I am trying to download a secure file from our company's secure SharePoint. I have performed the following steps, and I still receive an AudienceUriValidationFailedException when trying to download.
Did I miss a step? Am I forgetting something? Using the wrong client secret?
Here is my process:
1. I created an app registration on the Azure portal.
2. I created a client secret under the registered app.
3. I added the application to my company SharePoint using the https://[COMPANY NAME]-admin.sharepoint.com/_layouts/15/appinv.aspx URL format. I used the "Application (client) ID" string from the Azure app registration. I clicked the "Lookup" button, and the Title field auto-populated.
4. I clicked "create", and then "trust it".
5. Using Postman, I used a POST request to get an access token.
6. I used the token it returns to download the file from SharePoint.
The error AudienceUriValidationFailedException occurred because you generated an access token for Microsoft Graph and used it in SharePoint requests.
To resolve the error, make use of the below Graph API query to download the file from the site:
GET https://graph.microsoft.com/v1.0/sites/<siteID>/drives/<doclib driveID>/root/children/<filename>
I have one document library with a logo.jpg file in my SharePoint site like below:

To download this file via a REST API using bearer token, I registered an Azure AD application and added API permissions as below:

Then I generated an access token via Postman with the below parameters:
POST https://login.microsoftonline.com/tenantID/oauth2/v2.0/token
client_id:appID
client_secret:secret
scope: https://graph.microsoft.com/.default
grant_type:client_credentials
Response:

I used this token in running the below Graph query and got a file download link of logo.jpg in response like this:
GET https://graph.microsoft.com/v1.0/sites/<siteID>/drives/<doclib driveID>/root/children/<filename>
Response:

When I accessed the download URL from the response in my browser, the file downloaded successfully.
You can make use of the below graph query to get the ID of your site:
GET https://graph.microsoft.com/v1.0/sites/root:/sites/<sitename>
Response:

Similarly, you can use the below query to get the Drive ID of a document library:
GET https://graph.microsoft.com/v1.0/sites/<siteID_from_above_response>/drives
Response:

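The flow this answer walks through (token with the Graph scope, site ID, drive ID, driveItem, then the pre-authenticated download link), as an added example in Python using only the standard library. This is not the answerer's code; the URL forms are the ones given in the answer, the library name "Documents" is an assumed default, and the tenant, client, secret and site values are placeholders to replace.

```python
# Added example (not code from the answer): the Graph download flow described
# above, using only the Python standard library. Tenant, client, secret, site
# and drive values are placeholders to replace with your own.
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"  # Graph scope, not the SharePoint one


def token_request(tenant_id, client_id, client_secret, scope=GRAPH_SCOPE):
    """Build the client_credentials POST (URL + form body) for the v2.0 token endpoint."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
        "grant_type": "client_credentials",
    }).encode()
    return url, body


def get_token(tenant_id, client_id, client_secret):
    url, body = token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def site_url(site_name):
    # Same form as the answer: tenant root site, then /sites/<sitename>.
    return f"{GRAPH}/sites/root:/sites/{urllib.parse.quote(site_name)}"


def drives_url(site_id):
    return f"{GRAPH}/sites/{site_id}/drives"


def item_url(site_id, drive_id, filename):
    # Same form as the answer's driveItem query.
    return f"{GRAPH}/sites/{site_id}/drives/{drive_id}/root/children/{urllib.parse.quote(filename)}"


def graph_get(url, token):
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def drive_id_by_name(drives_response, name="Documents"):
    """Pick one document library out of the GET /sites/{id}/drives response.
    'Documents' is the assumed display name of the default library."""
    for drive in drives_response.get("value", []):
        if drive.get("name") == name:
            return drive["id"]
    raise LookupError(f"no drive named {name!r}")


def download_url_from_item(item):
    """The pre-authenticated, short-lived link Graph returns on a driveItem.
    Treat it as a credential: do not log it or persist it anywhere long-lived."""
    try:
        return item["@microsoft.graph.downloadUrl"]
    except KeyError:
        raise ValueError("response is not a driveItem with a download link") from None


def download(tenant_id, client_id, client_secret, site_name, library, filename, dest):
    """End-to-end: token -> site ID -> drive ID -> driveItem -> file on disk."""
    token = get_token(tenant_id, client_id, client_secret)
    site_id = graph_get(site_url(site_name), token)["id"]
    drive_id = drive_id_by_name(graph_get(drives_url(site_id), token), library)
    item = graph_get(item_url(site_id, drive_id, filename), token)
    # The download URL carries its own authorization; no bearer header is sent.
    with urllib.request.urlopen(download_url_from_item(item)) as resp, open(dest, "wb") as out:
        out.write(resp.read())


if __name__ == "__main__":
    download("<tenantID>", "<appID>", "<secret>", "<sitename>", "Documents", "logo.jpg", "logo.jpg")
```

The download link is the one step that needs no Authorization header, which is exactly why it should be handled like a secret rather than a plain URL.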
If you're going to use the SharePoint REST API, use the scope https://<tenantname>.sharepoint.com/.default in the get-token step. This should fix your issue for the current configuration, and you'll be able to use the SharePoint REST API (docs).
But if you want to use the Graph API (the scope you have in the screenshot in step 5) (docs), then instead of steps 3 and 4 you should go to your app registered in Azure AD > API Permissions > Application > Microsoft Graph API and select the specific permissions you need (user.read, mail.read, file.readwrite etc.).
You may also use the Delegated level of permissions, but in that case the way to get the access token is different, not client_credentials.