How to authenticate to personal OneDrive with Graph REST API

1
votes

I'm trying to write an R package to let users access the files in their OneDrive folders from R. The API is Microsoft Graph.

Everything is working fine with OneDrive for Business (which is basically SharePoint under the hood, as I understand it). However, I can't get it to work with personal OneDrive.

Custom app registration, consumers authorization endpoint

When I use an app registration under my own AAD tenant, I get the following error from the consumers AAD authorization endpoint:

AADSTS50020: User account '[email protected]' from identity provider 'live.com' does not exist in tenant 'Consumers' and cannot access the application 'd44a05d5-c6a5-4bbb-82d2-443123722380'(AzureRtest_cli) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

Custom app registration, 9188040d-6c67-4c5b-b112-36a304b66dad endpoint

From this page it appears that the token should be for the tenant 9188040d-6c67-4c5b-b112-36a304b66dad instead of the generic consumers. When I tried that, I obtained a seemingly valid token. However, talking to the https://api.onedrive.com/v1.0/drive endpoint results in a cryptic 401 error.

Azure CLI app registration, consumers endpoint

As a hack, I tried piggybacking off the Azure CLI's app registration. This fails with

AADSTS65002: Consent between first party application '04b07795-8ddb-461a-bbee-02f9e1bf7b46' and first party resource '00000003-0000-0000-c000-000000000000' must be configured via preauthorization. Visit https://identitydocs.azurewebsites.net/static/aad/preauthorization.html for details

Azure CLI app registration, 9188040d-6c67-4c5b-b112-36a304b66dad endpoint

Finally, I tried using the CLI app registration with this tenant, which also failed:

unauthorized_client: The client does not exist or is not enabled for consumers. If you are the application developer, configure a new application through the App Registrations in the Azure Portal at https://go.microsoft.com/fwlink/?linkid=2083908.

What are the exact steps I need to do to get to my personal OneDrive?

1
azure-active-directorymicrosoft-graph-apionedrive
Looks like it doesn't treat your account as a personal account. Please share your request of acquiring the access token by calling consumers authorization endpoint.Allen Wu
@AllenWu Ah, I see I had a bug in my code; I was using 'consumers.onmicrosoft.com' instead of 'consumers'. It works nowHong Ooi
@AllenWu Just to confirm, I should talk to graph.microsoft.com to get to my personal Onedrive, not api.onedrive.com?Hong Ooi
Yes. You should call talk to graph.microsoft.com because the access token is for Microsoft Graph rather than api.onedrive.com. You have solved this issue right? Can you post an answer to help others?Allen Wu

1 Answers

0
votes

It turns out I had a bug in my code: I was using the tenant consumers.onmicrosoft.com instead of consumers. The process to communicate with Graph for personal OneDrive that worked for me was:

  • Use the authorization code flow as described here, with the following specs:
    • tenant: consumers
    • client id: for my custom app registration
    • scope: https://graph.microsoft.com/{scope} offline_access openid where the scope is one of those listed here
  • Use the API endpoint https://graph.microsoft.com/v1.0.

With regard to that last point, note that the documentation here is incorrect or at least outdated, as it still gives https://api.onedrive.com/v1.0 as the endpoint for personal OneDrive requests.