Using the SharePoint CSOM and REST API with Office 365 API via Azure AD

It’s been really exciting to see ISVs and the community start playing with the new Office 365 APIs. I’ve presented on these at TechEd North America with Thorsten Hans in the SharePoint Power Hour session.

In a nutshell, the Office 365 Developer platform has two parts: the App Model, which surfaces your business solutions directly within the user interface of the products, and the Office 365 APIs, which let you consume our services from your own standalone web applications or device apps.

The services currently available in the Office 365 APIs are Mail, Contact and Calendar from Exchange, OneDrive for Business, and All Sites from SharePoint. There is already a Files API you can call against OneDrive for Business and SharePoint, but it does not cover other operations such as modifying SPWebs.

One thing to note is that authentication currently differs between the two. With the App Model, Tenant/Site Collection administrators add the Apps to Office or SharePoint and have to ‘trust’ them. This approach uses Azure ACS for authentication and authorization, and the trust applies to the App in the Site Collection/Site that it is added to.

With the Office 365 APIs, tenant administrators have to ‘consent’ to the standalone web application or device app having the permissions it’s asking for. This approach uses Azure AD for authentication and authorization, and the trust applies to the application on behalf of the user who consented, across all of that user’s data in the services the app asked for.

One really cool thing about the Azure AD authentication is that if you ask for SharePoint Site permissions, you can use the Auth Bearer token that Azure AD grants you to call the REST and CSOM APIs. If you only ask for Read access to SharePoint sites, that limit is enforced when you call REST and CSOM. If you ask for Full Control access to SharePoint sites but the User only has Read on a Site, any attempt to do more than read is blocked too.

Using CSOM with the Auth Bearer Token

This is an example method of getting the default list view URL using the Azure AD Auth bearer access token.

Credit goes to Rob Howard in engineering for sending me this snippet that I use in my demo.

Using REST with the Auth Bearer Token

This is an example method of getting the announcements using the Azure AD Auth bearer access token.

Credit goes to Kirk Evans for this sample code.
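The REST call described in this section, written here as an added example (it is not the sample credited above, and not Microsoft's code). It assumes the Azure AD access token is a JWT whose `aud` claim is the SharePoint host URL and whose `scp` claim lists the delegated scopes; the tenant name, site path, scope value and the helper names are constructed for illustration.

```python
import base64, json, time
from urllib.parse import urlsplit
from urllib.request import Request

def token_claims(access_token):
    """Decode the JWT payload WITHOUT verifying it (inspection only;
    SharePoint validates the signature server-side)."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def granted_scopes(access_token):
    """Delegated scopes the token carries (assumed to be in 'scp')."""
    return set(token_claims(access_token).get("scp", "").split())

def build_announcements_request(site_url, access_token, now=None):
    """Build a GET for the Announcements list items, refusing to attach
    the bearer token to a host it was not issued for."""
    site = urlsplit(site_url)
    if site.scheme != "https":
        raise ValueError("bearer tokens must only travel over https")
    claims = token_claims(access_token)
    if urlsplit(claims.get("aud", "")).hostname != site.hostname:
        raise ValueError("token audience does not match the site host")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired; acquire a new one from Azure AD")
    url = site_url.rstrip("/") + "/_api/web/lists/getbytitle('Announcements')/items"
    return Request(url, headers={
        "Authorization": "Bearer " + access_token,
        "Accept": "application/json;odata=verbose",
    })

def make_sample_token(aud, scp, exp):
    """Constructed, unsigned token used only to exercise the code offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"aud": aud, "scp": scp, "exp": exp}), "sig"])

if __name__ == "__main__":
    tok = make_sample_token("https://contoso.sharepoint.com", "AllSites.Read",
                            time.time() + 600)
    req = build_announcements_request("https://contoso.sharepoint.com/sites/team", tok)
    print(req.full_url, sorted(granted_scopes(tok)))
    # urllib.request.urlopen(req) would send it; SharePoint then enforces both
    # the consented scope and the user's own permissions on the site.
```

Checking the audience before attaching the header keeps a token issued for one resource from being sent to another host by mistake.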

Setting up your Application permission

The standalone web application or device app still needs to go through “Add Service connection” and pick the SharePoint Sites permission level. In the background, that registers the Application under the Azure AD instance in your Azure tenant. You could also register the application directly in the Azure AD instance and grab the client ID from there.

Connecting your Azure AD instance to Office 365 Tenant

One of the big questions I get is about the Azure AD instance: where to find it, and which account to log in with when you access it in the Azure Management Portal. There is a great blog post on this at http://blogs.technet.com/b/ad/archive/2013/09/10/empower-your-office-365-subscription-identity-management-with-application-access-enhancements-for-windows-azure-ad.aspx and also an MSDN article on the two approaches, connecting an existing instance or using the default one that gets created (log into the Azure Management Portal with your Org account): http://msdn.microsoft.com/en-us/library/office/dn736059(v=office.15).aspx .

Wrap Up

There are some great code samples around this on our GitHub area and there are more that I’m rustling up! Others who have been blogging about this are Chakkaradeep from the Visual Studio product group (awesome guy!), Kirk Evans, and SharePoint MVPs Thorsten Hans and Tobias Zimmergren. Also check out the MSDN Code Gallery, where there are ASP.NET MVC samples too.

There is already a Windows 8 app in the store that leverages this, called Classbook, which Wes Hackett (SharePoint MVP) pointed me to.

Full credit for this code above goes to Rob Howard who is someone I couldn’t do my job at Microsoft without in the Office Developer Program engineering group. I hope this helps with further extending what you can do from standalone web applications and mobile applications against Office 365 services.

6 thoughts on “Using the SharePoint CSOM and REST API with Office 365 API via Azure AD”

    1. I’ll be working on showing how you can use this with Apps for Office to reach into SharePoint Online shortly. The plan is to converge these two authentication mechanisms which will ultimately rock!

  1. Hi Jeremy, thanks for mentioning our classbook App in your blog article – it’s actually from me (Office 365 MVP) and Toni Pohl (Client Dev. MVP) and our awesome developer team. :-) cheers, Martina Grom
