Postman - Microsoft Online Authentication: Difference between revisions
Created page with "Category:Postman Category:Microsoft Category:SharePoint Category:OAuth 2.0 Reference: https://sharepoint.stackexchange.com/questions/236286/sharepoint-online-rest-api-authentication-in-postman StackExchange: SharePoint Online REST API Authentication In POSTMAN" |
No edit summary |
||
| Line 3: | Line 3: | ||
[[Category:SharePoint]] | [[Category:SharePoint]] | ||
[[Category:OAuth 2.0]] | [[Category:OAuth 2.0]] | ||
This article explains how to authenticate against Microsoft Online services — including SharePoint Online — using Postman. It focuses on OAuth 2.0 flows, how Azure AD token endpoints work, and how to obtain and reuse access tokens when testing Microsoft 365 or Graph‑based integrations. | |||
== Introduction == | |||
Microsoft Online services use Azure Active Directory (Azure AD) as their identity provider. | |||
When testing APIs with Postman (including SharePoint REST, Microsoft Graph, or custom Azure‑secured APIs), you must authenticate using one of Microsoft’s OAuth 2.0 flows. | |||
This article provides a practical, step‑by‑step guide to generating access tokens in Postman and using them to call Microsoft Online endpoints. | |||
== When You Need This == | |||
* Testing SharePoint Online REST API calls | |||
* Testing Microsoft Graph | |||
* Developing custom integrations or automation | |||
* Reproducing authentication issues | |||
* Creating prototype workflows without writing code | |||
== Prerequisites == | |||
Before authenticating in Postman, you need: | |||
* An Azure AD tenant (Microsoft 365) | |||
* A registered Azure AD application | |||
* OAuth 2.0 client details: | |||
* Tenant ID | |||
* Client ID | |||
* Client Secret (if using Client Credentials) | |||
* The correct Redirect URI for Postman | |||
* Appropriate API permissions (Graph, SharePoint, etc.) | |||
== Registering a Postman App in Azure AD == | |||
To authenticate using OAuth 2.0, first register an application in Azure AD: | |||
=== Steps === | |||
# Go to the Azure Portal → Azure Active Directory → App registrations. | |||
# Select '''New registration'''. | |||
# Name it something like: Postman API Tester. | |||
# Redirect URI: | |||
* For interactive authentication (Auth Code Flow): https://oauth.pstmn.io/v1/callback | |||
# After creation, note: | |||
* Application (client) ID | |||
* Directory (tenant) ID | |||
# Under Certificates & Secrets, create a new Client Secret (if required). | |||
# Under API Permissions, add the permissions required by your test scenario. | |||
== Choosing the Right OAuth Flow == | |||
Microsoft supports several OAuth flows, but for Postman, two are normally used: | |||
=== 1. Authorization Code Flow (Interactive) === | |||
* Requires user sign‑in | |||
* Uses Postman’s browser callback handler | |||
* Good for testing delegated permissions | |||
* Ideal for SharePoint REST or Graph calls “as a user” | |||
=== 2. Client Credentials Flow (App‑Only) === | |||
* No user interaction | |||
* Uses your Client Secret to obtain tokens | |||
* Good for service apps, background jobs, automation | |||
* Works with SharePoint App‑Only ACS or Graph Application permissions | |||
== Getting an Access Token in Postman == | |||
=== Create a New Postman Request === | |||
# Open Postman | |||
# Create a new request | |||
# Navigate to the Authorization tab | |||
# Set the type to: OAuth 2.0 | |||
=== Configure the Token Request Details === | |||
; Field ; Value | |||
; Grant Type ; Authorization Code OR Client Credentials | |||
; Callback URL ; https://oauth.pstmn.io/v1/callback | |||
; Auth URL ; https://login.microsoftonline.com/<TENANT-ID>/oauth2/v2.0/authorize | |||
; Access Token URL ; https://login.microsoftonline.com/<TENANT-ID>/oauth2/v2.0/token | |||
; Client ID ; Your Azure AD Application ID | |||
; Client Secret ; (Leave empty for Auth Code Flow unless using a confidential client) | |||
; Scope ; Depends on API | |||
=== Example Scopes === | |||
* Microsoft Graph: https://graph.microsoft.com/.default | |||
* SharePoint Online: https://<TENANT>.sharepoint.com/.default | |||
* User delegated scope example: openid profile offline_access | |||
=== Requesting the Token === | |||
# Click Get New Access Token | |||
# Sign in when prompted (Auth Code Flow) | |||
# Postman retrieves and stores the token | |||
# Click Use Token to attach it to your request | |||
== Calling SharePoint Online REST API == | |||
Example: | |||
GET https://<tenant>.sharepoint.com/_api/web/lists | |||
Ensure your Authorization header contains: | |||
Authorization: Bearer <access_token> | |||
Accept: application/json;odata=nometadata | |||
== Calling Microsoft Graph == | |||
Example: | |||
GET https://graph.microsoft.com/v1.0/users | |||
Attach the token as before. | |||
If permissions include User.Read.All or Directory.Read.All, results will be returned. | |||
== Troubleshooting == | |||
=== “Invalid client secret” === | |||
* Ensure you generated a Client Secret | |||
* Ensure it has not expired | |||
* Ensure no whitespace was copied accidentally | |||
=== “Insufficient privileges” === | |||
* API permissions must be granted | |||
* Some permissions require Admin Consent | |||
=== “redirect_uri_mismatch” === | |||
* Ensure the redirect URI in Azure matches Postman exactly | |||
* Use: https://oauth.pstmn.io/v1/callback | |||
=== “resource not found” errors === | |||
Microsoft Graph and SharePoint Online use different resource identifiers. | |||
Ensure you request the correct scope for each API. | |||
== Notes on SharePoint ACS vs Azure AD == | |||
Historically, SharePoint Online supported ACS (App-Reg / App-Inv). | |||
New development should use Azure AD and Microsoft Graph. | |||
However, ACS still works for many legacy scenarios — Postman can authenticate using either method. | |||
== Related Articles == | |||
* [[OAuth 2.0 Overview]] | |||
* [[SharePoint Online – REST API Guide]] | |||
* [[Azure AD Application Registrations]] | |||
* [[Microsoft Graph – Getting Started]] | |||
== Reference == | |||
* StackExchange: SharePoint Online REST API Authentication In POSTMAN | |||
Latest revision as of 16:21, 14 March 2026
This article explains how to authenticate against Microsoft Online services — including SharePoint Online — using Postman. It focuses on OAuth 2.0 flows, how Azure AD token endpoints work, and how to obtain and reuse access tokens when testing Microsoft 365 or Graph‑based integrations.
Introduction
Microsoft Online services use Azure Active Directory (Azure AD) as their identity provider. When testing APIs with Postman (including SharePoint REST, Microsoft Graph, or custom Azure‑secured APIs), you must authenticate using one of Microsoft’s OAuth 2.0 flows.
This article provides a practical, step‑by‑step guide to generating access tokens in Postman and using them to call Microsoft Online endpoints.
When You Need This
- Testing SharePoint Online REST API calls
- Testing Microsoft Graph
- Developing custom integrations or automation
- Reproducing authentication issues
- Creating prototype workflows without writing code
Prerequisites
Before authenticating in Postman, you need:
- An Azure AD tenant (Microsoft 365)
- A registered Azure AD application
- OAuth 2.0 client details:
* Tenant ID * Client ID * Client Secret (if using Client Credentials)
- The correct Redirect URI for Postman
- Appropriate API permissions (Graph, SharePoint, etc.)
Registering a Postman App in Azure AD
To authenticate using OAuth 2.0, first register an application in Azure AD:
Steps
- Go to the Azure Portal → Azure Active Directory → App registrations.
- Select New registration.
- Name it something like: Postman API Tester.
- Redirect URI:
* For interactive authentication (Auth Code Flow): https://oauth.pstmn.io/v1/callback
- After creation, note:
* Application (client) ID * Directory (tenant) ID
- Under Certificates & Secrets, create a new Client Secret (if required).
- Under API Permissions, add the permissions required by your test scenario.
Choosing the Right OAuth Flow
Microsoft supports several OAuth flows, but for Postman, two are normally used:
1. Authorization Code Flow (Interactive)
- Requires user sign‑in
- Uses Postman’s browser callback handler
- Good for testing delegated permissions
- Ideal for SharePoint REST or Graph calls “as a user”
2. Client Credentials Flow (App‑Only)
- No user interaction
- Uses your Client Secret to obtain tokens
- Good for service apps, background jobs, automation
- Works with SharePoint App‑Only ACS or Graph Application permissions
Getting an Access Token in Postman
Create a New Postman Request
- Open Postman
- Create a new request
- Navigate to the Authorization tab
- Set the type to: OAuth 2.0
Configure the Token Request Details
- Field ; Value
- Grant Type ; Authorization Code OR Client Credentials
- Callback URL ; https://oauth.pstmn.io/v1/callback
- Auth URL ; https://login.microsoftonline.com/<TENANT-ID>/oauth2/v2.0/authorize
- Access Token URL ; https://login.microsoftonline.com/<TENANT-ID>/oauth2/v2.0/token
- Client ID ; Your Azure AD Application ID
- Client Secret ; (Leave empty for Auth Code Flow unless using a confidential client)
- Scope ; Depends on API
Example Scopes
- Microsoft Graph: https://graph.microsoft.com/.default
- SharePoint Online: https://<TENANT>.sharepoint.com/.default
- User delegated scope example: openid profile offline_access
Requesting the Token
- Click Get New Access Token
- Sign in when prompted (Auth Code Flow)
- Postman retrieves and stores the token
- Click Use Token to attach it to your request
Example:
GET https://<tenant>.sharepoint.com/_api/web/lists
Ensure your Authorization header contains: Authorization: Bearer <access_token> Accept: application/json;odata=nometadata
Calling Microsoft Graph
Example: GET https://graph.microsoft.com/v1.0/users
Attach the token as before. If permissions include User.Read.All or Directory.Read.All, results will be returned.
Troubleshooting
“Invalid client secret”
- Ensure you generated a Client Secret
- Ensure it has not expired
- Ensure no whitespace was copied accidentally
“Insufficient privileges”
- API permissions must be granted
- Some permissions require Admin Consent
“redirect_uri_mismatch”
- Ensure the redirect URI in Azure matches Postman exactly
- Use: https://oauth.pstmn.io/v1/callback
“resource not found” errors
Microsoft Graph and SharePoint Online use different resource identifiers. Ensure you request the correct scope for each API.
Historically, SharePoint Online supported ACS (App-Reg / App-Inv). New development should use Azure AD and Microsoft Graph. However, ACS still works for many legacy scenarios — Postman can authenticate using either method.
Related Articles
- OAuth 2.0 Overview
- SharePoint Online – REST API Guide
- Azure AD Application Registrations
- Microsoft Graph – Getting Started
Reference
- StackExchange: SharePoint Online REST API Authentication In POSTMAN