated Access. To use Delegated Access you must provide an OAuth2 Client ID and Client Secret as well as the Active Directory Username and Password of the user account you are trying to work on behalf of.

Of course you also have to pass in your Microsoft 365 tenant ID. All of this information can be collected from the Microsoft 365 AD console. If you don't have direct access to that, you'll have to request the information from your IT team. This includes having them set up an application definition for you in AD. Below are some screenshots of a test application definition I have created in my Azure sandbox along with some of the Graph API permissions I applied to that application so that it could work with my SharePoint sites.

Hope this helps. If not, let me know what specific questions you have.

Cheers,

------------------------------
Eric Wilson
Director, Integrations and Enablement
Blue Prism Digital Exchange
------------------------------
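The site -> drives -> root folder -> drive items chain from the reply above, as an added example (not Blue Prism's connector code or Microsoft's). It takes a `get` callable so it runs offline against the constructed responses below; in practice `get` would issue an HTTPS GET with an `Authorization: Bearer` header. The `/sites/{hostname}`, `/sites/{id}/drives` and `/drives/{id}/root/children` paths are real Graph v1.0 endpoints; every GUID and item ID in the sample data is made up.

```python
from typing import Callable, Dict, List

GRAPH = "https://graph.microsoft.com/v1.0"  # real Microsoft Graph base URL


def parse_site_id(site_id: str) -> Dict[str, str]:
    """Split a composite site ID 'hostname,siteCollectionGuid,siteGuid'
    into the three parts described in the reply."""
    parts = site_id.split(",")
    if len(parts) != 3:
        raise ValueError("expected hostname,siteCollectionId,siteId")
    return {"hostname": parts[0], "siteCollectionId": parts[1], "siteId": parts[2]}


def list_drive_items(get: Callable[[str], dict], hostname: str) -> List[dict]:
    """Site (by FQDN) -> all drives -> root folder -> its child items.
    `get` performs an authenticated GET and returns the parsed JSON body."""
    site = get(f"{GRAPH}/sites/{hostname}")                  # Get Site by Site ID (FQDN form)
    site_id = site["id"]                                      # composite ID is returned here
    drives = get(f"{GRAPH}/sites/{site_id}/drives")["value"]  # Get All Drives
    items = []
    for drive in drives:
        root = get(f"{GRAPH}/drives/{drive['id']}/root")      # Get Root Folder ID
        for child in get(f"{GRAPH}/drives/{drive['id']}/root/children")["value"]:  # Get Drive Items
            items.append({
                "driveId": drive["id"], "folderId": root["id"],
                "itemId": child["id"], "name": child["name"],
                "isFolder": "folder" in child,  # folder facet = a subfolder to drill into next
            })
    return items


# Constructed sample responses keyed by URL (made-up GUIDs and item IDs).
SITE_ID = "contoso.sharepoint.com,11111111-1111-1111-1111-111111111111,22222222-2222-2222-2222-222222222222"
SAMPLE = {
    f"{GRAPH}/sites/contoso.sharepoint.com": {"id": SITE_ID, "webUrl": "https://contoso.sharepoint.com"},
    f"{GRAPH}/sites/{SITE_ID}/drives": {"value": [{"id": "b!drive1", "name": "Documents"}]},
    f"{GRAPH}/drives/b!drive1/root": {"id": "01ROOT"},
    f"{GRAPH}/drives/b!drive1/root/children": {"value": [
        {"id": "01FILE", "name": "report.xlsx", "file": {}},
        {"id": "01SUB", "name": "Archive", "folder": {"childCount": 3}},
    ]},
}


def sample_get(url: str) -> dict:
    """Offline stand-in for the authenticated HTTPS GET."""
    return SAMPLE[url]
```

Replace `sample_get` with a real HTTP client that adds the bearer token to recurse into any entry whose `isFolder` is true.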

Great explanation @ewilson, thanks! This will help a lot of people, I'm sure.

------------------------------
Emerson Ferreira
Cons, Intelligent automation
Avanade Brasil
Recife
+5581988869544
If my answer helped you, mark it as useful!
------------------------------
Sr Cons at Avanade Brazil

Hi Eric,

Thanks for the quick reply.

I guess I have already gone through the Microsoft sites and Blue Prism for understanding how the Graph API works here. But after every try it's getting more confusing.

First thing - Should the username and password for delegated site access be those of a particular SharePoint user who has access to SharePoint, or do they have to go via Azure directory access?

Second - Getting the Site ID, File ID and Drive ID: how exactly can this be used via the Blue Prism VBO? The steps, and wherever it requires changes.

Third - Is the Graph API the only modern authentication way for accessing SharePoint via Azure directory? Why is Azure required? Can we bypass this, or is there any other method available for this?

I am already using the SharePoint skillset using a Client ID and Secret, generating a Bearer token and working with the SharePoint site. Is that not the modern way, as we are using a Bearer token?

Fourth - If nothing applies here, can you please share some examples or a demo that can help me understand how exactly we can make this work with Blue Prism VBOs to download and perform other CRUD operations with this API.

Thanks for all the help.

Regards,
Vijay

------------------------------
VIJAY KUNWAR
SYSTEMS ENGINEER
TCS
Asia/Kathmandu
------------------------------

Hello @VIJAY KUNWAR,

If you're trying to get a delegated user token then it must be for a user that's defined in the Azure AD. Microsoft Graph is based on Azure. All of the permissions are governed by the associated Azure AD of your specific tenant. Microsoft Graph is not an API that can be used with traditional/legacy SharePoint on-prem deployments.

I don't understand your second question. I laid out, in my previous response, the various actions that can be used for collecting that information. When you call those actions you'll receive output data from Graph, typically in the form of a Blue Prism Collection or a JSON blob (aka Text). As an example, if I get my auth token and then I call the action Get Root Site it will return a Collection of data containing information about my root SharePoint site as pictured below:

As for your third question, Microsoft has made it clear that the Graph API is their API of choice, moving forward, for working with Azure/Microsoft 365 services including Excel, Outlook, Teams, SharePoint, etc. It's not a complete API yet though. Microsoft still hasn't added support for Word, PowerPoint, Visio, etc.

If you already have code in place that's getting a token for you then you should be able to pass that token into the various actions on the SharePoint connector, assuming you've granted the appropriate SharePoint permissions to the specific application definition your Client ID and Client Secret are tied to. If all you're using to get the token is Client ID and Client Secret then what you're getting is an Application Access Token (yes, this is a type of Bearer token).

Cheers,

------------------------------
Eric Wilson
Director, Integrations and Enablement
Blue Prism Digital Exchange
------------------------------
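A way to check which of the two token types described above you were actually issued, as an added example (not from the thread, Blue Prism or Microsoft). Microsoft identity platform access tokens are JWTs: an app-only token from Client ID + Client Secret carries a `roles` claim, a delegated token carries `scp` (scopes) for the signed-in user; `aud` names the API the token is for (the GUID below is Graph's well-known application ID). The sample tokens are constructed and unsigned, and the decoder checks no signature, so use it to inspect a token, never to authorize anything.

```python
import base64
import json
import time
from typing import Dict, Optional

GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> Dict:
    """Return the payload claims of a JWT. The signature is NOT verified here:
    this is for seeing what you were issued, not for trusting it (Graph
    validates the signature server-side on every call)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def classify_graph_token(token: str, now: Optional[float] = None) -> str:
    """Application vs delegated, with the two failure modes a practitioner hits first."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    if claims.get("aud") not in GRAPH_AUDIENCES:
        return "not-for-graph"   # minted for another API; Graph will return 401
    if claims.get("exp", 0) <= now:
        return "expired"
    if "scp" in claims:
        return "delegated"       # scopes granted on behalf of a signed-in user (upn/oid present)
    if "roles" in claims:
        return "application"     # app-only permissions from the client credentials flow
    return "no-permissions"      # app definition has no Graph permissions granted/consented


def _constructed_jwt(claims: Dict) -> str:
    """Build an UNSIGNED sample token for offline inspection only (constructed data)."""
    def enc(obj: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed samples of what the two token types look like claim-wise (values made up).
APP_TOKEN = _constructed_jwt({"aud": "https://graph.microsoft.com", "exp": 4102444800,
                              "appid": "client-id-placeholder", "roles": ["Sites.Read.All"]})
DELEGATED_TOKEN = _constructed_jwt({"aud": "https://graph.microsoft.com", "exp": 4102444800,
                                    "upn": "robot01@contoso.com", "scp": "Sites.Read.All Files.Read"})
```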

Hi Eric. Thank you for this detailed post. I'm in the midst of getting my head around it! 

My organisation requires 2FA to access SharePoint, and I believe that this is causing me an issue in getting an Access Token back when using the Delegated Access action within the Authenticator VBO (which is required for the task I have in mind). I assume (at this point I feel it pertinent to mention that I know very little of Azure/AD, so if this is a nonsense question, please let me know) this means that my username and password (input parameters for the action 'Get Delegated Access Token') are insufficient. However I'm unsure if there's a way within Blue Prism to provide this 2FA. Does that make sense? Is there a workaround 'Blue Prism-side' or do I need to petition my IT department to allow certain access rights for me and any virtual workers? If so, what are those rights?

Many thanks again for helping me (and others) understand this - albeit very slowly!

------------------------------
John Hammond
------------------------------

Thanks Eric,

This makes some sense.

Can you please clarify these as well-

1- As an example, if I get my auth token and then I call the action Get Root Site it will return a Collection of data (which VBO action has these options, as I haven't seen any of these?)

2-  If all you're using to get the token is Client ID and Client Secret then what you're getting is an Application Access Token (yes this is a type of Bearer token).
Is this only Basic authentication not a modern authentication method?

Thanks for all the help.

Regards,
Vijay



------------------------------
VIJAY KUNWAR
SYSTEMS ENGINEER
TCS
Asia/Kathmandu
------------------------------

Hi @john.hammond,

There's nothing in the Graph API that specifically supports 2FA/MFA for authentication. MFA typically involves a visual component, specifically opening the browser to a certain Microsoft authentication page. So the recommendation is that any user accounts you're trying to use under Delegated permissions with Graph should not have 2FA/MFA enabled on them. Ideally, you would have robot-specific accounts created in Azure AD for your digital workers so you don't have to disable MFA for human users if your company standard is to have it enabled.

You can read more about Graph and its authentication methods here.

FWIW - There are 2FA/MFA connectors available on the DX. These are targeted at processes that need to perform 2FA/MFA as part of a UI-based automation. There may be a way to leverage the 2FA/MFA connectors with the Graph Authentication connector we have. It would require changing the grant_type that's defined in the VBO and then extending the workflow a bit as there would be more processing that needs to take place. I'll have to think about this. 🤔

There's also a separate connector on the DX that supports MSAL.NET which can be used to request access tokens using client certificates, if that's of any interest to you.

Cheers,


------------------------------
Eric Wilson
Director, Integrations and Enablement
Blue Prism Digital Exchange
------------------------------

@ewilson,

Any answers for my last query please?

Regards,
Vijay

------------------------------
VIJAY KUNWAR
SYSTEMS ENGINEER
TCS
Asia/Kathmandu
------------------------------

@VIJAY KUNWAR,

You mentioned that you're already using a Blue Prism SharePoint skill. Perhaps you can elaborate on where you got that and what it is? The connector(s) I'm referring to are available on the Digital Exchange. You can find them at the links below:

https://digitalexchange.blueprism.com/dx/entry/3439/solution/microsoft-graph-api---sharepoint
https://digitalexchange.blueprism.com/dx/entry/3439/solution/microsoft-graph-api---sharepoint-upload-sessions
https://digitalexchange.blueprism.com/dx/entry/9648/solution/microsoft-graph-api---download-files

HTTP Basic authentication, bearer authentication (sometimes referred to as API key), and others rely on the use of the Authorization HTTP header. This is part of the general authentication framework defined in the HTTP specification. You can find a list of the supported authentication schemes here. This does not mean these are all Basic though. Basic is just one scheme that uses the general HTTP authentication framework.

Cheers,

------------------------------
Eric Wilson
Director, Integrations and Enablement
Blue Prism Digital Exchange
------------------------------