Postman - Microsoft Online Authentication

From PiRho Knowledgebase
Jump to navigationJump to search

This article explains how to authenticate against Microsoft Online services — including SharePoint Online — using Postman. It focuses on OAuth 2.0 flows, how Azure AD token endpoints work, and how to obtain and reuse access tokens when testing Microsoft 365 or Graph‑based integrations.

Introduction

Microsoft Online services use Azure Active Directory (Azure AD) as their identity provider. When testing APIs with Postman (including SharePoint REST, Microsoft Graph, or custom Azure‑secured APIs), you must authenticate using one of Microsoft’s OAuth 2.0 flows.

This article provides a practical, step‑by‑step guide to generating access tokens in Postman and using them to call Microsoft Online endpoints.

When You Need This

  • Testing SharePoint Online REST API calls
  • Testing Microsoft Graph
  • Developing custom integrations or automation
  • Reproducing authentication issues
  • Creating prototype workflows without writing code

Prerequisites

Before authenticating in Postman, you need:

  • An Azure AD tenant (Microsoft 365)
  • A registered Azure AD application
  • OAuth 2.0 client details:
 * Tenant ID
 * Client ID
 * Client Secret (if using Client Credentials)
  • The correct Redirect URI for Postman
  • Appropriate API permissions (Graph, SharePoint, etc.)

Registering a Postman App in Azure AD

To authenticate using OAuth 2.0, first register an application in Azure AD:

Steps

  1. Go to the Azure Portal → Azure Active Directory → App registrations.
  2. Select New registration.
  3. Name it something like: Postman API Tester.
  4. Redirect URI:
  * For interactive authentication (Auth Code Flow): https://oauth.pstmn.io/v1/callback
  1. After creation, note:
  * Application (client) ID
  * Directory (tenant) ID
  1. Under Certificates & Secrets, create a new Client Secret (if required).
  2. Under API Permissions, add the permissions required by your test scenario.

Choosing the Right OAuth Flow

Microsoft supports several OAuth flows, but for Postman, two are normally used:

1. Authorization Code Flow (Interactive)

  • Requires user sign‑in
  • Uses Postman’s browser callback handler
  • Good for testing delegated permissions
  • Ideal for SharePoint REST or Graph calls “as a user”

2. Client Credentials Flow (App‑Only)

  • No user interaction
  • Uses your Client Secret to obtain tokens
  • Good for service apps, background jobs, automation
  • Works with SharePoint App‑Only ACS or Graph Application permissions

Getting an Access Token in Postman

Create a New Postman Request

  1. Open Postman
  2. Create a new request
  3. Navigate to the Authorization tab
  4. Set the type to: OAuth 2.0

Configure the Token Request Details

Field ; Value
Grant Type ; Authorization Code OR Client Credentials
Callback URL ; https://oauth.pstmn.io/v1/callback
Auth URL ; https://login.microsoftonline.com/<TENANT-ID>/oauth2/v2.0/authorize
Access Token URL ; https://login.microsoftonline.com/<TENANT-ID>/oauth2/v2.0/token
Client ID ; Your Azure AD Application ID
Client Secret ; (Leave empty for Auth Code Flow unless using a confidential client)
Scope ; Depends on API

Example Scopes

Requesting the Token

  1. Click Get New Access Token
  2. Sign in when prompted (Auth Code Flow)
  3. Postman retrieves and stores the token
  4. Click Use Token to attach it to your request

Calling SharePoint Online REST API

Example:

GET https://<tenant>.sharepoint.com/_api/web/lists

Ensure your Authorization header contains: Authorization: Bearer <access_token> Accept: application/json;odata=nometadata

Calling Microsoft Graph

Example: GET https://graph.microsoft.com/v1.0/users

Attach the token as before. If permissions include User.Read.All or Directory.Read.All, results will be returned.

Troubleshooting

“Invalid client secret”

  • Ensure you generated a Client Secret
  • Ensure it has not expired
  • Ensure no whitespace was copied accidentally

“Insufficient privileges”

  • API permissions must be granted
  • Some permissions require Admin Consent

“redirect_uri_mismatch”

“resource not found” errors

Microsoft Graph and SharePoint Online use different resource identifiers. Ensure you request the correct scope for each API.

Notes on SharePoint ACS vs Azure AD

Historically, SharePoint Online supported ACS (App-Reg / App-Inv). New development should use Azure AD and Microsoft Graph. However, ACS still works for many legacy scenarios — Postman can authenticate using either method.

Related Articles

Reference

  • StackExchange: SharePoint Online REST API Authentication In POSTMAN