Postman - Microsoft Online Authentication: Difference between revisions

From PiRho Knowledgebase
Jump to navigationJump to search
Dex (talk | contribs)
 
Dex (talk | contribs)
No edit summary
 
Line 3: Line 3:
[[Category:SharePoint]]
[[Category:SharePoint]]
[[Category:OAuth 2.0]]
[[Category:OAuth 2.0]]
Reference: [[https://sharepoint.stackexchange.com/questions/236286/sharepoint-online-rest-api-authentication-in-postman StackExchange: SharePoint Online REST API Authentication In POSTMAN]]
This article explains how to authenticate against Microsoft Online services — including SharePoint Online — using Postman. It focuses on OAuth 2.0 flows, how Azure AD token endpoints work, and how to obtain and reuse access tokens when testing Microsoft 365 or Graph‑based integrations.
 
== Introduction ==
Microsoft Online services use Azure Active Directory (Azure AD) as their identity provider.
When testing APIs with Postman (including SharePoint REST, Microsoft Graph, or custom Azure‑secured APIs), you must authenticate using one of Microsoft’s OAuth 2.0 flows.
 
This article provides a practical, step‑by‑step guide to generating access tokens in Postman and using them to call Microsoft Online endpoints.
 
== When You Need This ==
* Testing SharePoint Online REST API calls
* Testing Microsoft Graph
* Developing custom integrations or automation
* Reproducing authentication issues
* Creating prototype workflows without writing code
 
== Prerequisites ==
Before authenticating in Postman, you need:
* An Azure AD tenant (Microsoft 365)
* A registered Azure AD application
* OAuth 2.0 client details:
  * Tenant ID
  * Client ID
  * Client Secret (if using Client Credentials)
* The correct Redirect URI for Postman
* Appropriate API permissions (Graph, SharePoint, etc.)
 
== Registering a Postman App in Azure AD ==
To authenticate using OAuth 2.0, first register an application in Azure AD:
 
=== Steps ===
# Go to the Azure Portal → Azure Active Directory → App registrations.
# Select '''New registration'''.
# Name it something like: Postman API Tester.
# Redirect URI:
  * For interactive authentication (Auth Code Flow): https://oauth.pstmn.io/v1/callback
# After creation, note:
  * Application (client) ID
  * Directory (tenant) ID
# Under Certificates & Secrets, create a new Client Secret (if required).
# Under API Permissions, add the permissions required by your test scenario.
 
== Choosing the Right OAuth Flow ==
Microsoft supports several OAuth flows, but for Postman, two are normally used:
 
=== 1. Authorization Code Flow (Interactive) ===
* Requires user sign‑in
* Uses Postman’s browser callback handler
* Good for testing delegated permissions
* Ideal for SharePoint REST or Graph calls “as a user”
 
=== 2. Client Credentials Flow (App‑Only) ===
* No user interaction
* Uses your Client Secret to obtain tokens
* Good for service apps, background jobs, automation
* Works with SharePoint App‑Only ACS or Graph Application permissions
 
== Getting an Access Token in Postman ==
=== Create a New Postman Request ===
# Open Postman
# Create a new request
# Navigate to the Authorization tab
# Set the type to: OAuth 2.0
 
=== Configure the Token Request Details ===
 
; Field ; Value
; Grant Type ; Authorization Code OR Client Credentials
; Callback URL ; https://oauth.pstmn.io/v1/callback
; Auth URL ; https://login.microsoftonline.com/<TENANT-ID>/oauth2/v2.0/authorize
; Access Token URL ; https://login.microsoftonline.com/<TENANT-ID>/oauth2/v2.0/token
; Client ID ; Your Azure AD Application ID
; Client Secret ; (Leave empty for Auth Code Flow unless using a confidential client)
; Scope ; Depends on API
 
=== Example Scopes ===
* Microsoft Graph: https://graph.microsoft.com/.default
* SharePoint Online: https://<TENANT>.sharepoint.com/.default
* User delegated scope example: openid profile offline_access
 
=== Requesting the Token ===
# Click Get New Access Token
# Sign in when prompted (Auth Code Flow)
# Postman retrieves and stores the token
# Click Use Token to attach it to your request
 
== Calling SharePoint Online REST API ==
Example:
 
GET https://<tenant>.sharepoint.com/_api/web/lists
 
Ensure your Authorization header contains:
Authorization: Bearer <access_token>
Accept: application/json;odata=nometadata
 
== Calling Microsoft Graph ==
Example:
GET https://graph.microsoft.com/v1.0/users
 
Attach the token as before.
If permissions include User.Read.All or Directory.Read.All, results will be returned.
 
== Troubleshooting ==
=== “Invalid client secret” ===
* Ensure you generated a Client Secret
* Ensure it has not expired
* Ensure no whitespace was copied accidentally
 
=== “Insufficient privileges” ===
* API permissions must be granted
* Some permissions require Admin Consent
 
=== “redirect_uri_mismatch” ===
* Ensure the redirect URI in Azure matches Postman exactly
* Use: https://oauth.pstmn.io/v1/callback
 
=== “resource not found” errors ===
Microsoft Graph and SharePoint Online use different resource identifiers.
Ensure you request the correct scope for each API.
 
== Notes on SharePoint ACS vs Azure AD ==
Historically, SharePoint Online supported ACS (App-Reg / App-Inv).
New development should use Azure AD and Microsoft Graph.
However, ACS still works for many legacy scenarios — Postman can authenticate using either method.
 
== Related Articles ==
* [[OAuth 2.0 Overview]]
* [[SharePoint Online – REST API Guide]]
* [[Azure AD Application Registrations]]
* [[Microsoft Graph – Getting Started]]
 
== Reference ==
* StackExchange: SharePoint Online REST API Authentication In POSTMAN

Latest revision as of 16:21, 14 March 2026

This article explains how to authenticate against Microsoft Online services — including SharePoint Online — using Postman. It focuses on OAuth 2.0 flows, how Azure AD token endpoints work, and how to obtain and reuse access tokens when testing Microsoft 365 or Graph‑based integrations.

Introduction

Microsoft Online services use Azure Active Directory (Azure AD) as their identity provider. When testing APIs with Postman (including SharePoint REST, Microsoft Graph, or custom Azure‑secured APIs), you must authenticate using one of Microsoft’s OAuth 2.0 flows.

This article provides a practical, step‑by‑step guide to generating access tokens in Postman and using them to call Microsoft Online endpoints.

When You Need This

  • Testing SharePoint Online REST API calls
  • Testing Microsoft Graph
  • Developing custom integrations or automation
  • Reproducing authentication issues
  • Creating prototype workflows without writing code

Prerequisites

Before authenticating in Postman, you need:

  • An Azure AD tenant (Microsoft 365)
  • A registered Azure AD application
  • OAuth 2.0 client details:
 * Tenant ID
 * Client ID
 * Client Secret (if using Client Credentials)
  • The correct Redirect URI for Postman
  • Appropriate API permissions (Graph, SharePoint, etc.)

Registering a Postman App in Azure AD

To authenticate using OAuth 2.0, first register an application in Azure AD:

Steps

  1. Go to the Azure Portal → Azure Active Directory → App registrations.
  2. Select New registration.
  3. Name it something like: Postman API Tester.
  4. Redirect URI:
  * For interactive authentication (Auth Code Flow): https://oauth.pstmn.io/v1/callback
  1. After creation, note:
  * Application (client) ID
  * Directory (tenant) ID
  1. Under Certificates & Secrets, create a new Client Secret (if required).
  2. Under API Permissions, add the permissions required by your test scenario.

Choosing the Right OAuth Flow

Microsoft supports several OAuth flows, but for Postman, two are normally used:

1. Authorization Code Flow (Interactive)

  • Requires user sign‑in
  • Uses Postman’s browser callback handler
  • Good for testing delegated permissions
  • Ideal for SharePoint REST or Graph calls “as a user”

2. Client Credentials Flow (App‑Only)

  • No user interaction
  • Uses your Client Secret to obtain tokens
  • Good for service apps, background jobs, automation
  • Works with SharePoint App‑Only ACS or Graph Application permissions

Getting an Access Token in Postman

Create a New Postman Request

  1. Open Postman
  2. Create a new request
  3. Navigate to the Authorization tab
  4. Set the type to: OAuth 2.0

Configure the Token Request Details

Field ; Value
Grant Type ; Authorization Code OR Client Credentials
Callback URL ; https://oauth.pstmn.io/v1/callback
Auth URL ; https://login.microsoftonline.com/<TENANT-ID>/oauth2/v2.0/authorize
Access Token URL ; https://login.microsoftonline.com/<TENANT-ID>/oauth2/v2.0/token
Client ID ; Your Azure AD Application ID
Client Secret ; (Leave empty for Auth Code Flow unless using a confidential client)
Scope ; Depends on API

Example Scopes

Requesting the Token

  1. Click Get New Access Token
  2. Sign in when prompted (Auth Code Flow)
  3. Postman retrieves and stores the token
  4. Click Use Token to attach it to your request

Calling SharePoint Online REST API

Example:

GET https://<tenant>.sharepoint.com/_api/web/lists

Ensure your Authorization header contains: Authorization: Bearer <access_token> Accept: application/json;odata=nometadata

Calling Microsoft Graph

Example: GET https://graph.microsoft.com/v1.0/users

Attach the token as before. If permissions include User.Read.All or Directory.Read.All, results will be returned.

Troubleshooting

“Invalid client secret”

  • Ensure you generated a Client Secret
  • Ensure it has not expired
  • Ensure no whitespace was copied accidentally

“Insufficient privileges”

  • API permissions must be granted
  • Some permissions require Admin Consent

“redirect_uri_mismatch”

“resource not found” errors

Microsoft Graph and SharePoint Online use different resource identifiers. Ensure you request the correct scope for each API.

Notes on SharePoint ACS vs Azure AD

Historically, SharePoint Online supported ACS (App-Reg / App-Inv). New development should use Azure AD and Microsoft Graph. However, ACS still works for many legacy scenarios — Postman can authenticate using either method.

Related Articles

Reference

  • StackExchange: SharePoint Online REST API Authentication In POSTMAN