Connect SAS (the HTTP procedure) to Microsoft 365 using OAuth or Device Code authentication


You can interact with Microsoft 365 Applications—namely Microsoft OneDrive, Microsoft Teams, and SharePoint—by calling the Microsoft Graph API through PROC HTTP. This blog provides detailed step-by-step instructions about how to call the Microsoft Graph API through PROC HTTP and is supplemented by a GitHub repository.  

Needed Components for Microsoft 365 Integration in SAS 

  • a Microsoft 365 app registration (client ID, tenant, and delegated permissions to Microsoft Graph)  
  • a configuration file (config.json) that contains the app registration information
  • the macro library that contains all the macros needed to get connected and gives a foundation for further code examples (ms-graph-macros.sas)
  • network access from SAS to Microsoft Graph endpoints

SAS Workflow Using Auth Code Flow 

There are two ways to authorize your credentials when you connect to Microsoft 365: Auth Code Flow or Device Code Flow. A recent Microsoft change to the Auth Code Flow can make the authorization code harder to obtain.

When you collect the code needed to authenticate from the browser, you have only a short period of time to get the code from the URL before the browser automatically navigates to a different URL. During this process, the following message might be displayed: 

 "This page is not normally shown and could be a sign of a phishing attempt. The URL contains your password. Close this page immediately and do not copy or share the URL with anyone."

The GitHub repository provides a PowerShell sample that automates the code return, which simplifies this process.

SAS Workflow Using Device Code Flow 

Once you configure the app by following the instructions outlined in the blog, the steps to authenticate using Device Code Flow are simple and consistent. Using the macro library shared in the GitHub repository, the SAS code sequence to authenticate with Device Code Flow is as follows: 

%let src=<where your ms-graph-macros.sas file is stored>;
%include "&src./ms-graph-macros.sas";

/* Load application configuration */
%initConfig(configPath=<where your config.json file is stored>);

/* Begin device code authentication */
%generateDeviceCode();

/* Confirm the device code after completing sign-in */
%confirmDeviceCodeToken();

/* Initialize the Microsoft 365 session for Graph API calls */
%initSessionMS365;
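
At the protocol level, the device code grant (RFC 8628) is a request for a device code followed by polling of the token endpoint until the user completes sign-in. The following is an added example, written in Python rather than SAS so that it runs offline; it is not taken from ms-graph-macros.sas and does not describe how those macros are written. The names poll_for_token, DeviceCodeError, post, and demo are hypothetical, and every response and identifier in demo is constructed.

```python
import time

GRANT = "urn:ietf:params:oauth:grant-type:device_code"

class DeviceCodeError(Exception):
    """Terminal failure of the device code grant."""

def poll_for_token(post, client_id, device, sleep=time.sleep, now=time.monotonic):
    """Poll the token endpoint until sign-in completes (RFC 8628, section 3.5).

    post(form) -> dict is a hypothetical transport: it sends the form to the
    tenant's token endpoint and returns the parsed JSON body. device is the
    parsed response of the device authorization request.
    """
    interval = int(device.get("interval", 5))     # RFC default: 5 seconds
    deadline = now() + int(device["expires_in"])  # stop when the code expires
    form = {"grant_type": GRANT, "client_id": client_id,
            "device_code": device["device_code"]}
    while now() < deadline:
        sleep(interval)
        body = post(form)
        if "access_token" in body:
            return body
        error = body.get("error")
        if error == "authorization_pending":
            continue                              # user has not signed in yet
        if error == "slow_down":
            interval += 5                         # RFC 8628: back off by 5 seconds
            continue
        # expired_token, access_denied, authorization_declined, or unknown
        raise DeviceCodeError(error or "malformed token response")
    raise DeviceCodeError("expired_token")

def demo():
    """Run the poller against constructed responses; no network access."""
    replies = iter([{"error": "authorization_pending"},
                    {"error": "slow_down"},
                    {"access_token": "constructed-token", "token_type": "Bearer"}])
    waits, clock = [], [0.0]
    def fake_sleep(seconds):
        waits.append(seconds)
        clock[0] += seconds
    device = {"device_code": "constructed-device-code", "interval": 5, "expires_in": 900}
    token = poll_for_token(lambda form: next(replies), "constructed-client-id",
                           device, sleep=fake_sleep, now=lambda: clock[0])
    return token["access_token"], waits

if __name__ == "__main__":
    print(demo())
```

Any error other than authorization_pending or slow_down ends the loop, so a declined sign-in or an expired code surfaces immediately instead of being retried.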

Important Notes Regarding Device Code Flow 

Some tenants might restrict Device Code Flow entirely or allow it for only Intune-managed devices. It is also important to note that, in order to use Device Code Flow, you must enable Allow public client flows in the Azure app registration. Enabling this option is an easy change that you can make by completing the following steps:

  1. Navigate to App Registrations within Azure.
  2. Select your app.
  3. Click the Authentication (Preview) menu in the left pane under Manage.
  4. Click Settings.
  5. Then, toggle the Allow public client flows option to Enabled.

Screenshot of the "Allow public client flows" option, which is toggled to "Enabled". 

Summary 

In summary, integrating SAS programs with Microsoft OneDrive or SharePoint opens the door to powerful automation and file management capabilities within SAS workflows. To authenticate, you can choose between the Auth Code Flow and the Device Code Flow.  

Due to recent Microsoft updates, the Auth Code Flow now has some additional complications. When you collect the code that is needed to authenticate from the browser, you have only a short period of time to get the code from the URL before the browser automatically navigates to a different URL. During this process, a window might be displayed that contains an anti-phishing warning. This blog post and GitHub repository provide a PowerShell script workaround, which enables you to continue using the Auth Code Flow without needing to worry about the short window of time to collect the code. 

If permitted by the organization’s tenant settings, the Device Code Flow is generally the simpler of the two authentication methods, but both flows are viable options for authentication.