///

Call the SharePoint REST API from Dynamics 365 (Business Central)

7 mins read

After a colleague from the Dynamics 365 team ran into some issues when willing to authenticate against SharePoint. I decided to write him a tutorial as my first blog post.

This blog post will show you how you can authenticate against the SharePoint REST API from Dynamics 365 (in this case Business Central, but can be any Dynamics 365 app).

What do we need to do to achieve our wanted goal ?

  • Create an Azure AD app
  • Grant delegated permissions for the Azure AD app on SharePoint
  • Request an access token for SharePoint in the current browser session from Dynamics 365
  • Call the SharePoint REST API with the access token provided

Why do we need all this ? We are already logged in into O365 ?

  • We can’t call directly from Dynamics 365 to SharePoint with our browser cookie due to CORS issues
  • So there is an access token needed if we are doing CORS calls to the SharePoint REST api

1. Let’s start with the creation of the Azure AD app. So go to https://portal.azure.com and create your azure AD app.

2. Next we’ll configure the redirect URI, this should be a URI on the same domain as you are in on (Business Central) in Dynamics 365. So we set the following URL as redirect URI https://businesscentral.dynamics.com/. This is an important one, make sure this domain is not a cross origin domain from where you want to get the access token. Otherways this process will not work. This redirect URI is important for a step later in our process. Where we send a request for the SharePoint access token.

3. Enable the implicit grant flow, in the Azure AD app you just created, by selecting the ‘Access tokens’ option in the ‘Authentication’ tab. This option is needed to be able to request an access token through this azure AD app. Which is what we need in this case. Make sure you click ‘Save’ after ticking the box.

4. After the implicit grant flow for access tokens is enabled and the redirect URI is set correctly. We only need to do one more thing before our Azure AD app is ready to provide us with a valid access token. Set the delegated API permissions for SharePoint.

5. In the tab ‘API permissions’ click ‘Add permission’ and select the SharePoint permission tile. Select ‘delegated’ as we will request an access token on behalf of the current logged in user. You’ll see that I am selecting a lot of permissions. Which isn’t really a problem, as the actual permissions of the final token it will generate, does only have the permissions that the current user has. The token will not give full control to all sites if the current logged in user doesn’t have full control of all sites.

6. After adding the delegated permissions for SharePoint. Press ‘Grant admin consent for …. ‘. This will make sure that other users that will request an access token are not seeing a popup / consent before they get an access token.

7. Go to Dynamics 365 and run the javascript below to catch the access token from an iframe. Pay attention to the URI that we will put into the iframe.

var iframe = document.createElement("iframe");
iframe.style.display = "none";

iframe.onload = function(){ 
    var url = new URL(this.contentWindow.location.href);
    url.search = this.contentWindow.location.hash.substring(1);
    var accesstoken = url.searchParams.get("access_token");
    console.log(accesstoken); 
};

//IMPORTANT - complete all the parameters with the information below this code box
iframe.src = "https://login.microsoftonline.com/{tenant_id}/oauth2/authorize?client_id={azure_ad_app_id}&response_type=token&redirect_uri={redirect_uri}&resource={sharepoint_url}&prompt=none&login_hint={currentUserMail}";

document.body.appendChild(iframe);
  • tenant_id = GUID of your tenant, can be found under the application ID of your Azure AD app in the overview. Also known as Directory ID.
  • azure_ad_app_id = Application ID of your Azure AD app. You can find this in the overview of your Azure AD app.
  • redirect_uri = The redirect URI we put into the azure AD app. This needs to be an exact match
  • sharepoint_url = the root site collection URL of SharePoint e.g. https://spdemo.sharepoint.com
  • login_hint = the current user mail address, this value is dynamic so we should change this based on the current logged in user.

8. So what we are basically doing is using an iframe to pass the current browser cookie into the request. So the OAuth flow knows we are authenticated in O365. After the authentication at login.microsoftonline.com, it will redirect us and provide us with an access token. Which we are able to grab of the iframe with the ‘onload’ method on the iframe.

9. You now have your accesstoken variable inside your javascript. Ready to pass this to PNP js or a plain SharePoint REST request. I advise you to use the PNP js library as it is much easier syntax to understand. I’ll update this blog post later on to extend this tutorial with the PNP js library to do SharePoint REST calls.

4 Comments

  1. Long time supporter, and thought I’d drop a comment.

    Your wordpress site is very sleek – hope you don’t mind
    me asking what theme you’re using? (and don’t mind if I
    steal it? :P)

    I just launched my site –also built in wordpress like yours– but the theme slows (!) the site down quite a bit.

    In case you have a minute, you can find it by searching for “royal cbd” on Google (would appreciate any feedback) – it’s still in the works.

    Keep up the good work– and hope you all take care
    of yourself during the coronavirus scare!

  2. Hello,
    First thanks for your blog and your help to Business Central community.
    In this article, you specify run javascript in Business Central. How can I do this ?
    using WebPageViewer or need to create own add-in ?
    I found system codeunit Oauth (in v16), is it a way to get accessToken ?

    Best regards,

Leave a Reply

Your email address will not be published.

Next Story

Setup, test and debug an Azure AD protected Web API - ASP.NET