Accessing SharePoint Excel File via PowerShell App-Only (Client Secret) Returns 403

Question

Accessing SharePoint Excel File via PowerShell App-Only (Client Secret) Returns 403

Ahamed, Zahmedli 20

Hi

I recently stumbled upon this thread while trying to solve a similar issue, and I really appreciated the clear answer that was given earlier.

Link thread: https://learn.microsoft.com/en-us/answers/questions/4371676/accessing-sharepoint-excel-file-without-syncing

To recap what was discussed: the original poster was trying to access an Excel file on SharePoint without syncing, using an Azure AD app with Sites.Selected permissions and the Office365-REST-Python-Client. Despite setting up certificates and permissions correctly, they ran into a 401 Unauthorized error. The suggested solution involved using the Microsoft.Online.SharePoint.PowerShell module to manually grant API access to the specific site.

In my case, I’m running into a very similar problem, but with a few key differences:

Environment: I’m using PowerShell to access an .xlsx file stored in a SharePoint Online document library.
Authentication: My Azure AD app uses a client secret instead of a certificate.
Permissions: I’ve granted Sites.Selected API permissions in Azure and also used the SharePoint admin center to grant access to the app at the site level.
Issue: I keep getting a 403 Forbidden error when trying to retrieve or read the Excel file even after validating that the site and library are properly shared and that the app has the right permissions.

I’m wondering:

Should I follow the same approach as the earlier solution and use the Microsoft.Online.SharePoint.PowerShell module, even though I’m not using certificates?

Is there an equivalent way to grant access when using a client secret instead of a certificate?

Does the 403 error indicate a permission misconfiguration or is there something specific about accessing Excel files that I’m overlooking?

I’ve tried several combinations of permissions and access grants, but I'm still blocked. If anyone has successfully implemented a similar access model (using PowerShell + client secret + no syncing), I’d be grateful for some guidance.

Hoping you might be able to help again, Steven, as your previous response was spot on for the original question.

Thanks in advanced

1 answer

Your answer

Answer 1

Hi @Ahamend, Zahmedli

Welcome to Microsoft Q&A!

As I understand, you've created an Azure AD application and granted it the Sites.Selected API permission in Azure.
You've also configured additional access through the SharePoint Admin Center to allow the app to retrieve data (such as an Excel file) from a SharePoint site—without syncing the file.
However, when attempting to access the file via PowerShell, you're encountering a 403 Forbidden error despite having granted the necessary permissions.

You have checked a thread with similar issues and want to know if:

Do the solution provided for that thread also work with your condition, without certification required.
What does error 403 mean.

As I checked, usually error 403 meant your application authentication credential is valid but denied due to lack permissions:

User's image

Since all the configurations mentioned in the thread are at the Tenant level, they do require the highest level of admin privileges to implement.

Could you please confirm if you have the necessary permissions—such as SharePoint Admin or Global Admin—to proceed with the setup?

For if solution in the mentioned thread work with your condition:
As I checked, command Set-SPOTenant -DisableCustomAppAuthentication $false does work with client secret, as we also have a similar thread where a User wants their app to access document in SharePoint Online with client secret authentication.

However, while client secrets are currently supported, Microsoft recommends migrating to certificate-based authentication because Azure ACS will be retired in April 2026:

User's image

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Ahamed, Zahmedli 20 Reputation points

2025-08-08T01:18:13.41+00:00

I am Global Admin
Kha-N 160 Reputation points Microsoft External Staff Moderator

2025-08-08T06:14:47.7733333+00:00

Hi @Ahamed,Zahmedli,
Thank you very much for your reply.

If you're a Global Admin, you can try the steps outlined in the referenced thread and see if that helps resolve the issue.

Additionally, could you please confirm whether you've granted admin consent for your application? You can check this by navigating to:

Go to Azure AD > App registrations > "Your App" > API permissions. If the API status shows as not consented, please click "Grant admin consent".

For more detailed guidance, you can refer to this Microsoft Learn article.

Note that while doing additional researching on your topic, there is an article that suggest client secret might not work despite you have followed the steps in the mentioned thread:

As a forum moderator, my ability to provide a definitive solution is limited due to restricted access to your specific environment and diagnostic tools. However, I’m committed to helping as much as I can by sharing insights and resources based on available documentation.

Let me know how it goes or if you need further clarification, I’m here to assist you!
Kha-N 160 Reputation points Microsoft External Staff Moderator

2025-08-12T01:16:06.4066667+00:00

Hi @Ahamed,Zahmedli,

Just following up to see if the information above was helpful.

If you have any updates or further questions regarding this issue, feel free to share them here. I'm happy to assist further.

Share via

Accessing SharePoint Excel File via PowerShell App-Only (Client Secret) Returns 403

1 answer

Your answer