Tag Archives: Teams

Access SPO Site Programmatically via MS Graph API and SharePoint API

Scenario

You are a software developer. Your company uses Microsoft Office 365 (SharePoint, Teams etc.). The need is to work with a specific site collection programmatically (from code – Python, C#, Java, PowerShell, JavaScript etc.) – e.g. upload/download documents, update list items, search etc.

The code must run without user interaction (unattended, aka daemon app). Sometimes this is also called “SharePoint Automation”.

The solution is based on a new Graph API feature – Sites.Selected and a classic SP-Only app.

Solution

  1. Register an Azure App and configure it as usual.
    Select the API Permissions blade and add two permissions:
    – Microsoft Graph -> Application permissions -> “Sites.Selected”
    – SharePoint -> Application permissions -> “Sites.Selected”
  2. Request “Grant admin consent” from a tenant/global admin.
  3. Ask a SharePoint admin to run PowerShell code (e.g. this one) to assign proper permissions to your Azure app for a specific site collection (consider site owner consent).
  4. (Optional) Provide SharePoint API permissions:
    (requires a Site Collection Owner/Admin account) – use
    https://YourTenant.sharepoint.com/teams/YourSite/_layouts/15/appinv.aspx
    to add SharePoint API permissions to your app. E.g. full control permissions to the site collection would be
<AppPermissionRequests AllowAppOnlyPolicy="true">  
   <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" 
    Right="FullControl" />
</AppPermissionRequests>

Consider minimal permissions (e.g. Right="Read"; see more with Sumit).

Problem Solved

  • you get access to one and only one site collection (“least privilege” principle)
  • you get both SharePoint API and Microsoft Graph API permissions to SharePoint
  • you can use an app secret or a certificate to authenticate, depending on your security requirements
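The “one and only one site collection” claim can be checked from the app side. The following is an added example, not code from the original post: it decodes the `roles` claim of an app-only access token and flags application roles that reach every site collection and so defeat the Sites.Selected scoping. It assumes the token is a JWT, reads it without verifying the signature (diagnostics only), and uses constructed sample tokens; the function names are hypothetical.

```python
import base64
import json

# Application roles that reach every site collection in the tenant.
TENANT_WIDE_ROLES = {
    "Sites.Read.All", "Sites.ReadWrite.All", "Sites.Manage.All",
    "Sites.FullControl.All", "Files.Read.All", "Files.ReadWrite.All",
}
SCOPED_ROLE = "Sites.Selected"


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_app_token(token):
    """Return a list of findings; an empty list means site access is scoped."""
    claims = jwt_claims(token)
    roles = set(claims.get("roles", []))
    findings = []
    if "scp" in claims:
        findings.append("delegated token (scp claim present), not app-only")
    if SCOPED_ROLE not in roles:
        findings.append("Sites.Selected role missing")
    for role in sorted(roles & TENANT_WIDE_ROLES):
        findings.append(f"tenant-wide role present: {role}")
    return findings


def make_sample_token(claims):
    """Build an unsigned, constructed sample token for offline testing."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    # Constructed samples: one correctly scoped app, one over-privileged app.
    scoped = make_sample_token({"roles": ["Sites.Selected"]})
    broad = make_sample_token({"roles": ["Sites.Selected", "Sites.FullControl.All"]})
    print(audit_app_token(scoped))
    print(audit_app_token(broad))
```

Run it against a token obtained with the app's own secret or certificate before the app goes to production; any finding means the app registration holds more than the single-site grant.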

Note: if your scenario requires an authenticated user to be present, the solution would be a little different: Connect-PnPOnline Interactive with Client App Id

Update:

The Sites.Selected MS Graph API permission was introduced by Microsoft in 2021. It was a huge step forward, but devs were still limited to the MS Graph API against SharePoint.
So devs had to use AppInv at site level to provide ACS permissions to their apps in order to use the SharePoint CSOM and REST APIs.
Recently Microsoft introduced Sites.Selected SharePoint API permissions for registered Azure Apps! So now devs should be fully happy without ACS-based permissions via AppInv.aspx. (See more here on disabling SP Apps Only SPNs)

Thanks to Leon Armston and Scott Murdock

Update 2:

Microsoft announced end-of-life for ACS permissions, so we’d need to avoid ACS permissions for new development.


How to find a public team in Microsoft Teams not knowing exact name

Quick and simple answer: use the SharePoint Search center or Microsoft Search (or Bing if it is integrated).

Detailed explanation on how to find a public Team

In Microsoft Office 365, under MS Teams, there are 3 types of teams:

  • Private team
  • Public team
  • Org-wide team

Private team: you can only join the team if you are invited or know the team code.
The SharePoint site behind a private team is shared only with members, not with everyone. You cannot see the team name, description or content until you are a team member (details). You are not able to search for the team name or content.

Public team: you can join a public team if you wish. The site behind a public team is shared with everyone except external users, so you can see the public team's name and description, but from MS Teams (desktop or web application) you cannot see the public team's content until you are a team member.

Org-wide team: you are joined to the team automatically (details)

From Teams – you can click on “Join or create a team” and you should be able to see some public teams (but not all):

See how Microsoft describes it – Find and Join a team

There is a “Search teams” box at the top right,
so what if you are looking for a specific public team (not in the list) …

Scenario 1

You know the exact team name or at least its first few letters.
Solution: You are lucky. Just start typing the team name in the search bar at the top right and hit “Enter”; you will see a shortened list of public teams matching your search criteria:

NB: do not use wildcards, they will not work:

NB: do not use the top search bar, it will not work:

Scenario 2

You want to join a public team, but you do not know the exact team name.
You know (or guess) something about the team, like

  • part of the team name
  • part of the team description
  • some keywords from team content files

Unfortunately, in this case both great Microsoft technologies – Search and Team – fail. You will not be able to find a public team:

What Microsoft says

Actually Microsoft does not have a solution and has not provided a workaround:
here is the concern “Search for a public team WITHOUT providing the exact name” with no answer from Microsoft.

Solution

Just use SharePoint search or Bing search or Office.com – any other plain search wherever you can.
A SharePoint site is created when a team is created, to store the actual content. If the team is public, the SharePoint site behind it will be accessible to everyone.

For public teams, the SharePoint site has “Everyone except external users” in the “Members” group by default:

which means literally “Everyone except external users” has access to the site with “Edit” permissions.

SharePoint search is security-trimmed, i.e. you will see the site content in search results only if you have access to the site. So just go to the SharePoint landing page, the SharePoint search center or Office.com and search for what you know or guess about the team:

You can use all the power of SharePoint search (wildcards, refiners, Keyword Query Language (KQL), etc.)

Once you have found something, you can go to the SharePoint site:

Now, on the site, look at the site name and hover the mouse over it – you’ll see a pop-up window.
Now you know the exact team name, and you can search for the team under Teams,
or, if you are lucky enough to see the “Join” button, just join the team. Click the site title or hover over it:

One more thing – you cannot see the team’s chat messages in SharePoint, as chats are kept in Azure. But you can search for chat content after you join the team.

Somehow both – SharePoint Search and Teams Search are not working against site/team description. Hopefully this bug will be addressed.

You can also search for the site URL in Teams.
When you create a team, Office 365 generates a short team name (it removes spaces and adds numbers if the team name is not unique; e.g. if the team name is “Test” you might get “test381” as a short name, but if the team name is “This Is My Unique Team” the short name might be “ThisIsMyUniqueTeam”).
Afterwards you can change the team name and/or the SharePoint site name.
Team search in MS Teams works for both names – the short name initially assigned (kept as the site-specific URL) and the new team name – but only matching from the beginning of the string.

Video tutorial

What is the correct way of searching for a Public Team in Microsoft Teams


p.s. Thanks to “Birds of Kazakhstan” for pictures

btw, there is a good video tutorial on how to find a public team in Office 365 using full-text search