Sharepoint on line connector : sharepoint vs graph api

Hi team,

In order to make sharepoint connector work in easymorph, what do we have to implement on microsoft side in terms of scope ? Is it sharepoint scopes or is it graph api scopes ? What are you using in terms of API ?

My guess is that you are using sharepoint API. In that case what do you think about this link saying that graph API should be used ? SharePoint API vs Microsoft Graph API? - Microsoft Q&A
Alteryx seems to use graph API :slight_smile:



The required scopes you need to enable depend on your intended use for SharePoint. You can see the scope names in the connector window by hovering your cursor over the question mark:

AFAIK, AllSites.FullControl is the only scope that requires explicit admin consent in Azure AD. The other scopes do not require you to enable them on your end, and your users can use EasyMorph SharePoint without requiring administrator approval.

What are you using in terms of API ?

We use Microsoft’s SharePoint CSOM library, which does not use either SharePoint REST API or Graph API. Unfortunately, it’s not possible to switch Micorosft’s CSOM library to use Graph API since they are very different in nature (CSOM is stateful).

As you may know, Easymorph, like any other app using Azure needs an explicite authorization in Azure portal including authorized scopes. Can you send a print screen of the scopes you have defined in your own testing azure tenant in order to authorize easymorph to interact with SPOL ?

Edit : seems I was initially right Episode #87 - Consuming SharePoint Online using CSOM, MSAL, and OAuth - YouTube

Easymorph needs to be registered first, then the necessary API permissions must be set at sharepoint level, even for CSOM library. You must have done that once to test it. You really should document all these steps or no one will be able to use power bi or SPOL connectors.


The full extent of the testing tenant’s scopes is AllSites.FullControl, AllSites.Manage, AllSites.Read, AllSites.Write, EnterpriseResource.Write, MyFiles.Read, MyFiles.Write, Project.Write, ProjectWebApp.FullControl, TermStore.ReadWrite.All.

But I really don’t think you’ll need to authorize all these scopes.


UPD The youtube video you posted is referring to creating a custom app registration for use with SharePoint. As this may not have been clear from previous messages, all of my responses have been about using the SharePoint connector with the default EasyMorph Azure App registration.

If you are actually creating a custom app, then you are correct in saying that you will need to specify all the scopes explicitly.

I think thats exactly the same when you want to consent easymorph app. The video also applies, whatever the app is. I will implement this on my side and give you a feedback.


I may be mistaken, but according to my understanding, by default if a user authorizes our existing app in the tenant, the tenant administrator may not need to grant consent unless the user asks for scopes that specifically require admin approval.

That behavior, however, is configured in the tenant, specifically in Azure Active Directory > Enterprise applications > Consent and permissions > User consent settings. There is a “User consent for applications” selector with a default setting of “Allow user consent for apps”, which corresponds with the behavior described above.

However, there is an option to set this selector to a more restrictive setting, such as “Do not allow user consent”. If this configuration is enabled, administrator consent is required for all attempts to grant permissions to the application.