5
votes

I'm trying to download files from OneDrive using the Microsoft Graph. I'm currently in the testing phase and have not yet written any code.

Here is what I did so far:

  1. Created and registered an app through https://apps.dev.microsoft.com
  2. Generated a secret, enabled implicit flow
  3. Provided it with the following list of Microsoft Graph Permissions:

    Delegated: Files.ReadWrite.All, offline_access, Group.ReadWrite.All, Directory.ReadWrite.All, User.ReadWrite.All

    Application: Directory.ReadWrite.All, Files.ReadWrite.All, Group.ReadWrite.All, User.ReadWrite.All

  4. Used the code flow with a scope of offline_access and Files.ReadWrite.All, got a code and then a token.

  5. Using this token to download a file via /me/drive works well (/v1.0/me/drive/items/itemid/content), but when I try to download or just query other users I get back the error of insufficient privileges.

Calling https://graph.microsoft.com/v1.0/users gets the response:

{
  "error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
      "request-id": "cee06586-12af-4768-9135-b9709d7ecb5d",
      "date": "2018-05-29T14:45:48"
    }
  }
}

The same happens when I add a user Id. When I ask to get the user's device I get a "not found" response.

I saw some answers to similar questions saying that I should add permissions to my app to Azure Active Directory via the Azure portal, but my app is listed only in the "Enterprise applications" section and I don't see it in the "App registrations" section where I could add permissions. In the Enterprise applications section I'm unable to add any permissions, only search.

Note: my user id is the global admin in the Azure portal. This user also is the user that created and owns the application.

Any idea what I may be missing here?

Thanks

Edit:

I was able to make some progress, I tried to create the app via the Azure portal and not the applications portal. Now it shows in the app registration page so I was able to add permissions to it.

So now I'm able to view all the users, but still, when I try to view their drive I get the "not found" response:

Calling https://graph.microsoft.com/v1.0/users/userid/drive returns the response:

{
  "error": {
    "code": "itemNotFound",
    "message": "The resource could not be found.",
    "innerError": {
      "request-id": "ec6ed197-15ea-498a-80d0-e2a9f832a0b9",
      "date": "2018-05-29T15:49:18"
    }
  }
}
2
Can your user access other people's drives? The token you get via the authorization code flow is app+user, meaning the app and user must both have access to a resource to get access. – juunas
You can also double-check that the access token contains the necessary scopes at jwt.ms, though the /me/drive call should fail if the scopes were not valid. – juunas
@juunas - My user is the global admin, so it should be able to access other people's drives, as far as I understand. How can I check? – Shira Ben-Dor
Right, that is pretty odd. You can try using the Graph Explorer at graph.microsoft.io – juunas
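The comments above suggest pasting the access token into jwt.ms to see which scopes it carries. The script below is an added example (not code from the asker or the commenters) that performs the same inspection locally: it decodes the payload of a Graph access token without verifying it, reports whether the token is delegated (app+user, permissions in the `scp` claim) or app-only (client credentials, permissions in the `roles` claim), and checks it against the permissions this page names for `/users` and `/me/drive`. The two sample tokens are constructed and unsigned, and the `REQUIRED` table and function names are my own; a real token is signed and must not be trusted by the client just because it decodes.

```python
import base64
import json

# Microsoft Graph's audience as it appears in the `aud` claim (URL or app id).
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}

# Permissions that satisfy the calls discussed on this page. From the answer:
# /users needs at least User.ReadBasic.All or User.Read.All (ReadWrite implies Read).
REQUIRED = {
    "/users": {"User.ReadBasic.All", "User.Read.All", "User.ReadWrite.All"},
    "/me/drive": {"Files.Read", "Files.ReadWrite", "Files.Read.All", "Files.ReadWrite.All"},
}


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token):
    """Payload claims of a JWT, WITHOUT signature verification.

    Inspection only (what jwt.ms shows). A Graph access token is addressed to
    Microsoft Graph, not to the client, so never base an authorization
    decision in your own code on these claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def token_kind(claims):
    """('delegated', perms) for app+user tokens (space-separated scopes in `scp`),
    ('app-only', perms) for client-credentials tokens (app roles in `roles`)."""
    if "scp" in claims:
        return "delegated", set(claims["scp"].split())
    if "roles" in claims:
        return "app-only", set(claims["roles"])
    return "unknown", set()


def is_for_graph(claims):
    return claims.get("aud") in GRAPH_AUDIENCES


def can_call(claims, endpoint):
    """True if the token holds any one permission that satisfies the endpoint.
    For a delegated token Graph additionally checks the user's own rights."""
    _, granted = token_kind(claims)
    return is_for_graph(claims) and bool(granted & REQUIRED[endpoint])


def report(token):
    claims = decode_claims(token)
    kind, granted = token_kind(claims)
    lines = [f"kind={kind} aud={claims.get('aud')} perms={sorted(granted)}"]
    for ep, needed in REQUIRED.items():
        status = "ok" if can_call(claims, ep) else "missing one of " + " | ".join(sorted(needed))
        lines.append(f"  {ep}: {status}")
    return "\n".join(lines)


# ---- constructed sample tokens (unsigned; real ones carry an RSA signature) --
def _unsigned(claims):
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT', 'alg': 'none'})}.{enc(claims)}.constructed-signature"


# Mirrors the question: code flow requesting Files.ReadWrite.All only -> `scp`, no User.*
DELEGATED_TOKEN = _unsigned({"aud": "https://graph.microsoft.com", "tid": "constructed-tenant",
                             "upn": "admin@contoso.example", "scp": "Files.ReadWrite.All"})
# Mirrors the eventual fix: client credentials -> `roles` from the application permissions
APP_ONLY_TOKEN = _unsigned({"aud": "https://graph.microsoft.com", "tid": "constructed-tenant",
                            "roles": ["Files.ReadWrite.All", "User.ReadWrite.All",
                                      "Directory.ReadWrite.All", "Group.ReadWrite.All"]})

if __name__ == "__main__":
    print(report(DELEGATED_TOKEN))
    print(report(APP_ONLY_TOKEN))
```

Running it shows the delegated token passing the `/me/drive` check but failing `/users`, which matches the Authorization_RequestDenied seen in the question, while the app-only token passes both.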

2 Answers

1
votes

Calling /users requires that you have at least the User.ReadBasic.All or User.Read.All permission. Since you've only requested Files.ReadWrite.All, you do not have sufficient access to view other users' profiles.

Try again using the scope:

User.Read.All+Files.ReadWrite.All+offline_access
0
votes

OK, I managed to resolve this by requesting the token without a user: https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service. It now has all the required privileges and I'm able to download any file that I need. Thanks to Marc and Juunas for helping me with this.
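The answer above switches to an app-only token obtained with the client credentials flow described on the linked auth_v2_service page. Below is an added Python example, not the asker's code, of that exchange end to end: the token request against the v2.0 endpoint with scope `https://graph.microsoft.com/.default`, a download through `/users/{id}/drive/items/{id}/content` (there is no `/me` for a token without a signed-in user), and handling of the 302 redirect that `/content` returns without forwarding the bearer token to the download host. The HTTP transport is injectable so the block runs offline against a constructed stand-in (`fake_http`); the tenant, client, user and item identifiers are placeholders. The caveat a practitioner wants here: an application permission such as Files.ReadWrite.All is not scoped to whoever runs the code, it reaches every user's drive in the tenant, so request the least that works (Files.Read.All is enough to download) and treat the client secret as a tenant-wide credential. Application permissions also need admin consent, which the asker, as global admin, was in a position to grant.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


class GraphError(Exception):
    """Carries the fields Graph puts in its error body (code, message, request-id)."""
    def __init__(self, status, code, message, request_id):
        super().__init__(f"{status} {code}: {message} (request-id {request_id})")
        self.status, self.code, self.request_id = status, code, request_id


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # hand 3xx back to the caller instead of following it blindly


_OPENER = urllib.request.build_opener(_NoRedirect)


def http_urllib(method, url, headers=None, body=None):
    """Real transport: (status, response headers, body). Swappable for tests."""
    req = urllib.request.Request(url, data=body, headers=headers or {}, method=method)
    try:
        with _OPENER.open(req) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as e:  # 3xx/4xx/5xx all land here
        return e.code, dict(e.headers), e.read()


def build_token_request(tenant_id, client_id, client_secret):
    """Client-credentials request on the v2.0 endpoint: no user signs in.
    `.default` asks for every *application* permission an admin has consented
    to for the app, so the token carries `roles`, not `scp`."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {"client_id": client_id, "client_secret": client_secret,
            "scope": "https://graph.microsoft.com/.default",
            "grant_type": "client_credentials"}
    return url, body


def acquire_app_token(tenant_id, client_id, client_secret, http=http_urllib):
    url, body = build_token_request(tenant_id, client_id, client_secret)
    status, _, raw = http("POST", url, {"Content-Type": "application/x-www-form-urlencoded"},
                          urllib.parse.urlencode(body).encode())
    payload = json.loads(raw)
    if status != 200:
        raise RuntimeError(f"token request failed: {payload.get('error')}: "
                           f"{payload.get('error_description')}")
    return payload["access_token"]


def download_user_item(token, user_id, item_id, http=http_urllib):
    """An app-only token has no signed-in user, so /me means nothing to Graph;
    address the drive by user id instead."""
    url = (f"{GRAPH}/users/{urllib.parse.quote(user_id)}"
           f"/drive/items/{urllib.parse.quote(item_id)}/content")
    status, hdrs, raw = http("GET", url, {"Authorization": f"Bearer {token}"})
    if status == 302:
        # /content redirects to a short-lived, pre-authenticated download URL.
        # Fetch it WITHOUT the bearer header so the Graph token never reaches another host.
        location = hdrs.get("Location") or hdrs.get("location")
        status, _, raw = http("GET", location, {})
    if status == 200:
        return raw
    err = json.loads(raw).get("error", {})
    raise GraphError(status, err.get("code"), err.get("message"),
                     err.get("innerError", {}).get("request-id"))


# ---- constructed stand-in for the token and Graph endpoints (offline demo) ---
FAKE_USER, FAKE_ITEM = "2b5f8c7e-0000-4000-8000-000000000001", "01ABCDEF"
FAKE_SECRET, FAKE_TOKEN = "s3cret", "app-only.token.constructed"
FAKE_DOWNLOAD = "https://contoso.example/download/01ABCDEF?tempauth=x"
FAKE_BYTES = b"contents of the user's file (constructed)"


def fake_http(method, url, headers=None, body=None):
    headers = headers or {}
    if method == "POST" and url.endswith("/oauth2/v2.0/token"):
        form = urllib.parse.parse_qs(body.decode())
        if form.get("grant_type") == ["client_credentials"] and form.get("client_secret") == [FAKE_SECRET]:
            return 200, {}, json.dumps({"access_token": FAKE_TOKEN}).encode()
        return 401, {}, json.dumps({"error": "invalid_client",
                                    "error_description": "constructed: bad secret"}).encode()
    if url == FAKE_DOWNLOAD:  # the download host must never see the Graph token
        assert "Authorization" not in headers, "bearer token leaked to download host"
        return 200, {}, FAKE_BYTES
    if headers.get("Authorization") != f"Bearer {FAKE_TOKEN}":
        return 401, {}, json.dumps({"error": {"code": "InvalidAuthenticationToken",
                                              "message": "constructed: bad token"}}).encode()
    if url == f"{GRAPH}/users/{FAKE_USER}/drive/items/{FAKE_ITEM}/content":
        return 302, {"Location": FAKE_DOWNLOAD}, b""
    return 404, {}, json.dumps({"error": {"code": "itemNotFound",
                                          "message": "The resource could not be found.",
                                          "innerError": {"request-id": "constructed-0001"}}}).encode()


if __name__ == "__main__":
    tok = acquire_app_token("tenant-id", "client-id", FAKE_SECRET, http=fake_http)
    print(download_user_item(tok, FAKE_USER, FAKE_ITEM, http=fake_http))
```

Against the real service, drop the `http=fake_http` arguments and pass your tenant id, application (client) id and secret; an `itemNotFound` for an unknown item surfaces as `GraphError` with the request-id Graph returns, which is the value to quote when opening a support case.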