0

I am trying to share a file from OneDrive using Microsoft Graph API and then allow another user to download it. However, when I attempt to download the file using the shared link, I receive a 403 Access Denied error.

User 1 creates a share link using:

POST https://graph.microsoft.com/v1.0/me/drive/items/{ItemId}/createLink
Authorization: Bearer {accessToken}
Content-Type: application/json

Request Body:

{
    "type": "edit", 
    "scope": "anonymous"
}

Result:

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#microsoft.graph.permission",
    "id": "Id",
    "roles": [
        "write"
    ],
    "shareId": "ShareID",
    "hasPassword": false,
    "link": {
        "scope": "anonymous",
        "type": "edit",
        "webUrl": "ShareUrl",
        "preventsDownload": false
    }
}

now as user 2 was trying to download the link with 
https://graph.microsoft.com/v1.0/shares/ShareID/driveItem/content
it returned
{
    "error": {
        "code": "accessDenied",
        "message": "Access denied"
    }
}

Troubleshooting done so far:

  • Verified that the access token is valid and contains All permissions
  • Confirmed that the file is accessible via the web browser when using webUrl from the createLink response
  • Tried creating the link with "scope": "anonymous" and "scope": "organization" (both resulted in the same issue)
  • Encoded the share URL as per Microsoft documentation
  • Used both delegated and application permissions, but the issue persists

Is there any permissions missing here I have given access to all Files.ReadWrite, Files.Read.All, Files.ReadWrite.All, Sites.Read.All, Sites.ReadWrite.All in my azure.Portal. Is there any new API needed for this to work? Also I tried with the organization as Scope as both user comes under the same organization. Both users are Delegated Users.

Link For Downloading the shared File

Permissions needed in the download api

this is the permissions required in the download Api

now i will also include the Azure portal permisiion for my applications this has permisiions involving files

this has permisiions involoving sites

Improve this question
10
  • Could you pls share the screenshot of your API permission blade and edit the question? Commented Jan 31 at 5:13
  • I have updated the question with the required permissions ,I am new to this Graph api concept and this is my first question as well . Commented Feb 3 at 6:32
  • Could you pls confirm which license does User-2 had means Office 365 E3 license or Office 365 E5 license? Commented Feb 3 at 7:08
  • i contacted My admin and found out that the User2 has M365 business basic license Commented Feb 4 at 5:17
  • 1
    The approach mentioned above is working; I tested it with Postman. Now, I'll check its compatibility with my enterprise software. Commented Feb 6 at 9:50

2 Answers 2

Reset to default
0

"error": { "code": "accessDenied", "message": "Access denied" }

This error message occurs because of User 2 is trying to download the file using /shares/{ShareID}/driveItem/content endpoint and you generated anonymous sharing link which allow access to anyone without needing to sign-in this may also include people outside of your organization also and which is meant for browser-based (webUrl) authentication not for API access.

NOTE: The Microsoft Graph API doesnot allow API based access to files which are shared via anonymous links.

Registered Single-Tenant Microsoft Entra ID Application, Added and granted delegated type Files.ReadWrite.All API permission:

enter image description here

Generated access token using authorization_code flow using below parameters:

Firstly, To get code, I ran below authorization request in browser:


https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/authorize? 
&client_id=<app_id>
&client_secret = <client_secret>
&redirect_uri= https://jwt.ms
&response_type=code  
&response_mode=query  
&scope=https://graph.microsoft.com/.default

enter image description here

POST https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token 
client_id=<app_id>
client_secret = <client_secret>
redirect_uri= https://jwt.ms
code=<code which generated from browser>
scope= https://graph.microsoft.com/.default
grant_type = authorization_code

enter image description here

Now, Created shared link:

POST https://graph.microsoft.com/v1.0/me/drive/items/{ItemId}/createLink
Authorization: Bearer {accessToken}
Content-Type: application/json

Body:JSON

{
    "type": "edit", 
    "scope": "anonymous"
}

enter image description here

  1. To allow User 2 to download the file use direct webUrl method .

Share that generated webUrl with User 2 and ask to paste it on browser:

enter image description here

  1. Use below endpoint and share @microsoft.graph.downloadUrl:
Authorization: Bearer {accessToken}
Content-Type: application/json

GET   https://graph.microsoft.com/v1.0/shares/ShareID/driveItem

enter image description here

References:

sharingLink Resource

download DriveItem Content

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

I found a solution, involving User 2 is Given permission fom User 1 to the File by

Invite

https://graph.microsoft.com/v1.0/me/drive/items/<itemid>/invite
Body:JSON
{
  "recipients": [
    {
      "email": "Mail Of User 2"
    }
  ],
  "message": "Here's the file that we're collaborating on.",
  "requireSignIn": true,
  "sendInvitation": false,
  "roles": [ "write" ]
}

With this, User2 can download the file at any time without worrying about expiration. using
GET /shares/{shareIdOrEncodedSharingUrl}/driveItem/content https://graph.microsoft.com/v1.0/shares/{shareid}/driveItem/content
this will download the file as user 2 was given permission to the file

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.