0
votes

Is it possible for a daemon app (app only, no authenticated user) to access SharePoint Online content via the Microsoft Graph API? If not, what are my options?

I tried:

https://graph.microsoft.com/v1.0/drives/<id>

But got access denied.

Accessing drive in Office 365 Groups works via:

https://graph.microsoft.com/v1.0/groups/<id>/drive

This is how I retrieve the authorization token:

https://login.microsoftonline.com/<tenant id>/oauth2/token
resource=https://graph.microsoft.com
grant_type=client_credentials
client_id=<client id>
client_secret=<client secret>

2 Answers

0
votes

The reason that you can read the group files is that the app-only token has the Group.Read.All role. There is no such app-only scope like Files.Read.All that permits the app to read all the files on the SharePoint Online site.

At present, the Microsoft Graph API only supports getting the files belonging to the user himself/herself, or the files others have shared with him/her, using a delegated token.

If you want the app to get the files without a user logging in, a possible workaround is to get the access token and refresh token manually the first time and save them in the app. Then you can call the REST API with the access token, and renew the access token/refresh token when it expires.

You may submit feedback from here if you require this feature.
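The following is an added example, not code from the question or either answer. It performs the client_credentials request exactly as the question shows it (v1 endpoint, `resource=https://graph.microsoft.com`), then adds the two checks the first answer's explanation calls for: decoding the token's `roles` claim, where the app-only permissions such as Group.Read.All appear, and reporting Graph's error code next to those roles when a call such as `/drives/<id>` comes back 403. The `transport` parameter is an assumption of this example so the flow can run offline; the `fake_transport`, the unsigned JWT and the JSON bodies in `demo()` are constructed stand-ins for Azure AD and Graph, not real responses.

```python
"""Added example: app-only (client_credentials) token request to Azure AD v1
endpoint, inspection of the token's `roles` claim, and a Graph GET that
explains an accessDenied result.  All network I/O goes through an injectable
`transport(url, data=None, headers=None) -> (status, body)` callable."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# v1 token endpoint and parameters as shown in the question
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"
GRAPH = "https://graph.microsoft.com/v1.0"


def http_transport(url, data=None, headers=None):
    """Live transport: POST when `data` is given, GET otherwise; returns (status, body)."""
    req = urllib.request.Request(url, data=data, headers=headers or {})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:  # 4xx/5xx bodies carry the JSON error we want
        return e.code, e.read().decode()


def build_token_request(tenant, client_id, client_secret):
    """URL and form body of the client_credentials request from the question."""
    form = {"resource": "https://graph.microsoft.com", "grant_type": "client_credentials",
            "client_id": client_id, "client_secret": client_secret}
    return TOKEN_URL.format(tenant=tenant), urllib.parse.urlencode(form).encode()


def get_app_token(tenant, client_id, client_secret, transport=http_transport):
    url, body = build_token_request(tenant, client_id, client_secret)
    status, text = transport(url, data=body,
                             headers={"Content-Type": "application/x-www-form-urlencoded"})
    payload = json.loads(text)
    if status != 200 or "access_token" not in payload:
        raise RuntimeError(f"token request failed: {payload.get('error')} "
                           f"{payload.get('error_description')}")
    return payload["access_token"]


def app_roles(access_token):
    """Application permissions granted to an app-only token are listed in its
    `roles` claim.  Decoded without signature verification, purely to inspect
    what the app was granted; never use this to trust a token."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    raw = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return sorted(json.loads(base64.urlsafe_b64decode(raw)).get("roles", []))


def graph_get(access_token, path, transport=http_transport):
    """GET a Graph path; on 401/403 report Graph's error code together with the
    roles the token actually carries, the first thing to compare against the
    Application Permissions granted (and admin-consented) for the app."""
    status, text = transport(GRAPH + path,
                             headers={"Authorization": "Bearer " + access_token})
    payload = json.loads(text) if text else {}
    if status == 200:
        return payload
    err = payload.get("error", {})
    msg = (f"{status} {err.get('code')}: {err.get('message')} "
           f"(token roles={app_roles(access_token)})")
    if status in (401, 403):
        raise PermissionError(msg)
    raise RuntimeError(msg)


# ---- constructed offline demo: a fake Azure AD / Graph mimicking the question ----
def _fake_jwt(claims):
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"  # unsigned, for the demo only


FAKE_TOKEN = _fake_jwt({"aud": "https://graph.microsoft.com", "appid": "<client id>",
                        "roles": ["Group.Read.All"]})


def fake_transport(url, data=None, headers=None):
    if url.startswith("https://login.microsoftonline.com/") and data is not None:
        return 200, json.dumps({"token_type": "Bearer", "access_token": FAKE_TOKEN})
    if "/groups/" in url and url.endswith("/drive"):
        return 200, json.dumps({"id": "b!constructed", "driveType": "documentLibrary"})
    if "/drives/" in url:
        return 403, json.dumps({"error": {"code": "accessDenied", "message": "Access denied"}})
    return 404, json.dumps({"error": {"code": "itemNotFound", "message": "not found"}})


def demo():
    token = get_app_token("<tenant id>", "<client id>", "<client secret>", fake_transport)
    group_drive = graph_get(token, "/groups/<id>/drive", fake_transport)
    try:
        graph_get(token, "/drives/<id>", fake_transport)
        denied = None
    except PermissionError as e:
        denied = str(e)
    return {"roles": app_roles(token), "group_drive": group_drive, "denied": denied}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Swap `fake_transport` for the default `http_transport` to run it against a real tenant; the `denied` message then shows side by side what Graph refused and which roles the token was actually issued with, which is what to compare against the app's Application Permissions.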

0
votes

Have you checked Build service and daemon apps in Office 365? The basic idea is to create an Azure AD App and use an App-only token. The following is a summary of the steps:

  • Create your Azure AD App
  • Create a certificate to secure your token request process. You need to update the certificate information in the Azure AD App manifest file.
  • Configure the Azure AD App to allow certain permissions under the "Application Permissions" list.

By using an App-only token, your application can act on behalf of other users inside your Azure AD. You can call https://graph.microsoft.com/v1.0/{user's UPN or ID}/drive/root/children to get that user's files via the Graph API. I have tried this approach to access content inside SharePoint lists and document libraries. When I updated a list item or documents, the "Modified By" was shown as that Azure AD App's name. I also used the same approach to access Outlook to send email on behalf of a service account. For details, please refer to Send email on behalf of a service account using Office Graph API

I hope it helps; let me know if you have questions about app-only token configuration.