Manipulate SharePoint group membership using REST API from external app

I have an application that is secured via OpenID Connect / Azure AD.
It is a web app that is not running as part of the SharePoint Framework.

However, the app does need to interact with SharePoint in order to perform the following tasks:

  • Get all SharePoint groups in a site
  • Get all users in a SharePoint group in a site
  • Add a user to a group in a site
  • Remove a user from a group role in a site

The application already uses the MS Graph API for various other things, but as far as SharePoint goes, Graph is pretty limited and doesn't cover the above use cases.

So I was looking into the "legacy" SharePoint API located at {baseUrl}/sites/{siteName}/_api/web/ and found various topics online about how to connect to it using "standard" OAuth2 flows. I would like to use an OAuth2 Client Credentials flow for this.

There are a lot of older posts online that seem to use the ACS app-only model, which is now disabled by default on new tenants. So I started looking at the Azure AD app-only model, which is modern and more secure.

So where ACS app-only involved setting up apps (client id / secrets) in SharePoint itself using https://sitename.sharepoint.com/_layouts/15/appregnew.aspx, if I understand correctly, we would now be able to use an Azure AD app registration with the Sites.FullControl.All scope.

However, when I try to access the legacy SharePoint API with a clientId/secret from an Azure AD app registration, I initially kept on getting the following errors (depending on the scopes I tried), but that was due to my Azure AD registration using Microsoft Graph / Sites.FullControl.All:

  • x-ms-diagnostics: 3001000;reason="There has been an error authenticating the request.";category="invalid_client"
  • 3000003;reason="Invalid audience Uri '00000003-0000-0ff1-ce00-000000000000'.";category="invalid_client"

When I added the proper SharePoint /Sites.FullControl.App permission, I got this:

  • Unsupported app only token

The Azure AD app-only model does mention the creation of a (self-signed) certificate to make it work, making me think this might not work from an external app using the REST API.

Is it possible to use the legacy SharePoint API with tokens retrieved from Azure AD app registrations?

I might be able to get it to work by using the ACS app-only model, using https://accounts.accesscontrol.windows.net/{tenantId}/tokens/OAuth/2, but that would involve enabling CustomAppAuthentication (something I would like to avoid for now).
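The three errors in the question map onto three claims in the access token: `aud` (which resource the token was minted for), `roles` (which application permission was granted) and `appidacr` (how the client authenticated: "1" for a client secret, "2" for a certificate). The following diagnostic, added here as an example and not code from the question or from Microsoft, decodes a token obtained from Azure AD and reports which of those claims SharePoint Online would reject, so the cause can be pinned down before any REST call is made. It assumes the v1/v2 Azure AD token shape, that the SharePoint resource audience is `https://<tenant>.sharepoint.com` (or the SharePoint principal id quoted in the question's error), and that SharePoint Online accepts app-only tokens only when they were acquired with a certificate (`appidacr` = "2"). The Microsoft Graph principal id is Microsoft's well-known value, not taken from the question; the sample tokens are constructed locally and unsigned.

```python
import base64
import json

# Well-known service principal ids. The SharePoint id appears in the
# "Invalid audience Uri" error quoted in the question; the Graph id is
# Microsoft Graph's well-known application id.
SHAREPOINT_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000"
GRAPH_PRINCIPAL = "00000003-0000-0000-c000-000000000000"
GRAPH_RESOURCE = "https://graph.microsoft.com"
REQUIRED_ROLE = "Sites.FullControl.All"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    The signature is deliberately NOT verified: this is a local diagnostic
    for a token you just received from Azure AD, not an authorization check.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    return json.loads(_b64url_decode(parts[1]))


def check_sharepoint_app_only_token(token: str, tenant_host: str) -> list:
    """Explain, claim by claim, why SharePoint Online would reject the token.

    tenant_host is e.g. "contoso.sharepoint.com". Returns a list of findings;
    an empty list means the token carries the claims an app-only call to
    /_api/web/... needs.
    """
    claims = decode_claims(token)
    findings = []
    expected_aud = f"https://{tenant_host}"

    # 1. Audience: a token minted for Graph is rejected by SharePoint.
    aud = str(claims.get("aud", ""))
    if not (aud == expected_aud or aud.startswith(SHAREPOINT_PRINCIPAL)):
        hint = ""
        if aud in (GRAPH_PRINCIPAL, GRAPH_RESOURCE):
            hint = " (token was minted for Microsoft Graph, not SharePoint)"
        findings.append(f"aud is {aud!r}, SharePoint expects {expected_aud!r}{hint}")

    # 2. Application permission: must be the SharePoint permission, which
    #    shows up in the 'roles' claim of an app-only token.
    roles = claims.get("roles", [])
    if REQUIRED_ROLE not in roles:
        findings.append(
            f"roles {roles} lack {REQUIRED_ROLE}; grant the SharePoint (not Graph) "
            "application permission and re-consent"
        )

    # 3. Client authentication method. appidacr: "0" public client,
    #    "1" client secret, "2" certificate. Assumption of this check:
    #    SharePoint Online rejects secret-based app-only tokens with
    #    "Unsupported app only token".
    appidacr = claims.get("appidacr")
    if appidacr != "2":
        findings.append(
            f"appidacr is {appidacr!r}: app-only token was not acquired with a "
            "certificate; use a client assertion (certificate) instead of a secret"
        )

    return findings


def build_sample_token(claims: dict) -> str:
    """CONSTRUCTED test data: an unsigned JWT shaped like an Azure AD token."""
    header = {"typ": "JWT", "alg": "none"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"constructed-signature"),
    ])


if __name__ == "__main__":
    # Constructed token mirroring the question's first failure: Graph audience,
    # client secret. Replace with a real token from your own app registration.
    sample = build_sample_token(
        {"aud": GRAPH_PRINCIPAL, "roles": [REQUIRED_ROLE], "appidacr": "1"}
    )
    for finding in check_sharepoint_app_only_token(sample, "contoso.sharepoint.com"):
        print("-", finding)
```

Run it against the raw `access_token` returned by the client-credentials request; each finding names the claim to fix and the Azure AD setting that produces it, so the app registration can be corrected without trial-and-error against the live site.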