Troubleshooting SharePoint Web Connections and Services

Liz Sanderson

Are you encountering issues connecting to SharePoint in FME?

This article contains troubleshooting and common issues encountered when configuring a SharePoint web service definition and connection for both Form and Flow.

If you have not already, please ensure that you have followed all the steps in the How to Create a SharePoint Web Connection article for your product and tenancy. The list of articles is found here. For many users, this is their first encounter with Azure App Registrations. Once the app has been registered with Microsoft Azure, the information needs to be carefully added to the web service definition in FME so that it can be used for OAuth 2.0. 

Please ensure you’ve correctly configured the Azure app registration and web service by reviewing the Initial Troubleshooting.

If you’re confident everything is set up correctly and you’re still experiencing issues look through the Common Issues. If your issue isn’t listed, refer to the additional troubleshooting tips to help narrow down the cause of the issue (and hopefully find a fix!).
 


Initial Troubleshooting

Here are some steps that get overlooked during configuration of the Azure App Registration and FME web service. These steps are all covered in detail in the How to Create a SharePoint Web Connection articles listed here.
 

Tenancy

Microsoft gives the option of both single tenant and multitenant applications, and the configuration for each is slightly different. If your application is multitenant, the URLs in FME’s web service definition should have /common/ in them. If the application is single tenant, you should have the directory (tenant) id in the URL instead.
For more information, see Microsoft’s documentation on Tenancy in Azure Active Directory.
 

Client Secret

Microsoft requires a client secret for confidential web apps, which means this is required for FME Flow. The client secret should not be used in FME Form, which is a native app. If you’re working in Form then ensure that 'Optional' is checked next to Client Secret in the web service definition.

If you’re publishing the web connection to FME Flow, ensure you’re copying the client secret from Azure and adding it to the web service in FME Flow only. Ensure you’re copying the value of the secret and not the secret id.
Web Connections - FME Flow documentation
 

API Permissions

The SharePoint List Reader/Writer uses a different API than the SharePoint Online Connector. Make sure you’ve chosen the right permissions in Azure for FME. The SharePoint List Reader/Writer uses the SharePoint API and will need those permissions. The SharePoint Online Connector uses the Microsoft Graph API and will need those permissions.
In FME, as long as the auth URL in the web service definition uses the .default scope and the correct permissions have been given in Azure there should be no issues.

Required permissions can be found in these articles:
How to Create a SharePoint Web Connection for FME Form for either a multitenant or single tenant Azure App Registration.
 

Redirect URI and Platform

The redirect URI must match between what is configured in FME and in the Azure App Registration. If this does not match you will receive an error when testing or authorizing the web connection. In addition, the redirect URI must be added to the correct platform under Authentication in the Azure App Registration. For FME Form, the platform is 'Mobile and Desktop Applications'. For FME Flow, the platform is 'Web'.  

FME Flow must be configured for HTTPS and the redirect URI will be https://myfmeflow.mydomain.com/fmeoauth.
 

Review FME Flow Logs

If you are trying to get the connection working on FME Flow, review the logs for errors or warnings. The OAuth log can be found under Resources > Logs > Service > Current > fmeoauth.log. Job logs and the fmeserver.log file can also be helpful.
 

Common Issues

Admin consent required

If your Azure portal requires admin consent, you will receive an 'Approval Required' message when trying to authorize the SharePoint connection. 

Authorizing with an Azure Administrator account should resolve the issue. Otherwise, the administrator will need to approve your request in the Azure portal. Try to reauthorize the connection. If you are still prompted for admin consent, remove "&prompt=consent" from the web service Authorization Parameters URL in FME Form, or change it to "&prompt=none".

In the Microsoft Graph API authorization URL, the "prompt" parameter is used to specify whether the user should be prompted to sign in or to consent to the requested permissions.

Microsoft Graph OAuth2 Request Parameters
 

Invalid audience

In the context of a Microsoft Graph application's OAuth2 authentication flow, an "audience" refers to the target resource or service that the access token will be used to access.

When an application requests an access token from Microsoft Graph, the application specifies the "audience" parameter in the authentication request. The value of this parameter should be set to the App ID URI of the target resource or service that the application wants to access with the access token.

For example, if an application wants to access a user's OneDrive files, it would set the "audience" parameter to "https://graph.microsoft.com". This tells Microsoft Graph to issue an access token that is intended for use with the Microsoft Graph API.

When the application sends a request to Microsoft Graph API, it includes the access token in the Authorization header of the request. The "audience" parameter in the access token should match the value that was specified in the authentication request. If the "audience" parameter in the access token doesn't match the intended resource, the request will be rejected.

In summary, the "audience" parameter in the Microsoft Graph OAuth2 authentication flow is used to indicate the intended resource or service that the access token will be used to access.

If you are using one app registration for both the SharePoint Online Connector and the SharePoint List Reader/Writer, ensure that the scope in the authorization URL is scope=https://[TENANT].sharepoint.com/.default offline_access. Alternatively, create two separate apps in Azure and set the scope in each web service definition’s authorization URL accordingly (for example scope=offline_access sites.readwrite.all etc.).
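The audience mismatch described above is easiest to confirm by reading the aud claim of the access token that was actually issued and comparing it with the resource the scope in the authorization URL asks for. The following is an added example, not code from the FME article or from Safe Software: it derives the expected audience from the scope query parameter, decodes the token payload without verifying the signature (troubleshooting only), and compares the two. The tokens and tenant name (contoso) are constructed inline so the script runs offline; the function names are this example's own.

```python
"""Added example (not from the FME article): check that an access token's
``aud`` claim matches the resource named by the scope in the authorization URL.
The tokens below are CONSTRUCTED, unsigned samples built inline; ``contoso`` is
a placeholder tenant name."""
import base64
import json
from urllib.parse import parse_qs, urlparse

# Microsoft Graph's application ID; Azure may put this in ``aud`` instead of the URI.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"


def expected_audience(auth_url: str) -> str:
    """Resource the token should be issued for, based on the ``scope`` parameter.

    https://<tenant>.sharepoint.com/.default targets the SharePoint REST API
    (List Reader/Writer); any other scope (e.g. sites.readwrite.all) targets
    Microsoft Graph (SharePoint Online Connector)."""
    scope = parse_qs(urlparse(auth_url).query).get("scope", [""])[0]
    for part in scope.split():
        low = part.lower()
        if low.startswith("https://") and low.endswith("/.default"):
            return part[: -len("/.default")]
    return "https://graph.microsoft.com"


def token_claims(access_token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (for inspection only)."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_matches(access_token: str, auth_url: str) -> bool:
    """True when the token's ``aud`` is the resource the scope asked for."""
    aud = token_claims(access_token).get("aud", "")
    expected = expected_audience(auth_url)
    if expected == "https://graph.microsoft.com" and aud == GRAPH_APP_ID:
        return True
    return aud.rstrip("/").lower() == expected.rstrip("/").lower()


def _make_sample_token(claims: dict) -> str:
    """Build an unsigned, JWT-shaped string for offline demonstration only."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed inputs: two authorization URLs (Graph scope vs SharePoint scope)
# and one sample token for each resource.
GRAPH_AUTH_URL = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
                  "?client_id=x&response_type=code"
                  "&scope=offline_access%20sites.readwrite.all&prompt=none")
SP_AUTH_URL = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
               "?client_id=x&response_type=code"
               "&scope=https://contoso.sharepoint.com/.default%20offline_access")
GRAPH_TOKEN = _make_sample_token({"aud": "https://graph.microsoft.com",
                                  "scp": "Sites.ReadWrite.All"})
SP_TOKEN = _make_sample_token({"aud": "https://contoso.sharepoint.com",
                               "scp": "AllSites.Write"})

if __name__ == "__main__":
    # Connector (Graph scope) with a Graph token: OK
    print(audience_matches(GRAPH_TOKEN, GRAPH_AUTH_URL))
    # SharePoint REST token presented where a Graph token is expected: mismatch
    print(audience_matches(SP_TOKEN, GRAPH_AUTH_URL))
```

Run it against a real token by pasting the token string in place of the constructed sample and the authorization URL from your web service definition; a False result is the "invalid audience" condition, and the fix is in the scope or in the app registration, not in the token.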
 

Delegated vs application permissions

FME currently only supports delegated permissions, which requires FME to access the API as the signed-in user, but with access limited by the selected permission.

FME does not support application permissions where it would access the web API as itself (FME) rather than a signed-in user. This type of permission requires administrator consent and is also not available for native client applications (FME Form).

Ensure that you’re using delegated permissions when configuring the Azure App Registration.
 

401 unauthorized or failed to obtain refresh token

Microsoft does not trust desktop applications to provide a client secret for security reasons.

In the OAuth 2.0 authentication flow, the client secret is used to authenticate the application and protect the client credentials from unauthorized access. However, in a desktop application, the client secret is not secure because it can be easily extracted from the application code or configuration files, making it vulnerable to attacks.

To mitigate this risk, Microsoft recommends that desktop applications use the "OAuth 2.0 Authorization Code Grant" flow, which involves redirecting the user to a sign-in page in a web browser to obtain an authorization code. This authorization code can then be exchanged for an access token and a refresh token that the application can use to access the user's data.

In this flow, the client secret is only used to authenticate the application with the authorization server during the initial setup process. After that, the application uses the authorization code and the client ID to obtain access tokens without exposing the client secret.

By using this flow, Microsoft can help ensure that the client secret is kept confidential and not exposed to potential attackers.

If the app is registered as a desktop app in Azure then FME Workbench must not send a client secret to Microsoft. You can do this by clicking the 'Optional' checkbox next to the client secret parameter in the FME Workbench web service definition. 
 

403 Client Error: Forbidden for url.

You are able to authorize your connection successfully, but receive an error like the one below when a workspace is run:

Client-side error: '403 Client Error: Forbidden for url: https://mysite.sharepoint.com/sites/_api/web/Lists?%24select=Title%2CId&%24filter=Hidden+eq+false' returned from SharePoint. Error message was: 'Attempted to perform an unauthorized operation.' 

Make sure that the Microsoft account you authorized the web connection with has necessary access to the SharePoint site hosting the list or library. 
 

Different lists returned in FME compared to SharePoint in the web browser

If different lists are being returned in FME compared to what is being returned in the browser you will need to verify with the MS Graph Explorer if the API is returning the correct list.
When you access the MS Graph Explorer ensure you sign in (top right) with the same account that is being used in the SharePoint web connection.

On the left hand navigator of the Graph Explorer you can expand the SharePoint queries for sites, lists, etc.
If the Graph API is not returning the expected information then FME will also not be able to access it, as it uses the Graph API.
 

Intermittently cannot connect to SharePoint from FME Flow

When a web connection is published to FME Flow it also publishes the current (normally working, “active”) authorization token. After a period of time determined by Microsoft (an hour, a month, etc.) this token will expire, and if FME Flow has not been configured properly for the web service it will be unable to refresh the token.

After a web connection and its web service have been published to FME Flow the user will need to:

  • Ensure the app registration in Azure has a web platform configured. 
  • Specify the correct redirect URI in the web platform (https://<host>:<port>/fmeoauth). 
  • Generate a client secret and add this to the web service in FME Flow
  • Ensure the client_secret=[CLIENT_SECRET] parameter has been added to the Refresh Token Parameters in the web service. Note that this can only be set in FME Form and must then be published to FME Flow.
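Most of the checks in this article (Tenancy, Client Secret, Redirect URI and Platform, and the FME Flow refresh-token list just above) are mechanical comparisons of the values entered in the web service definition. The script below is an added example, not from the FME article or Safe Software: it takes those values as a plain dictionary and reports the mistakes the article describes. The dictionary keys (auth_url, token_url, refresh_params, client_secret_optional and so on) are this example's own names, not FME parameter names, and the tenant id, hostnames and secret values are constructed placeholders.

```python
"""Added example (not from the FME article): a checklist over the values you
would enter in an FME web service definition for SharePoint.  Key names are
this script's own assumptions; all sample values are constructed."""
import re
from urllib.parse import parse_qs, urlparse

GUID = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)


def check_web_service(cfg: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    product = cfg["product"]              # "form" (native app) or "flow" (confidential web app)
    single_tenant = cfg["single_tenant"]  # how the app registration was created in Azure

    # Tenancy: single tenant -> directory (tenant) id in the URL path; multitenant -> /common/
    for name in ("auth_url", "token_url"):
        parts = urlparse(cfg[name]).path.split("/")
        segment = parts[1] if len(parts) > 1 else ""
        if single_tenant and not GUID.match(segment):
            findings.append(f"{name}: single tenant app must use the tenant id, not '{segment}'")
        if not single_tenant and segment != "common":
            findings.append(f"{name}: multitenant app should use /common/, not '{segment}'")

    # Redirect URI: identical in FME and Azure; Flow additionally needs HTTPS and /fmeoauth
    redirect = cfg["redirect_uri"]
    if redirect != cfg["azure_redirect_uri"]:
        findings.append("redirect_uri: does not exactly match the URI registered in Azure")
    if product == "flow":
        u = urlparse(redirect)
        if u.scheme != "https" or u.path != "/fmeoauth":
            findings.append("redirect_uri: FME Flow needs https://<host>:<port>/fmeoauth")

    # Client secret: Flow (web platform) requires it; Form (desktop platform) must not send one
    secret = cfg.get("client_secret")
    refresh = parse_qs(cfg.get("refresh_params", ""))
    if product == "flow":
        if not secret:
            findings.append("client_secret: required for the confidential web app used by FME Flow")
        elif GUID.match(secret):
            findings.append("client_secret: looks like the secret ID; copy the secret value from Azure")
        if "client_secret" not in refresh:
            findings.append("refresh_params: add client_secret=[CLIENT_SECRET] or token refresh fails")
    elif secret and not cfg.get("client_secret_optional", False):
        findings.append("client_secret: tick 'Optional' in FME Form; a desktop app must not send a secret")

    # Refresh tokens are only issued when offline_access is in the requested scope
    scope = parse_qs(urlparse(cfg["auth_url"]).query).get("scope", [""])[0]
    if "offline_access" not in scope.split():
        findings.append("auth_url: scope lacks offline_access, so no refresh token will be issued")
    return findings


# Constructed sample: a correctly configured single tenant definition for FME Flow
TENANT = "11111111-2222-3333-4444-555555555555"  # placeholder directory (tenant) id
FLOW_OK = {
    "product": "flow", "single_tenant": True,
    "auth_url": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize"
                "?scope=offline_access%20sites.readwrite.all",
    "token_url": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
    "redirect_uri": "https://myfmeflow.mydomain.com/fmeoauth",
    "azure_redirect_uri": "https://myfmeflow.mydomain.com/fmeoauth",
    "client_secret": "secret-value-placeholder",
    "refresh_params": "grant_type=refresh_token&client_id=[CLIENT_ID]"
                      "&refresh_token=[REFRESH_TOKEN]&client_secret=[CLIENT_SECRET]",
}

# Constructed sample: a multitenant FME Form definition with several of the article's mistakes
FORM_BAD = {
    "product": "form", "single_tenant": False,
    "auth_url": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize"
                "?scope=sites.readwrite.all&prompt=consent",
    "token_url": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
    "redirect_uri": "http://localhost:8080/fmeoauth/",
    "azure_redirect_uri": "http://localhost:8080/fmeoauth",
    "client_secret": "should-not-be-sent",
    "client_secret_optional": False,
}

if __name__ == "__main__":
    for label, cfg in (("FLOW_OK", FLOW_OK), ("FORM_BAD", FORM_BAD)):
        print(label, check_web_service(cfg) or "no findings")
```

The FORM_BAD sample produces four findings (tenant id used in a multitenant auth URL, redirect URI mismatch, client secret not marked Optional, and a scope without offline_access); pasting a secret ID rather than its value into the Flow sample is caught by the GUID check.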

How to Create a SharePoint Web Connection for FME Flow [Single Tenant]
How to Create a SharePoint Web Connection for FME Flow [Multitenant]

 

Additional Troubleshooting Tips

Azure error messages

Azure error messages are normally descriptive and it will be clear what the issue is. For example:

Invalid Resource. The client has requested access to a resource which is not listed in the requested permissions in the client’s application registration.
This means FME is trying to access resources it doesn’t have permissions to. This will need fixing in the Azure App Registration.

The reply URL specified in the request does not match the reply URLs configured for the application.
The reply URL is not the same as the redirect URI. You will need to verify that FME and Azure have exactly the same redirect URI in their configurations.

If you’re unsure what an Azure error message is referring to, there are normally a lot of questions and answers on the Azure Community or other online tech support forums.
 

HTTP error codes

If the web service cannot authenticate successfully, you will probably see HTTP error codes returned. If you’re not sure what an error code means, you can check here: HTTP response status codes
For example, a 401 response means the user/client is unauthorized.
You will want to check everything relating to authentication and authorization: user account signing in, Client ID, Client Secret, permissions etc.

 

Fiddler (or other network monitoring tools)

If you do not get any useful error messages back in FME, you will need to use Fiddler to intercept the network traffic and responses coming from Microsoft.
When Fiddler is open, it will capture all traffic from your computer. Filter the processes to only show traffic from FME.
If you don’t see any traffic from FME, in FME Options > Network Proxy, select Use system proxy settings.