Is it possible to use the Microsoft Graph API to access a user's OneDrive for Business folders and files when running in app-mode?
I've successfully configured the app in Azure AD (with certificate, etc.), I've been able to get a bearer token and I've also successfully requested data from certain endpoints. However, I am not able to work with the user's OneDrive for Business folders or files.
In other cases I’ve been using a service account (a user account with full administrative privileges) to perform CRUD operations on folders and files in the users' OneDrives, but this requires me to check (and set) permissions on all folders and files before any CRUD operation and also exposes the service account to the users in file and folder permission settings. With the Graph API in app-mode I assume that all these issues go away?
I have some examples of what works and, more importantly, some that don’t:
graph.microsoft.com/v1.0/users
Returns a list of users without issues.
graph.microsoft.com/v1.0/users/UPN-PLACEHOLDER
Returns information about the specified user without issues.
graph.microsoft.com/v1.0/users/UPN-PLACEHOLDER/drive
Returns information about the specified user's drive without issues.
graph.microsoft.com/v1.0/users/UPN-PLACEHOLDER/drive/root
Returns information about the specified user's drive root without issues.
graph.microsoft.com/v1.0/users/UPN-PLACEHOLDER/drive/root/children
Does not return information about the specified user's drive root children as expected.
graph.microsoft.com/v1.0/drives/UPN-PLACEHOLDER/root/children
Does not return information about the specified user's drive root children as expected.
graph.microsoft.com/v1.0/drives/DRIVE-ID-PLACEHOLDER/root/children
Does not return information about the specified user's drive root children as expected.
Other notes:
The reason you can't do this is that we don't yet expose any app-only permissions to access OneDrive files. This is something we are working on and hope to expose very soon. Please stay tuned to our blog posts where we'll let folks know when this capability is added.
Hope this helps,
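A check that can be run on the bearer token from the question, as an added example that is not part of the original question or answer: it decodes the token payload for inspection only (no signature verification) and reports which permissions the token carries, which shows why the user endpoints succeed while the drive children calls do not. The function names, the `Files.` prefix and the sample permission values are assumptions constructed for illustration.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(token: str) -> dict:
    """Decode the payload of a compact JWT for inspection only (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated parts)")
    return json.loads(b64url_decode(parts[1]))


def describe_access(token: str, needed_prefix: str = "Files.") -> dict:
    """Summarise which permissions a Graph access token carries.

    App-only tokens list application permissions in the 'roles' claim;
    delegated tokens list scopes in the space-separated 'scp' claim.
    needed_prefix is an assumption about how a file permission is named.
    """
    claims = token_claims(token)
    roles = claims.get("roles", [])
    scopes = claims.get("scp", "").split()
    mode = "app-only" if roles and not scopes else "delegated" if scopes else "none"
    granted = roles if mode == "app-only" else scopes
    return {
        "mode": mode,
        "granted": sorted(granted),
        "has_needed": any(p.startswith(needed_prefix) for p in granted),
    }


def constructed_token(payload: dict) -> str:
    # Builds an unsigned sample token (constructed data) so the example runs offline.
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}.sig"


if __name__ == "__main__":
    # Constructed app-only payload: directory permissions only, nothing for files.
    sample = constructed_token({"aud": "https://graph.microsoft.com",
                                "roles": ["User.Read.All", "Directory.Read.All"]})
    print(describe_access(sample))
```

Treat the decoded claims as diagnostic output only; authorization decisions must rely on a token whose signature has been validated.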