Using the SharePoint CSOM and REST API with Office 365 API via Azure AD

It’s been really exciting to see ISVs and the community start playing with the new Office 365 APIs. I’ve presented on these at TechEd North America with Thorsten Hans in the SharePoint Power Hour session.

In a nutshell, the Office 365 Developer platform has: the App Model to surface up your business solutions directly within the user interface of the products; and then the Office 365 APIs for you to consume our services from your own standalone web applications or device apps.

The current services available in the Office 365 APIs are: Mail, Contact and Calendar from Exchange, OneDrive for Business and All Sites from SharePoint. There is already a Files API you can use to call into OneDrive for Business and SharePoint, but it does not cover other things such as modifying SPWebs.

One thing to note is that currently the authentication is different. With the App Model, Tenant/Site Collection administrators add the Apps to Office or SharePoint and have to ‘trust’ them. This approach uses the Azure ACS authentication and authorization approach. In this approach, it is trusting the App in the Site Collection/Site that it is added in.

With the Office 365 APIs, tenant administrators have to ‘consent’ that the standalone web application or device apps can have the permissions it’s asking for. This approach uses the Azure AD authentication and authorization approach. In this approach, it is trusting the application for the user that consented it against all the User data from services that the app asked for.

One really cool thing about the Azure AD authentication is that if you ask for SharePoint Site permissions, you can actually use the Auth Bearer token that Azure AD grants you to call the REST and CSOM APIs. If you only ask for Read access to SharePoint sites, then when you call the REST and CSOM it will enforce it. If you ask for Full Control access to SharePoint sites and the User only has Read to a Site and you try and do something more than that, it will enforce that too.

Using CSOM with the Auth Bearer Token

This is an example method of getting the default list view url using the Azure AD Auth bearer access token.

To get the access token you have to use this:

Credit goes to Rob Howard in engineering for sending me this snippet that I use in my demo.
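As an added example (not the snippet credited above, and not code from the original post), this is one way to attach an Azure AD bearer token to CSOM requests and read a list's default view URL. The class and method names and the `siteUrl` and `listTitle` parameters are assumptions; the token is taken as a parameter and must have been issued by Azure AD for the SharePoint resource that hosts the site.

```csharp
using System;
using Microsoft.SharePoint.Client;

public static class BearerCsomExample
{
    // Hypothetical helper: siteUrl, listTitle and accessToken come from the caller.
    public static string GetDefaultViewUrl(string siteUrl, string listTitle, string accessToken)
    {
        if (string.IsNullOrWhiteSpace(accessToken))
            throw new ArgumentException("Access token is required.", nameof(accessToken));

        var site = new Uri(siteUrl);
        // Refuse to put a bearer token on a connection that is not TLS-protected.
        if (site.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("Bearer tokens must only be sent over HTTPS.", nameof(siteUrl));

        using (var ctx = new ClientContext(site))
        {
            // CSOM raises this event before every HTTP request it sends, so the
            // header is added to each call made through this context.
            ctx.ExecutingWebRequest += (sender, e) =>
            {
                e.WebRequestExecutingContext.WebRequest.Headers["Authorization"] =
                    "Bearer " + accessToken;
            };

            // Request only the property that is needed.
            List list = ctx.Web.Lists.GetByTitle(listTitle);
            ctx.Load(list, l => l.DefaultViewUrl);

            // SharePoint evaluates the token here; a token whose consented level or
            // whose user lacks access makes this call throw instead of returning data.
            ctx.ExecuteQuery();
            return list.DefaultViewUrl;
        }
    }
}
```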

Using REST with the Auth Bearer Token

This is an example method of getting the announcements using the Azure AD Auth bearer access token.

Credit goes to Kirk Evans for this sample code.
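As an added example (not the sample credited above, and not code from the original post), this is one way to call the SharePoint REST API with the same kind of bearer token and to tell a rejected token apart from a failed permission check. The class and method names, the `siteUrl` parameter and the `Announcements` list title are assumptions.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;

public static class BearerRestExample
{
    // One shared client with no default Authorization header, so a token obtained
    // for one user is never reused on a request made for another.
    private static readonly HttpClient Http = new HttpClient();

    // siteUrl, the method name and the "Announcements" list title are assumptions.
    public static async Task<string> GetAnnouncementsJsonAsync(string siteUrl, string accessToken)
    {
        var site = new Uri(siteUrl.TrimEnd('/') + "/");
        if (site.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("Bearer tokens must only be sent over HTTPS.", nameof(siteUrl));

        var endpoint = new Uri(site, "_api/web/lists/getbytitle('Announcements')/items?$select=Title");
        using (var request = new HttpRequestMessage(HttpMethod.Get, endpoint))
        {
            // Per-request header: the token travels only with this call.
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
            request.Headers.Accept.ParseAdd("application/json;odata=verbose");

            using (HttpResponseMessage response = await Http.SendAsync(request))
            {
                // Usual HTTP meaning: 401 = the token itself was not accepted
                // (missing, expired, or issued for another resource).
                if (response.StatusCode == HttpStatusCode.Unauthorized)
                    throw new UnauthorizedAccessException("401: bearer token not accepted.");
                // 403 = token accepted, but the consented permission level or the
                // user's own rights on the site do not allow the operation.
                if (response.StatusCode == HttpStatusCode.Forbidden)
                    throw new UnauthorizedAccessException("403: permission check failed.");
                response.EnsureSuccessStatusCode();
                return await response.Content.ReadAsStringAsync();
            }
        }
    }
}
```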

Setting up your Application permission

The standalone web application or device app still needs to go through “Add Service connection” and pick the SharePoint Sites permission level. In the background, that registers the Application under that Azure AD instance in your Azure tenant. You could also register the application directly in the Azure AD instance and grab the client ID from there.

Connecting your Azure AD instance to Office 365 Tenant

One of the big questions I get is around the Azure AD instance: where to find it and which account to log in with when you access it in the Azure Management Portal. There is a great blog post on this at and also an MSDN article on the two approaches: connecting an existing instance or using the default one that gets created (log into Azure Management Portal with your Org account).

Wrap Up

There are some great code samples around this on our GitHub area and there are more that I’m rustling up! Others that have been blogging about this are Chakkaradeep from the Visual Studio product group (awesome guy!), Kirk Evans, and also SharePoint MVPs Thorsten Hans and Tobias Zimmergren. Also check out the MSDN Code Gallery where there are ASP.NET MVC samples too.

There is already a Windows 8 app in the store that leverages this, called Classbook, which Wes Hackett (SharePoint MVP) pointed me to.

Full credit for this code above goes to Rob Howard who is someone I couldn’t do my job at Microsoft without in the Office Developer Program engineering group. I hope this helps with further extending what you can do from standalone web applications and mobile applications against Office 365 services.

35 thoughts on “Using the SharePoint CSOM and REST API with Office 365 API via Azure AD”

  1. Hi Jeremy,

    By this we can make a provider hosted like app that doesn’t need to go to SP to get context token to use it to get the access token really SP APPs Gold 🙂

    1. I’ll be working on showing how you can use this with Apps for Office to reach into SharePoint Online shortly. The plan is to converge these two authentication mechanisms which will ultimately rock!

      1. Hi Jeremy,

        Is there already any sample code or blog about how to communicate with SharePoint Online from Apps for Office (Mail App), as you mentioned here above?


      2. Hi Jeremy,

        Here’s a scenario – have a site provisioning provider hosted app, which I would like to also be able to provision Unified Groups. The provisioning engine itself runs in a WebJob. I’m able to connect to the Graph service using the new Microsoft.Graph objects, however the authentication context is issuing a token which doesn’t have any of the permissions I’ve set up on my App (have had to register a separate app for id/secret etc via Azure AD of course – managing two sets of id/secrets is a wee bit annoying).

        I’m more after validation this scenario is actually possible given I can’t prompt a user for auth via a webjob, I need the job to be able to use the app permissions to provision.

        1. Once everything is hanging off unified API this’ll get easier for sure. Sometimes the frustration around us going from 3 year ship cycles to an MVP model of iterative ships is that the picture is a little sketchy til the dots are all joined. The team totally gets this.

          1. Yeah, it appears app only context flow is not possible using the unified API at this time. Hopefully not too far down the track…

            I understand the challenges around this!

  2. Hi Jeremy, thanks for mentioning our classbook App in your blog article – it’s actually from me (Office 365 MVP) and Toni Pohl (Client Dev. MVP) and our awesome developer team. 🙂 cheers, Martina Grom

  3. Jeremy,

    All of this relies on the first assumption in your code in the first snippet on line #3 : “” – which is an assumption that no developer can make. Can you talk about how to get past hard-coding URLs? This is a much harder problem than using the APIs themselves.


  4. Hi Jeremy,

    do you have a code example how I can get the access token from the authorizationCodeReceivedNotification?



  5. Hi Jeremy,

    Thanks for the great information from this article.

    I am trying to build an ASP.Net MVC / Web API web app. I intended to host it as an Azure Web Site and Azure Application in the Office 365 Azure Tenant Instance.

    The app will be available as an Office 365 External App (via Azure AD) to the Office 365 users (from App Launcher and My Apps).

    I want my app to be able to access back to the Office 365 resources (Site, Web, List, DocLib, Item, Permissions…).

    Following your article, I see that I can use BOTH CSOM and Office 365 API.

    When trying Office 365 API, I see we only CAN acquire accessToken for Calendar, Contacts, Mail and MyFiles. However, I could not do that for RootSite (SharePoint resources) even on Azure I have granted all possible permissions from my app to Office 365 SharePoint Online.

    This is because when I am debugging, the Discovery Service only have 4 capabilities: Calendar, Contacts, Mail and MyFiles.

    What I really want is the RootSite (the sharepoint bit).

    So the question is: Is the RootSite access available (acquirable accessToken) for Azure App to access Office 365 via Office 365 API and CSOM? If yes please guide me how or point me to anywhere explaining this. If no, will and when Microsoft would likely make it available?

    Another question I have for you is that: Will Office 365 SharePoint Online (Azure App) provide certain Application Permissions (not Delegation Permissions) for other apps to access Office 365 in its own context?

    Thanks a lot,
    Kind regards,

    1. The RootSite is available and it will be returned by the Discovery Service. Check out the training video on the Discovery service at . The authentication module about Office 365 shows you this.

      The question about apps being able to describe permissions is a question for Azure AD, I’ve not heard of the road map for this but will dig for you and share in a podcast.

  6. Nice article Jeremy!

    One thing that I would like to know is whether it is, or will be possible to create an external web service (IIS or Azure) registered with Azure AD that will authenticate (SSO) with the current SharePoint Online logged in user’s context and callable through JavaScript on the SharePoint page (JSONP?)? It seems like this should be quite a straightforward and common use case to implement. Most of the examples relating to apps are around gaining the SharePoint context/access tokens from the provider hosted app client side API’s and thereby manipulating information on the server.

    I am talking about the reverse situation where the remote web service simply needs to know who the authenticated calling user is and can then call some functionality mapping the calling user to a backend credential store such as an on premise Dynamics CRM installation.

    Having spent some time writing Provider Hosted Apps for SharePoint there is definitely pain around working with IFRAMES, reliance on PostMessage (restricting browser reach), cross domain libraries, App registration etc.

    I believe there are many scenarios that could use this “simpler” approach. If it is possible are there any code samples/walkthroughs around this?

    Many Thanks


    1. We announced CORS support a few weeks ago for the Office 365 API’s using Azure AD auth. You can use the SharePoint REST APIs with CORS now too using Azure AD Auth.

    2. Hello Jes

      You can use Azure websites to host your MVC Web/API controllers. The complete solution will also need to host/serve a page that will issue tokens on demand for AD Authenticated users. This can be done using the new ADAL.JS library.
      Any external HTML/JavaScript page or a simple SharePoint hosted app can request a token for the AD authenticated user. A one hour token with a UPN claim is returned. You can make use of Header ‘Authorization header’ Bearer Token to make AJAX Get/POST calls.
      Your webservice that get using the called will use the provided Token to authenticate and authorize the logged in user, you will get the logged in user’s UPN (User principal name) that is usually a user’s Office 365 email account.

      I have some posts that may help you.

  7. Hi Jeremy,

    Good article, but I’m trying to get my context token and am failing miserably as the (MVC) HttpContext.Session has no keys…
    I’m in an App for Access (in SharePoint).
    Do I need to re-auth?

  8. Can we use Office 365 API with Windows Forms Application?
    I am not able to use it.
    Is it available for WinForms also?

    1. “I am not able to use it”…what are you unable to use?

      The Add Connected Service capabilities are there in Visual Studio. Follow that wizard through for Office 365 APIs and it’ll wire up your project appropriately to get a token and then you can use that token to call those APIs.

      1. Hi Jeremy,
        First of all, thanks for the response.
        I have configured all steps.
        My application is configured and even it is added into Azure directory automatically.
        Then I also modified the manifest file.
        Provided sufficient rights for Azure management.
        But when I run the code, at that time I am getting an exception:
        “Application with identifier ***** not found in directory named ****”

        Can you help me to figure out what is wrong?

        1. Can you test in an InPrivate browser and ensure you are using the correct tenant credentials to log in?

  9. Jeremy, I would like to use this in webforms in a multi-tenant app. I have not found a single working sample out there. I have a working version up and can read/send email, etc., but can’t seem to figure out how to access sharepoint using traditional .net csom and the auth token. I note that in the newest release of Azure Tools, one can get the token using TokenCache.DefaultShared.ReadItems().FirstOrDefault().AccessToken;

    Unfortunately, using that token and GetClientContextWithAccessToken (from Office Toolkit) always gives a 401 error. Furthermore, using your approach above, I get the same 401 error. It appears that the token isn’t sufficient for sharepoint.

    Do you know anyone that has created something like this? Webforms is getting no love in this arena.

    1. All our samples encourage ASP.NET MVC and not ASP.NET Web Forms for Office 365 APIs. This is really due to demand of MVC over Web Forms. But it should be very similar. If you use the Add Connected Services wizard it’ll do all the scaffolding for you. Then the actual code calling the APIs via the .NET SDK is the same. Take a look at the on-demand training available here

  10. Hi Jeremy
    When I try to use the token with CSOM (ClientContext) I receive a 403 error, however if I use REST it works fine.
    Do you know what I might be missing?
