If your work environment is like ours here at SAS, you're seeing more of your data and applications move to the cloud. It's not yet a complete replacement for having local files on your desktop machine, but with cloud storage and apps -- like Microsoft OneDrive -- I can now access my work documents from any browser and any device, including my smartphone. I can update now my spreadsheets while waiting in the dentist office. Oh joy.
For those of us who use SAS to read and create Microsoft Excel documents, cloud-based files can add an extra wrinkle when we automate the process. It also adds some exciting possibilities! The Microsoft 365 suite offers APIs to discover, fetch, and update our documents using code. In this article, I'll show you how to use SAS programs to reach into your Microsoft OneDrive (or SharePoint Online) cloud to read and update your files. Note: All of this assumes that you already have a Microsoft 365 account -- perhaps provisioned by your IT support team -- and that you're using it to manage your documents.
Before I go on, I have to give major credit to Joseph Henry, the SAS developer who maintains PROC HTTP. Joseph did the heavy lifting for putting together the code and examples in this article. He also regularly adds new features to PROC HTTP that make it a more natural fit for calling REST APIs that require special authentication flows, such as OAuth2.
Note: I've updated this article several times to include detailed steps and "gotchas." I've added use cases for SharePoint Online and Microsoft Teams. I wrote a comprehensive paper for SAS Global Forum 2020. And I also recorded a 25-minute video (posted on SAS Support Communities) that shows all of the steps that I followed.
Click to watch the video tutorial.
Using SAS with Microsoft 365: an overview
Microsoft 365 uses an OAuth2-style authentication flow to grant access and permissions to third-party apps. If you're accustomed to the simpler style of just user/password authentication (ah, those were the days), OAuth2 can be intimidating. Joseph Henry does a great job of deconstructing OAuth2 -- with code samples -- in this SAS Global Forum paper.
When we're writing SAS programs to access Microsoft OneDrive or SharePoint, we're actually writing a third-party app. This requires several setup steps, a few of which cannot be automated. Fortunately, these need to be done just once, or at least infrequently. Here's an outline of the steps:
- Register a new client application at the Microsoft Azure Portal. (You will need to sign in with your Microsoft 365 credentials, which might be your primary organization credentials if you have single-signon with Active Directory.)
- Using your browser while you are signed into Microsoft 365, navigate to a special web address to obtain an authorization code for your application.
- With your authorization code in hand, plug this into a SAS program (PROC HTTP step) to retrieve an OAuth2 access token (and a refresh token).
- With the access token, you can now use PROC HTTP and the Microsoft 365 APIs to retrieve your OneDrive folders and files, download files, upload files, and replace files.
You'll have to complete Step 1 just once for your application or project. Steps 2 and 3 can be done just once, or at least just occasionally. The access token is valid for a limited time (usually 1 hour), but you can always exchange the refresh token for a new valid access token. This refresh token step can be automated in your program, usually run just once per session. Occasionally that refresh token can be revoked (and thus made invalid) when certain events occur (such as you changing your account password). When that happens, you'll need to repeat steps 2 and 3 to get a new set of access/refresh tokens.
Oh, and by the way, even though the examples in this article are specific to OneDrive, the exact same authentication flow and steps can be used for all of the Microsoft 365 APIs. Have fun with Outlook, Teams, Excel, and all of your favorite cloud-based Microsoft apps.
Step 1: Register your application
Visit the Microsoft Application Registration portal to register your new app. You'll sign in with your Microsoft 365 credentials.
Microsoft Application Registration portal
Click New Registration to get started. This presents you with a form where you can complete the details that define your app. Mainly, you're giving it a name and defining its scope. You'll probably want to limit its use to just your organization (your company) unless you're collaborating with colleagues who work elsewhere.
"Register an application" form
As you register your application, you also need to provide a redirect URL for the authorization flow. In our example, our app is considered "Public client/native (mobile/desktop)." The standard URL to indicate this is:
https://login.microsoftonline.com/common/oauth2/nativeclient
In the Redirect URI section, select this option and specify this URL value.
Redirect URI Selections
When you create an app, you'll receive a Client ID (unique to your app) and Tenant ID (unique to your organization). You'll need these values to obtain your authorization code and tokens later. The application portal provides a sort of control center for all aspects of your app. (Note: I masked out my client ID and tenant ID in this screenshot.)
Details for my sample application
Specifying your app permissions
Your app will need specific permissions in order to function. In my example, I want my SAS program to read documents from my OneDrive, and also add new docs and update existing docs. The permissions I need are:
- Files.ReadWrite.All: Allows the app to read, create, update and delete all OneDrive files that you can access.
- User.Read: Allows you to sign in to the app with your organizational account and let the app read your profile.
- Sites.ReadWrite.All (if using SharePoint): Allows the app to read, create, update and delete SharePoint Online files for sites that you can access.
To add these to your app, click the API Permissions tab in the control center. To be clear, these are not permissions that your app will automatically have. These are the permissions that will be requested when you "sign into" the app for the first time, and that you'll have to agree to in order for the app to run.
Adding permissions that the app needs
Permission types have their own terminology that is important to understand:
-
Delegated versus Application Permissions: In our example, we are sticking to Delegated permissions, which allow the application to take actions on behalf of the signed-in user and provides access to the user's data. However, some use cases require use of Application permissions, which allow the application to take actions without a signed-in user and potentially access data across the system and different users.
-
Admin Consent Required: Some permissions cannot be delegated or granted without the approval of an administrator. This restriction permits the organization to maintain oversight of the important resources that might be accessed by the application and to prevent unauthorized uses. The Microsoft Azure Portal provides an easy way for you to submit a request to an admin, so you can get the permissions that you need. However, I recommend that you follow up (or better yet, precede this) with a formal request to your IT support staff to state what you need and your business case. In my experience, this helps to expedite the process. A good working relationship with IT is important for any SAS user!
The documentation for the Microsoft Graph API provides a comprehensive list of the permission names, whether they are Delegated or Application level, and whether Admin Consent is required. This documentation also includes a helpful 4-minute video on the topic.
Possibly required: Obtaining admin consent
We're creating an app that hooks into your enterprise productivity suite -- and that's usually the domain of IT professionals. At SAS we are a tech company with many "citizen app developers", so our IT grants us more latitude than you might find at other places. But even at SAS, "normal" employees can't just create apps and empower them with access to our data. We have a process.
Because it's a common request, our IT folks created a form that makes it easy for them to review requests for new apps in our Microsoft 365 environment. The form asks:
- Your app name (“SAS via PROC HTTP” for mine)
- Your App (client) ID
- Grant type – my instructions assume "Authorization code grant type"
- Whether you need additional Delegated API permissions: Most need 'Files.ReadWrite.All' for OneDrive, 'Sites.ReadWrite.All' for SharePoint (in addition to the default 'User.Read').
- Whether your app needs Application Permissions. (Note: Answering YES here will trigger more scrutiny.)
Creating a configuration file
There are a few app-specific values that we'll need to reference throughout the SAS programs we're writing. I decided to create a configuration file for these settings rather than hard-code them into my SAS statements. This will make it easier for other people to reuse my code in their own applications.
I created a file named config.json that looks like this (but with different tenant_id and client_id values):
{
"tenant_id": "206db638-6adb-41b9-b20c-95d8d04abcbe",
"client_id": "8fb7804a-8dfd-40d8-bf5b-d02c2cbc56f3",
"redirect_uri": "https://login.microsoftonline.com/common/oauth2/nativeclient",
"resource" : "https://graph.microsoft.com"
}
By "externalizing" the IDs specific to my account/instance, I can use SAS code to read the values at run time. Note: This code, like all of the code in this article, uses features from SAS 9.4 Maintenance 5.
/*
Set the variables that will be needed through the code
We'll need these for authorization and also for runtime
use of the service.
Reading these from a config.json file so that the values
are easy to adapt for different users or projects.
*/
%if %symexist(config_root) %then %do;
filename config "&config_root./config.json";
libname config json fileref=config;
data _null_;
set config.root;
call symputx('tenant_id',tenant_id,'G');
call symputx('client_id',client_id,'G');
call symputx('redirect_uri',redirect_uri,'G');
call symputx('resource',resource,'G');
run;
%end;
%else %do;
%put ERROR: You must define the CONFIG_ROOT macro variable.;
%end; |
Step 2: Obtain an authorization code
Now that I've defined the application, it's time to "sign into it" and grant it the permission to read and manage content in OneDrive. This step needs to be completed from a web browser while I am signed into my Microsoft 365 account. The web address is very long...but we can use a SAS program to generate it for us.
/* location of my config file */
%let config_root=/folders/myfolders/onedrive;
%include "&config_root./onedrive_config.sas";
/* Run this line to build the authorization URL */
%let authorize_url=https://login.microsoftonline.com/&tenant_id./oauth2/authorize?client_id=&client_id.%nrstr(&response_type)=code%nrstr(&redirect_uri)=&redirect_uri.%nrstr(&resource)=&resource.;
options nosource;
%put Paste this URL into your web browser:;
%put -- START -------;
%put &authorize_url;
%put ---END ---------;
options source; |
This produces these output lines in the SAS log:
Paste this URL into your web browser:
-- START -------
https://login.microsoftonline.com/206db638-6adb-41b9-b20c-95d8d04abcbe/oauth2/authorize?client_id=8fb7804a-8dfd-40d8-bf5b-d02c2cbc56
f3&response_type=code&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient&resource=https://graph.microsoft.com
---END ---------
Copy and paste the URL (all on one line, no spaces) into the address bar of your web browser. When you press Enter, you'll be prompted to grant the required permissions:
Once you click Accept, the browser will redirect to what looks like a blank page, but the URL contains the authorization code that we need:
Copy the value that appears after the code= in the URL, only up to the &session= part. It's going to be a very long string -- over 700 characters. We'll need that value for the next step.
Note: if you don't see the permissions prompt but instead see something like this:
App needs permission to access resources
Then you probably need to work with your IT support to grant consent for your app. See the section "Possibly required: Obtaining admin consent" above.
Step 3: Obtain an access token
My colleague Joseph wrote a few convenient utility macros that can help manage the access token and refresh token within your SAS session. These macros include:
- %get_token - get the initial access and refresh tokens, given an authorization code. Remember, an access token will expire in about 60 minutes. But the refresh token can be used to get a renewed access token.
- %refresh - exchange a valid refresh token for a new access token
- %process_token_file - read/update an external token file so that these values persist beyond your current SAS session.
I'm not going to walk through the macro code in this article, but the SAS programs are straightforward and well-documented. See "How to get this example code" at the end of this article.
With these macros in place, we can paste the (very long) authorization code we retrieved in the previous step into a macro variable. Then we can run the %get_token macro to generate the tokens and store them in a local file.
%let config_root=/folders/myfolders/onedrive;
%include "&config_root./onedrive_config.sas";
%include "&config_root./onedrive_macros.sas";
filename token "&config_root./token.json";
%let auth_code=AQABAAIAAAC5una0EUFgTIF8ElaxtWjTqwohjyfG; * and much more;
/*
Now that we have an authorization code we can get the access token
This step will write the tokens.json file that we can use in our
production programs.
*/
%get_token(&client_id.,&auth_code,&resource.,token,tenant=&tenant_id); |
Running this step will create a new file, token.json, in your designated config folder. Here's an screenshot of what my version looks like right now:
It's very important that you keep this file secure. With the information in this file (your refresh token) and your conf.json file (with your client ID and tenant ID), anyone can use these code techniques to impersonate you and access your Microsoft 365 data. There are techniques for storing these files such that only you can see them.
Using Microsoft 365 APIs to access OneDrive from SAS
Whew! I've spent nearly 1500 words to get this far, so thanks for sticking with me. The good news is that these steps take much longer to describe than to actually execute. Plus, creating apps is fun! (Right?)
From the screenshots I've shared, you probably already noticed that these services are working on Microsoft Azure, which is Microsoft's cloud platform for applications. For the remainder of this article, I'll be using methods from the Microsoft Graph API. This REST-based API provides access to almost all of Microsoft's hosted services. For my examples, I'll be using methods within the Files component of the API: Drives and Drive Items (folders and files).
You can explore and try the Microsoft 365 APIs with the Graph Explorer application from Microsoft. If you sign in with your own account, you can use the APIs with your own data. This is a great way to try these APIs and discover the correct methods to use before implementing them in your SAS code.
Example from a Graph Explorer session
Initializing and refreshing the access token in a new session
Now that we have the access and refresh tokens, we can get down to business with some actual OneDrive interactions. Here's how to initialize your SAS session with the tokens.
%let config_root=/folders/myfolders/onedrive;
%include "&config_root./onedrive_config.sas";
%include "&config_root./onedrive_macros.sas";
/*
Our json file that contains the oauth token information
*/
filename token "&config_root./token.json";
%process_token_file(token);
/* If this is first use for the session, we'll likely need to refresh */
/* the token. This will also call process_token_file again and update */
/* our token.json file. */
%refresh(&client_id.,&refresh_token.,&resource.,token,tenant=&tenant_id.);
/*
At this point we have a valid access token and we can start using the API.
*/ |
If all goes well, we'll have our access token, and it will be stored in a macro variable named &access_token. It's going to be another long and illegible (>700 characters) value.
(Ever hear of the "infinite monkey theorem?" That a monkey hitting a typewriter for an infinite amount of time is certain to produce a certain text, such as the complete works of Shakespeare? Well, that monkey is not going to produce this access token. Plus, who has a typewriter anymore?)
Retrieving the top-level drive identifier (OneDrive)
We'll need to explore the OneDrive system from the top-down, using code. First, we need the identifier for the root drive. It's possible for you to have multiple root drives, and if that's the case for you, you'll need to modify this code a bit. This code queries the service for your drives, and stores the identifier for just the first drive in a macro variable. We'll need that identifier later to retrieve a list of top-level items.
/*
First we need the ID of the "drive" we are going to use.
to list the drives the current user has access to you can do this
*/
filename resp TEMP;
/* Note: oauth_bearer option added in 9.4M5 */
proc http url="https://graph.microsoft.com/v1.0/me/drives/"
oauth_bearer="&access_token"
out = resp;
run;
libname jresp json fileref=resp;
/*
I only have access to 1 drive, but if you have multiple you can filter
the set with a where clause on the name value.
This creates a data set with the one record for the drive.
*/
data drive;
set jresp.value;
run;
/* store the ID value for the drive in a macro variable */
proc sql noprint;
select id into: driveId from drive;
quit; |
Note that this code uses the new OAUTH_BEARER option in PROC HTTP -- a convenient addition when working with OAuth2-compliant APIs. This is shorthand -- and more intuitive syntax -- for placing "Authorization: Bearer TOKEN-VALUE" in the HTTP headers.
Retrieving the top-level drive identifier (SharePoint Online)
The steps for SharePoint Online are nearly the same as for OneDrive, except that we need to reference the site hostname (yoursite.sharepoint.com, for example) and the /sites resource (instead of the /me/drives resource).
/* Note: oauth_bearer option added in 9.4M5 */
/* Using the /sites methods in the Microsoft Graph API */
/* May require the Sites.ReadWrite.All permission for your app */
/* Set these values per your SharePoint Online site.
Ex: https://yourcompany.sharepoint.com/sites/YourSite
breaks down to:
yourcompany.sharepoint.com -> hostname
/sites/YourSite -> sitepath
This example uses the /drive method to access the files on the
Sharepoint site -- works just like OneDrive.
API also supports a /lists method for SharePoint lists.
Use the Graph Explorer app to find the correct APIs for your purpose.
https://developer.microsoft.com/en-us/graph/graph-explorer
*/
%let hostname = yourcompany.sharepoint.com;
%let sitepath = /sites/YourSite;
proc http url="https://graph.microsoft.com/v1.0/sites/&hostname.:&sitepath.:/drive"
oauth_bearer="&access_token"
out = resp;
run;
libname jresp json fileref=resp;
/*
This creates a data set with the one record for the drive.
Need this object to get the Drive ID
*/
data drive;
set jresp.root;
run;
/* store the ID value for the drive in a macro variable */
proc sql noprint;
select id into: driveId from drive;
quit; |
Retrieve a list of top-level folders/files
With the drive identifier in hand (whether OneDrive or SharePoint), I can use the /children verb on the Microsoft Graph API to get a list of all of the top-level objects in that drive. These represent the folders and files that are at the root.
/*
To list the items in the drive, use the /children verb with the drive ID
*/
filename resp TEMP;
proc http url="https://graph.microsoft.com/v1.0/me/drives/&driveId./items/root/children"
oauth_bearer="&access_token"
out = resp;
run;
libname jresp json fileref=resp;
/* Create a data set with the top-level paths/files in the drive */
data paths;
set jresp.value;
run; |
Here's what I'm keeping in my OneDrive right now. It's not too disorganized, is it?
List the files in a particular folder
If I'm interested in exploring a particular folder, I'll need to find the folder identifier as it's known to OneDrive. Using PROC SQL and SELECT INTO, I can find the folder by its name and store its ID in another macro variable. Then, I use the /children verb again, but this time with the folder ID instead of the "root" constant.
/*
At this point, if you want to act on any of the items, you just replace "root"
with the ID of the item. So to list the items in the "SASGF" folder I have:
- find the ID for that folder
- list the items within by using the "/children" verb
*/
/* Find the ID of the folder I want */
proc sql noprint;
select id into: folderId from paths
where name="SASGF";
quit;
filename resp TEMP;
proc http url="https://graph.microsoft.com/v1.0/me/drives/&driveId./items/&folderId./children"
oauth_bearer="&access_token"
out = resp;
run;
/* This creates a data set of the items in that folder,
which might include other folders.
*/
libname jresp json fileref=resp;
data folderItems;
set jresp.value;
run; |
Here are the items from my SASGF folder. Can you tell that I don't throw anything away?
Download a file from OneDrive and import into SAS
I know that I keep a spreadsheet named "sas_tech_talks_18.xlsx" in this SASGF folder. With the /content verb, I can download the file from OneDrive and store it in the file system that is local to my SAS session. Then, I can use PROC IMPORT to read it into a SAS data set.
/*
With a list of the items in this folder, we can download
any item of interest by using the /content verb
*/
/* Find the item with a certain name */
proc sql noprint;
select id into: fileId from folderItems
where name="sas_tech_talks_18.xlsx";
quit;
filename fileout "&config_root./sas_tech_talks_18.xlsx";
proc http url="https://graph.microsoft.com/v1.0/me/drives/&driveId./items/&fileId./content"
oauth_bearer="&access_token"
out = fileout;
run;
/* Import the first sheet into a SAS data set */
proc import file=fileout
out=sasgf
dbms=xlsx replace;
run; |
Boom! I've just downloaded my data from the cloud and brought it into my SAS session.
Add a new file to OneDrive
We can build wonderful documents from SAS too, and it's important to be able to share those. By using the PUT method with the /content verb, we can copy a file from the local SAS session into a target folder on OneDrive. Most often, this will probably be an Excel spreadsheet or maybe a PDF report. (But hey, maybe it's a good opportunity to try out the new ODS WORD destination in SAS 9.4 Maint 6?)
/*
We can upload a new file to that same folder with the PUT method and /content verb
Notice the : after the folderId and the target filename
*/
/* Create a simple Excel file to upload */
%let targetFile=iris.xlsx;
filename tosave "%sysfunc(getoption(WORK))/&targetFile.";
ods excel(id=upload) file=tosave;
proc print data=sashelp.iris;
run;
ods excel(id=upload) close;
filename details temp;
proc http url="https://graph.microsoft.com/v1.0/me/drives/&driveId./items/&folderId.:/&targetFile.:/content"
method="PUT"
in=tosave
out=details
oauth_bearer="&access_token";
run;
/*
This returns a json response that describes the item uploaded.
This step pulls out the main file attributes from that response.
*/
libname attrs json fileref=details;
data newfileDetails (keep=filename createdDate modifiedDate filesize);
length filename $ 100 createdDate 8 modifiedDate 8 filesize 8;
set attrs.root;
filename = name;
modifiedDate = input(lastModifiedDateTime,anydtdtm.);
createdDate = input(createdDateTime,anydtdtm.);
format createdDate datetime20. modifiedDate datetime20.;
filesize = size;
run; |
Replace/update a file in OneDrive
If you want to replace an existing file, then you'll want to perform the additional step of retrieving the unique ID for that file from OneDrive. When you PUT the new version of the file into place, its history and sharing properties should remain intact. Here is my code for navigating the folder/file structure in my OneDrive and finally replacing an existing file.
/*
If you want to replace a file instead of making a new file
then you need to upload it with the existing file ID. If you
don't replace it with the existing ID, some sharing properties
and history could be lost.
*/
/* Create a simple Excel file to upload */
%let targetFile=iris.xlsx;
filename tosave "%sysfunc(getoption(WORK))/&targetFile.";
ods excel(id=upload) file=tosave;
proc print data=sashelp.iris;
run;
ods excel(id=upload) close;
/* Navigate the folder and file IDs from my OneDrive */
proc sql noprint;
select id into: folderId from paths
where name="SASGF";
quit;
proc http url="https://graph.microsoft.com/v1.0/me/drives/&driveId./items/&folderId./children"
oauth_bearer="&access_token"
out = resp;
run;
libname jresp json fileref=resp;
data folderItems;
set jresp.value;
run;
/* Find the ID of the existing file */
proc sql noprint;
select id into: fileId from folderItems
where name="iris.xlsx";
quit;
libname attrs json fileref=details;
proc http url="https://graph.microsoft.com/v1.0/me/drives/&driveId./items/&fileId./content"
method="PUT"
in=tosave
out=details
oauth_bearer="&access_token";
run; |
As you can see from my OneDrive history for this file, I've tested this program a few times -- resulting in 23 revisions of this file in its history!
How to get this example code
You can find the source files for these examples on GitHub.
I've organized this code into 5 different files in order to make it easy to reuse:
- onedrive_config.sas - read the fields from the conf.json and set them as global macro variables. This includes your client_id and tenant_id.
- onedrive_setup.sas - the SAS statements that represent code you will need to run just once to get your authorization code and first access code.
- onedrive_macros.sas - three utility macros that help you to create, refresh, and manage your access token and refresh token in your token.json file
- onedrive_example_use.sas - sample SAS steps that I used in this article. They won't quite work for you as-is, since you don't have the same files that I do. (Unless you do have the same files, in which case...creepy.) My hope is that you can read and adapt them for your own content.
- onedrive_sharepoint_example.sas - sample SAS steps for reading and writing files with SharePoint Online. The basic steps are the same as for OneDrive, except that you use the /sites resource instead of the OneDrive-specific methods.
I also included a template for the conf.json file, with obvious placeholders for the client_id and tenant_id that you'll substitute with your own values. You'll also need to change the statements that define &CONFIG_LOC -- the location of your configuration directory where you're storing these files. I developed these examples in SAS University Edition -- yes, this works there! I also ran the code from my full SAS environment via SAS Enterprise Guide.
More about using REST APIs from SAS
This has been a monster article -- in terms of its length. But I hope it's clear enough to follow and has sufficient detail for you to try this on your own. If you have questions, post in the comments.
I've published a number of other articles about using REST APIs from SAS -- it's one of my favorite things to do. Check out:
The post Using SAS with Microsoft 365 (OneDrive, Teams, and SharePoint) appeared first on The SAS Dummy.
