Introduction

There are many ways to access the SharePoint API to fetch or update its resources. In all of them, authentication plays an important role in authorizing access to the information. As a developer, you may be interested in using the Postman tool to access the REST APIs.

Postman Chrome Extension
This is a developer-friendly tool for handling REST APIs from any platform. Using this tool, we’ll fetch or update information in SharePoint through REST API endpoints. The utility is available as a Chrome extension; you can get it from this link: PostMan Chrome Extension.

Postman & SharePoint Rest endpoints
If you are new to the SharePoint REST API or want to know more about REST endpoints in SharePoint, visit the link Get to know the SharePoint 2013 REST service.

Now that we have some understanding of the Postman tool and the SharePoint REST API endpoints, we’ll start testing the SharePoint REST API with this tool.

Example

Let’s take a simple example: getting the web title from the current site context. The equivalent syntax for retrieving the website’s title is

https://<SiteName>.sharepoint.com/_api/web?$select=Title

After entering the above URL in the URL text box and sending the request, we get an Unauthorized exception, because SharePoint Online is secured and doesn’t allow anonymous users to access site information. Below is the error response returned after sending the request.

Fig 1: UnAuthorized from Postman

To avoid the Unauthorized exception, we have to add some request header values to the API request. Authentication and Authorization of SharePoint Add-Ins gives an overview of authorizing add-ins to access SharePoint resources through the APIs.

Authentication Policies:

SharePoint Online uses one of the three policy types below to authenticate the Add-In.

  • User Policy
  • Add-In Policy – We are using this policy to authenticate the external system to access SharePoint
  • User + Add-In Policy

Request Headers:

We also require the following information in various requests to authenticate with the SharePoint Online site.

  • Client Id
  • Client Secret
  • Realm (Tenant Id)
  • Access Token

Authorize Postman to access SharePoint

To be authorized from an external system, we should pass the access token value as a request header along with the REST API URL. Before that, we have to get the access token, and for that we should generate the Client Id and Client Secret from the site by registering an app-only Add-In in the SharePoint site. This is the same as registering an add-in for a Provider Hosted Add-In.

I have provided the steps below to get the Tenant Id, Access Token and data from SharePoint using PostMan utility.

Register Add-In

As the first step, we have to register the Add-In in the SharePoint site whose information we want to access. Follow the steps below to register the Add-In in the SharePoint site.

  • Navigate to the SharePoint Online site and log in.
  • Then navigate to the Register Add-In page by entering the URL

https://<sitename>.SharePoint.com/_layouts/15/appregnew.aspx

  • In the App Information section, click the Generate button next to the Client Id and Client Secret textboxes to generate the respective values.
  • Enter the Add-In title in the Title textbox
  • Enter AppDomain as localhost
  • Enter RedirectUri as https://localhost
Fig 2: Register an Add-In
  • Click the Create button, which registers the add-in and returns a success message with the created information.
Fig 3: Add-In Registration Successful

Grant Permissions to Add-In

Once the Add-In is registered, we have to set the permissions for that add-in to access the SharePoint data. We will set the Read permission level to the web scope, so that we will be able to read the web information.

  • Navigate to the SharePoint site
  • Then enter the URL https://<sitename>.sharepoint.com/_layouts/15/appinv.aspx in the browser. This will redirect to the Grant permission page.
  • Enter the Client ID (which we generated earlier) in the AppId textbox and click the Lookup button. That will populate the Title, App Domain and Redirect Url textboxes.
Fig 4: Set Permissions to Add-In
  • Now enter the below permission request in XML format.
    <AppPermissionRequests AllowAppOnlyPolicy="true">
        <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Read" />
    </AppPermissionRequests>
    
  • Then click the Create button. This redirects to a page where we have to trust the add-in to read items from the website.
Fig 5: Trust Add-In

Note: If we want to access the site collection or tenant level, we have to add the XML accordingly.

Retrieve the Tenant ID

Once we have registered the Client Id and Secret with the permissions, we are ready to access SharePoint information from an external system or tool.

First, we have to know the Tenant ID. Follow the steps below to obtain it with Postman, which helps to get the tenant Id by requesting the URL below with an Authorization header.

  • Launch the Postman Chrome extension.
  • Select the Get method
  • Enter the below URL in the “Request URL” textbox
    https://<sitename>.sharepoint.com/_vti_bin/client.svc/
  • Configure the below information in the header section to send along with the URL request
    Method = Get
    Headers

    Key | Syntax | Value
    Authorization | Bearer | Bearer
  • After applying the configuration, click the Send button. The response returns a lot of headers but ends with unauthorized access.

    Fig 6: Get Tenant ID from SharePoint Online

 

Generate the Access Token

In the response headers, we will get WWW-Authenticate as one of the headers, and it contains the information required for the next step. The realm value contains the tenant id for the SharePoint Online site, and the client_id value contains the resource information (we’ll use it later).

  • After getting the Tenant ID, we have to form a URL in the below format for requesting the access token.
    https://accounts.accesscontrol.windows.net/<TenantID>/tokens/OAuth/2
  • Apply the below configurations in the header
    Method = POST
    Headers

    Key | Syntax | Value
    Content-Type | application/x-www-form-urlencoded | application/x-www-form-urlencoded

    Body

    Key | Syntax | Value
    grant_type | client_credentials | client_credentials
    client_id | ClientID@TenantID | 4b4276d0-74cd-4476-b66f-e7e326e2cb93@10267809-adcb-42b6-b103-c7c8190b3fed
    client_secret | ClientSecret | nuC+ygmhpadH93TqJdte++C37SUchZVK4a5xT9XtVBU=
    resource | resource/SiteDomain@TenantID | 00000003-0000-0ff1-ce00-000000000000/spsnips.sharepoint.com@10267809-adcb-42b6-b103-c7c8190b3fed
  • After applying the configuration, click the Send button. That will return the response with the Access Token.
Fig 7: Postman response contains Access Token

Once we have received the access token, we have the authorization to access the SharePoint data based on the permission applied in the Grant Permissions to Add-In section.

We have to pass the access token as “token_type access_token”.
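The two steps above (reading the realm and client_id from the WWW-Authenticate challenge, then assembling the token request) as an added JavaScript example, not code from the original article. The function names, the trusted_issuers value in the sample challenge and the client secret are constructed for illustration; the example also validates the values it places into the URL and shows why the form body must be URL-encoded.

```javascript
// Added example; function names are illustrative, not from the article.
const GUID = /^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i;

// Parse a `Bearer key="value",...` challenge; quoted values may contain commas.
function parseBearerChallenge(header) {
  const m = /^Bearer\s+(.*)$/i.exec(header.trim());
  if (!m) throw new Error('not a Bearer challenge');
  const params = {};
  for (const [, key, value] of m[1].matchAll(/([A-Za-z_]+)="([^"]*)"/g)) {
    params[key.toLowerCase()] = value;
  }
  return params;
}

// Assemble the token request using the key formats from the article's tables.
function buildTokenRequest(challenge, siteHost, clientId, clientSecret) {
  const { realm, client_id: resourceId } = parseBearerChallenge(challenge);
  // realm goes into a URL path, so accept nothing but GUIDs here.
  if (!GUID.test(realm || '') || !GUID.test(resourceId || '')) {
    throw new Error('challenge lacks a GUID realm or client_id');
  }
  if (!/^[a-z0-9-]+\.sharepoint\.com$/i.test(siteHost)) {
    throw new Error('unexpected site host');
  }
  // URLSearchParams percent-encodes '+', '/', '=' and '@'; an unencoded '+'
  // in the secret would be read by the server as a space.
  const body = new URLSearchParams({
    grant_type: 'client_credentials',
    client_id: `${clientId}@${realm}`,
    client_secret: clientSecret,
    resource: `${resourceId}/${siteHost}@${realm}`,
  }).toString();
  return {
    method: 'POST',
    url: `https://accounts.accesscontrol.windows.net/${realm}/tokens/OAuth/2`,
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body,
  };
}

// Constructed sample: IDs are the article's; trusted_issuers and the secret are made up.
const SAMPLE_CHALLENGE = 'Bearer realm="10267809-adcb-42b6-b103-c7c8190b3fed",' +
  'client_id="00000003-0000-0ff1-ce00-000000000000",' +
  'trusted_issuers="issuer-a@*,issuer-b@example"';
const sampleRequest = buildTokenRequest(SAMPLE_CHALLENGE, 'spsnips.sharepoint.com',
  '4b4276d0-74cd-4476-b66f-e7e326e2cb93', 'abc+def/ghi=');
console.log(sampleRequest.url);
console.log(sampleRequest.body);
```

In real use, read the client secret from an environment variable or a secret store rather than embedding it in the script.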

Access the SharePoint resource

Now that we have the access token, we can pass it in the Authorization header with the SharePoint REST API request to get the information.

  • In Postman tool, add the below URL to retrieve the web title

https://<sitename>.sharepoint.com/_api/web?$select=Title

  • Apply configurations in the header
    Method = POST
    Headers

    Key | Syntax | Value
    Accept | application/json;odata=verbose | application/json;odata=verbose
    Authorization | <token_type> <access_token> | Bearer eyJ0eX….JQWQ
  • After applying the configuration, click the Send button.
  • We will get a successful response as below if the permission XML was applied correctly on the appinv page. Otherwise we will get the access denied error message.
Fig 8: Postman returns the web title in response

Conclusion

In conclusion, the Postman utility helps us test REST API endpoints before starting development. In the same way, we can retrieve or update any information from SharePoint that is supported by the SharePoint REST API endpoints. In my next article, I’ll cover how to do the same in an external application using JavaScript.


17 thoughts on “Access SharePoint Online using Postman”

  • February 2, 2017 at 5:50 PM

    Hi Shantha Kumar,

    Nice article, provided the valuable information. Successfully created/updated the list item following the above steps, but it always shows the Created By / Modified By column value as “Sharepoint App”.
    Is there any way to update the context (login) user?

    • August 22, 2017 at 1:06 AM

      Hi Rambabu,

      Will you please guide how you performed CRUD operation on List Item from this article.

      Best Regards,

      Ajay Yadav

  • May 5, 2017 at 1:54 PM

    Hi Shantha,

    Is there any way I can update/insert items in the existing list using Postman?

    Need help.

    Thanks and Regards,
    Ajay

  • May 5, 2017 at 9:06 PM

    Hello,
    Nice article, good tuto,
    It was very helpful.

    thank you !

  • May 12, 2017 at 11:33 AM

    Very helpful article! Thank you!

  • June 1, 2017 at 3:11 PM

    Everything worked and I got the access token, but finally, when I try to get the title of a test site I created in SharePoint Online, it shows an Access denied error.

  • June 2, 2017 at 6:45 AM

    Hello,

    Nice article! I want to use the feature to get the access token by selecting the authorization method as OAuth 2.0 in Postman. Once I got the client_id and client_secret, what do I put in the Auth Url and Auth Token Url? Please help me to successfully get the access token.

    Regards

    • September 13, 2017 at 6:56 PM

      Hi,
      Did you get the solution for this?
      I am also trying to do something similar.

  • June 5, 2017 at 10:41 PM

    Great tutorial!
    Very useful.
    Thanks!

  • June 23, 2017 at 8:17 PM

    Hi,

    Nice article. I am trying similar functionality with ADFS login to SharePoint Online, i.e., using a company email address (abc@company.com) to log in to SharePoint Online, not like abc@company.onmicrosoft.com. When I try with Postman, I’m getting the error “Direct login to WLID is not allowed for this federated namespace”. Is there any way to get rid of this?

    Thanks in advance

    Br,
    Srini K

  • August 3, 2017 at 10:13 PM

    What is the resource in the syntax resource/SiteDomain@TenantID from Generate the Access Token step?

  • August 21, 2017 at 8:54 PM

    Hi Shantha,

    I need to perform a CRUD operation from Postman?

    Kindly help.

    Thanks and Regards,

    Ajay

  • August 28, 2017 at 12:15 AM

    Really helpful. Thank you!

  • September 6, 2017 at 9:44 PM

    Hi,
    I followed the steps but in Generate the Access Token, I didn’t get the token. Instead I got this answer:
    “Tenant not found. This may happen if there are no active subscriptions for the tenant. Check with your subscription administrator”
    What do I have to check to see if something isn’t well set up?
    Thanks in advance

  • September 12, 2017 at 8:35 PM

    Hi,

    I want to change the domain name and redirect URL that I have provided in
    /_layouts/15/appregnew.aspx
    How do I do it?
    Can I create multiple appregnew.aspx for one site?
    I am not able to getting error.

  • September 16, 2017 at 2:58 AM

    Very good article. Helped me a lot. Thank you, sir.

  • September 19, 2017 at 4:25 PM

    Nice article, I’m able to access the data now from an external system; however, the access token expires after a few hours and requests stop. How can I make a permanent bearer access token?
