Access SharePoint Online REST API via Postman with User Context


SharePoint Online(SPOL) allows remote applications to call the REST API with user impersonation. This article demonstrates how to access SPOL REST API and to the data from a SharePoint list in a tenant using Postman. However, outside of .NET the authentication piece is not so straightforward. App authentication solves this issue for registered apps but in this article you will see how remote user authentication can be achieved, regardless of platform.

The goal of this article is to provide examples of the HTTP requests which need to be made in order to authenticate SharePoint Online. It then provides an example of using the same technique to read data from a SharePoint list just to make sure it all works.


To play with this POC, you need the following:

Note: If you already have a subscription, you can use an existing account from your Office 365 subscription.

  • A SharePoint List with some data.
  • To send HTTP requests I am going to use Postman. Click here to go through Postman Getting Started details.
  • Fiddler to trace / debug

Note: The type of applications where this kind of approach may be necessary include: Java, PHP, or Informatica.

  • Keep the Chrome Browser and Fiddler Running for this POC. But you don’t need to login to SharePoint.

Steps Invovled

Before we read the data from SPOL, The REST API authentication piece comes in a few steps:

  • Generate Security Token
  • Generate Access Token
  • Get Request Digest

Generate Security Token

The first step is to provide a username and password of a user with Read access to the SharePoint List and the URL at which we want access to the SharePoint Online Security Token Service.

This is done by sending a POST request with the following XML as the request body to the URL


Note: Replace the following values with your data.

[User Name] – SPOL Account Username (example:

[Password]     – SPOL Account Password

[SharePoint Site URL] – SharePoint site URL where your list exists

Postman Configurations


(Request Body)


(Request Header)

Set Content-Type to application/x-www-form-urlencoded

Now hit Send button to view the Response. Your HTTP Response should be something like this:



Note down the security token value inside the wsse:BinarySecurityToken tag.

Important Note: If you get “Direct login to WLID is not allowed for this federated namespace” error, you have to follow different steps. Please refer the C# code for the tenants connected with ADFS.

Generate Access Token

Once the security token has been generated it must be used to fetch the access token. We can do this by sending a POST request to the following URL with the security token in the request body:

Postman Configurations


(Request Header)


(Request Body)

Now hit Send button to view the Response. Your HTTP Response should be something like this:

The response for this request contains some Cookies which must be passed as headers with all upcoming requests. Note down the values of the rtFa and FedAuth Cookies.



Get Request Digest

The request digest is a feature that ensures requests are coming from a single session. It must also be included with any POST requests.

We can get the request digest value by sending a POST request to the below URL:

Add rtFa and FedAuth Cookie values as headers with the request.

Postman Configurations


(Request Header)

Now hit Send button to view the Response. Your HTTP Response should be something like this:


(Request Response)

Note down the security token value inside the d:FormDigestValue tag including date and time zone values.

Read Data from SharePoint List

Now we are going to pass the d:FormDigestValue along with rtFa and FedAuth Cookie values in header section to access the SharePoint list via List REST API endpoint as shown below:

Postman Configurations


(Request Header)


(Request Response)

As you can see, we are able to read the SharePoint list data via REST API without login to SharePoint site in the browser.

Now you can try to mimic the same process in your own server-side language which supports web requests and work against SharePoint Online. The C# version of the same concept can be found here.

Issues Faced

If you are not able to generate REQUEST DIGEST value, follow the below article:

403 Forbidden from /_api/contextinfo when using Chrome Postman REST App




Site Property Bag Manager

SharePoint Property Bag is a great option to store configurations at different levels of the SharePoint hierarchy outside of the application itself. The same property bag entry can be used in SharePoint Search once it is crawled. Based on the requirement we can decide if we need a property bag item with crawl enabled or not.

In the sample SharePoint Hosted app attached, I have mentioned the list of supported properties as I do not want to modify the OOTB properties. Please use this app as starter kit and leverage the same according to your requirement.


Supported Properties


Supported Properties - Choices



Edit Supported Property

Download Code

Enable SharePoint Site Owners to read SharePoint site usage data saved in Google Analytics


  • Most analytic tools allow the site administrators/business leads to read how their site is being visited/used.
  • Site owners cannot review specific data themselves and they have to reach out to site administrators/business leads.


  • Build a Custom Web API to interact with Google Analytics and enable users to post queries for analytics data directly from a SharePoint Hosted App.
  • Now site owners don’t have to request information from the site administrators/business leads.
  • Site administrators/business leads don’t have to handle the requests coming from site owners to see their site usage.



  • User navigates to the SharePoint hosted app page.
  • The SharePoint hosted app page will pass the requests based on the metric selected by the user to collect information using the custom Web API
  • The Web API will authenticate using a service account/Client ID & Secret, then interacts with Google Analytics API and receive the response from Google Analytics, returns the data back to the SharePoint hosted app page.
  • SharePoint Hosted app page will process the output received from the custom API and present the data to user in a readable way as shown below:


Disclaimer and confession
This is not a drop in solution and you have to adapt it to suit your needs: your mileage may vary and I actually learned most of what I know on this subject the past few years. I am not following best practices, but this post should get you started.

Isolating RER code logic from Provider Hosted Apps

Problem Statement

Users who have full permission on the SharePoint site can delete the mandatory provider hosted apps developed to handle remote events such as List Added, Item Added, etc.,

If the user removes this app by mistake/intentional then the logic written to handle the remote events will not get executed so it’s an overhead for the governance/monitoring job.


Deploy the mandatory apps from app catalog as explained here

Optimal Workaround


  • Remove the RER code from the List Settings App (Samples.RER.App) and configure full tenant permissions so that we can attach the RER to any Web or List across the tenant.
  • Instead of installing the List Settings app (Samples.RER.App) in all the sites, install the app only in App Store site so that we have an app principle (app id and secret) that is trusted in our tenant.
  • Don’t deploy the remote web (Samples.RER.AppWeb) that gets created with the List Settings App project (provider hosted).

         Note: I assume you do not have any functionality written on the remote web that gets created with the List Settings App.

  • Create a web project(Samples.RER.Service) that implements the IRemoteEventService interface. This essentially means it must override the methods ProcessEvent and ProcessOneWayEvent methods. Make sure that your project now has the TokenHelper.cs class also. The clientcontext object is retrieved as an app only access token. This code is different from the code that is used normally for a RER.
  • Go back to our web project(Samples.RER.Service) and plug in the App id and secret for the List Settings App in the web.config file.
  • Deploy the app web project(Samples.RER.Service) to azure.
  • Use PowerShell/C# to add/remove receivers to different sites and for different events.
  • When the event occurs, SharePoint will reach out to the WCF Service URL with the event properties object (SPRemoteEventProperties).

The advantage with this setup is that you can keep updating your web project(Samples.RER.Service) and deploy to Azure and then use PowerShell/C# to add/remove receivers to different sites and for different events. There is no need to deploy, remove, redeployment of the app to attach the receivers.

Thank you Srinivas(MS PFE) for this idea.

Hiding SharePoint Apps/Add-ins from users

Problem Statement
Users who have full control are able to delete the mandatory apps from site.

Is it possible to hide an installed/added app (in a site collection) from users with specific permissions or from a user group?

We can hide an app by embedding a JQuery custom action (jQuery(‘img[alt=”YourAppTitle”]’).closest(‘div[class^=”ms-vl-apptile”]’).hide();) but cannot hide an app from the view all site content page with a direct app permission.

How can I control/govern?
We can control the apps from app catalog site. If you have a mandatory app that should not be removed by site users with full control then follow the below steps:

  • Install the mandatory app in the app catalog site
  • Select the deployment option from the app properties as shown below


  • You will be redirected to the Manage App Deployment page
  • Specify what site collections/managed paths/site templates should have this app available and click OK.
  • Go to a site where you configured to install the app. You should be able to see the app installed.
  • Now if you look at the options in the app, you will not see the remove option. This is because the app is now controlled from the central place (app catalog).


  • Based on the configuration changes from the app catalog SharePoint will propagate the changes to the respective sites.

Hook up Google Analytics or Azure Application Insights to track SharePoint Usage

Knowing how people use your application lets you focus your development work on the scenarios that are most important to them, and gain insights into the goals that they find easier or more difficult to achieve. Google Analytics or Azure Application Insights will take you to the next level of analyzing the SharePoint Usage.

In the below example, I am going to show you how to hook up Google Analytics or Azure Application Insights tracker file to track SharePoint Usage in the site collection level using the famous Pnp Provision Engine Template.

Steps to implement

  • Extract the file and Paste the PnpCustomAction folder on your laptop/server
  • Install PnPPowerShellCommands16.msi on your laptop/server (download here – To know more about Pnp Provision Engine click here
  • Open the tracking.js(Custom JS action) file and update the script you have copied from Google Analytics or Azure Application Insights
  • Upload the tracking.js(Custom JS action) file in your CDN/SharePoint Library. In this example, I have uploaded the tracking.js file in a document library
  • Open the Template_Apply_WebCustomActions.xml file and update the URL(the place where you have uploaded the tracking.js file) mentioned in the ScriptBlock attribute under pnp:CustomAction node
  • Update the site collection URL in Deploy.ps1 file and execute
  • Navigate to different sub-sites under the site collection against where you have executed this script and make sure the tracking data are captured.

Google Report


Azure Report


Let me know if you have any queries on this.

Azure Traffic Manager for Provider Hosted Apps – Global Load Balancing

Microsoft Azure Traffic Manager allows us to control the distribution of user traffic to the specified endpoints (Zone Specific Azure Sites).

Azure Traffic Manager gives us three traffic routing methods to choose from:

  • Failover
  • Performance
  • Round robin.

We can choose the one that is right for our application or scenario.


  • Traffic Manager can improve the availability of important applications by monitoring our Azure sites and automatically directing users to a new location anytime there is a failure.
  • Traffic Manager makes applications more responsive and improves content delivery times by directing users to an Azure or external location with the lowest network latency.
  • Traffic Manager can direct user traffic to distribute it across multiple locations

Steps to load balance provider hosted apps