Using the SharePoint CSOM and REST API with Office 365 API via Azure AD

It’s been really exciting to see ISVs and the community start playing with the new Office 365 APIs. I’ve presented on these at TechEd North America with Thorsten Hans in the SharePoint Power Hour session.

In a nutshell, the Office 365 Developer platform has: the App Model to surface up your business solutions directly within the user interface of the products; and then the Office 365 APIs for you to consume our services from your own standalone web applications or device apps.

The current services available in the Office 365 APIs are: Mail, Contact and Calendar from Exchange, OneDrive for Business and All Sites from SharePoint. There is already a Files API you can use to call into OneDrive for Business and SharePoint, but it does not cover other things such as modifying SPWebs.

One thing to note is that currently the authentication is different. With the App Model, Tenant/Site Collection administrators add the Apps to Office or SharePoint and have to ‘trust’ them. This uses the Azure ACS authentication and authorization approach, in which the App is trusted in the Site Collection/Site that it is added in.

With the Office 365 APIs, tenant administrators have to ‘consent’ that the standalone web application or device app can have the permissions it is asking for. This uses the Azure AD authentication and authorization approach, in which the application is trusted, for the user that consented to it, against all the User data from the services that the app asked for.

One really cool thing about the Azure AD authentication is that if you ask for SharePoint Site permissions, you can actually use the Auth Bearer token that Azure AD grants you to call the REST and CSOM APIs. If you only ask for Read access to SharePoint sites, then when you call the REST and CSOM it will enforce it. If you ask for Full Control access to SharePoint sites and the User only has Read to a Site and you try and do something more than that, it will enforce that too.

Using CSOM with the Auth Bearer Token

This is an example method of getting the default list view url using the Azure AD Auth bearer access token.

To get the access token you have to use this:

Credit goes to Rob Howard in engineering for sending me this snippet that I use in my demo.

Using REST with the Auth Bearer Token

This is an example method of getting the announcements using the Azure AD Auth bearer access token.

Credit goes to Kirk Evans for this sample code.
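
An added example, not the snippets credited to Rob Howard and Kirk Evans and not code from the original post: one way to make the CSOM and REST calls described in the two sections above with an Azure AD bearer token. The class and method names are hypothetical, and the access token is assumed to have been issued by Azure AD for the SharePoint site being called.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.SharePoint.Client;
// Hypothetical helper (added example); accessToken is assumed to come from Azure AD.
public static class SharePointBearerCalls
{
    // CSOM: attach the token to every request the ClientContext sends.
    public static string GetDefaultViewUrl(Uri siteUrl, string listTitle, string accessToken)
    {
        RequireHttps(siteUrl);
        using (var ctx = new ClientContext(siteUrl.ToString()))
        {
            ctx.ExecutingWebRequest += (sender, e) =>
                e.WebRequestExecutor.RequestHeaders["Authorization"] = "Bearer " + accessToken;
            List list = ctx.Web.Lists.GetByTitle(listTitle);
            ctx.Load(list, l => l.DefaultViewUrl);
            // Throws if the consented scope or the user's own rights do not cover this list.
            ctx.ExecuteQuery();
            return list.DefaultViewUrl;
        }
    }

    // REST: the same token, sent as an Authorization header.
    public static async Task<string> GetListItemsJsonAsync(Uri siteUrl, string listTitle, string accessToken)
    {
        RequireHttps(siteUrl);
        // Double single quotes for the OData string literal, then URL-escape it.
        string title = Uri.EscapeDataString(listTitle.Replace("'", "''"));
        var endpoint = new Uri(siteUrl.ToString().TrimEnd('/') +
            "/_api/web/lists/getbytitle('" + title + "')/items");
        using (var http = new HttpClient())
        using (var req = new HttpRequestMessage(HttpMethod.Get, endpoint))
        {
            req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
            req.Headers.TryAddWithoutValidation("Accept", "application/json;odata=verbose");
            HttpResponseMessage resp = await http.SendAsync(req);
            // 401/403 means the token or the user's permissions were rejected.
            resp.EnsureSuccessStatusCode();
            return await resp.Content.ReadAsStringAsync();
        }
    }

    // A bearer token is a credential: never send it over plain HTTP.
    private static void RequireHttps(Uri url)
    {
        if (url.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("Site URL must use https.", "url");
    }
}
```

Passing the list title "Announcements" to `GetListItemsJsonAsync` corresponds to the announcements call described above; both methods surface the server's refusal rather than hiding it, so a Read-only consent or a Read-only user shows up as an error on any write attempt.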

Setting up your Application permission

The standalone web application or device app still needs to go through “Add Service connection” and pick the SharePoint Sites permission level. In the background, that registers the Application under that Azure AD instance in your Azure tenant. You could also register the application directly in the Azure AD instance and grab the client ID from there.

Connecting your Azure AD instance to Office 365 Tenant

One of the big questions I get is around the Azure AD instance: where to find it and who to log in as when you access it in the Azure Management Portal. There is a great blog post on this, and also an MSDN article on the two approaches of connecting an existing instance or using the default one that gets created (log into Azure Management Portal with your Org account).

Wrap Up

There are some great code samples around this on our GitHub area and there are more that I’m rustling up! Others that have been blogging about this are Chakkaradeep from the Visual Studio product group (awesome guy!), Kirk Evans, and also SharePoint MVPs Thorsten Hans and Tobias Zimmergren. Also check out the MSDN Code Gallery where there are ASP.NET MVC samples too.

There is already a Windows 8 app in the store that leverages this, called Classbook, which Wes Hackett (SharePoint MVP) pointed me to.

Full credit for this code above goes to Rob Howard who is someone I couldn’t do my job at Microsoft without in the Office Developer Program engineering group. I hope this helps with further extending what you can do from standalone web applications and mobile applications against Office 365 services.

23 thoughts on “Using the SharePoint CSOM and REST API with Office 365 API via Azure AD”

    1. I’ll be working on showing how you can use this with Apps for Office to reach into SharePoint Online shortly. The plan is to converge these two authentication mechanisms which will ultimately rock!

      1. Hi Jeremy,

        Is there already any sample code or blog about how to communicate with SharePoint Online from Apps for Office (Mail App), as you mentioned here above?


  1. Hi Jeremy, thanks for mentioning our classbook App in your blog article – it’s actually from me (Office 365 MVP) and Toni Pohl (Client Dev. MVP) and our awesome developer team. :-) cheers, Martina Grom

  2. Jeremy,

    All of this relies on the first assumption in your code in the first snippet on line #3 : “” – which is an assumption that no developer can make. Can you talk about how to get past hard-coding URLs? This is a much harder problem than using the APIs themselves.


  3. Hi Jeremy,

    Do you have a code example of how I can get the access token from the authorizationCodeReceivedNotification?



  4. Hi Jeremy,

    Thanks for the great information from this article.

    I am trying to build an ASP.Net MVC / Web API web app. I intended to host it as an Azure Web Site and Azure Application in the Office 365 Azure Tenant Instance.

    The app will be available as an Office 365 External App (via Azure AD) to the Office 365 users (from App Launcher and My Apps).

    I want my app to be able to access back to the Office 365 resources (Site, Web, List, DocLib, Item, Permissions…).

    Following your article, I see that I can use BOTH CSOM and Office 365 API.

    When trying Office 365 API, I see we CAN only acquire accessToken for Calendar, Contacts, Mail and MyFiles. However, I could not do that for RootSite (SharePoint resources) even though on Azure I have granted all possible permissions from my app to Office 365 SharePoint Online.

    This is because when I am debugging, the Discovery Service only has 4 capabilities: Calendar, Contacts, Mail and MyFiles.

    What I really want is the RootSite (the SharePoint bit).

    So the question is: Is the RootSite access available (acquirable accessToken) for Azure App to access Office 365 via Office 365 API and CSOM? If yes please guide me how or point me to anywhere explaining this. If no, will Microsoft make it available, and when?

    Another question I have for you is that: Will Office 365 SharePoint Online (Azure App) provide certain Application Permissions (not Delegation Permissions) for other apps to access Office 365 in its own context?

    Thanks a lot,
    Kind regards,

    1. The RootSite is available and it will be returned by the Discovery Service. Check out the training video on the Discovery service at . The authentication module about Office 365 shows you this.

      The question about apps being able to describe permissions is a question for Azure AD, I’ve not heard of the road map for this but will dig for you and share in a podcast.

  5. Nice article Jeremy!

    One thing that I would like to know is whether it is, or will be possible to create an external web service (IIS or Azure) registered with Azure AD that will authenticate (SSO) with the current SharePoint Online logged in user’s context and callable through JavaScript on the SharePoint page (JSONP?)? It seems like this should be quite a straightforward and common use case to implement. Most of the examples relating to apps are around gaining the SharePoint context/access tokens from the provider hosted app client side APIs and thereby manipulating information on the server.

    I am talking about the reverse situation where the remote web service simply needs to know who the authenticated calling user is and can then call some functionality mapping the calling user to a backend credential store such as an on premise Dynamics CRM installation.

    Having spent some time writing Provider Hosted Apps for SharePoint there is definitely pain around working with IFRAMES, reliance on PostMessage (restricting browser reach), cross domain libraries, App registration etc.

    I believe there are many scenarios that could use this “simpler” approach. If it is possible are there any code samples/walkthroughs around this?

    Many Thanks


    1. We announced CORS support a few weeks ago for the Office 365 APIs using Azure AD auth. You can use the SharePoint REST APIs with CORS now too using Azure AD Auth.

    2. Hello Jes

      You can use Azure websites to host your MVC Web/API controllers. The complete solution will also need to host/serve a page that will issue tokens on demand for AD Authenticated users. This can be done using the new ADAL.JS library.
      Any external HTML/JavaScript page or a simple SharePoint hosted app can request a token for the AD authenticated user. A one hour token with a UPN claim is returned. You can make use of Header ‘Authorization header’ Bearer Token to make AJAX Get/POST calls.
      Your webservice that gets called will use the provided Token to authenticate and authorize the logged in user; you will get the logged in user’s UPN (User principal name), which is usually a user’s Office 365 email account.

      I have some posts that may help you.

  6. Hi Jeremy,

    Good article, but I’m trying to get my context token and am failing miserably as the (MVC) HttpContext.Session has no keys…
    I’m in an App for Access (in SharePoint).
    Do I need to re-auth?
