
Microsoft Graph API, how to read write Groups File Share as Guest Account from another domain?


I have two domains and one account under each domain, "user1@aaa.com" and "user2@bbb.com".

  • user1@aaa.com creates an Office365 Group "SharedGroup",
  • user2@bbb.com is invited to the "SharedGroup" across domains as a Guest User,
  • user2@bbb.com receives the email that it has joined the "SharedGroup" and is able to access any of the shared files in the group via the SharePoint web UI https://aaa.sharepoint.com/sites/...

As user1@aaa.com, the Microsoft Graph API can read/write files under "SharedGroup" just as the API doc says.

However, as user2@bbb.com, accessing "SharedGroup" using the following API

https://graph.microsoft.com/v1.0/groups/<group id>/drive/root/children

(I got the Group ID by logging in as user1@aaa.com)

returns an unauthenticated error, with the URI correctly returned:

{
    "error": {
        "code": "unauthenticated",
        "message": "Invalid audience Uri 'https://aaa.sharepoint.com/'.",
        "innerError": {
            "request-id": "5f1c1e32-fce1-4bb8-986a-92067cdd32d9",
            "date": "2018-10-29T22:47:13"
        }
    }
}

How do I read/write shared files from Groups as a Guest Account from another domain using the Graph API? Or any API?


Solution

  • Can you include your authentication code? I'd guess you're authenticating against the /common endpoint instead of a tenanted endpoint, but guests need to be authenticated against the tenanted endpoint in order to access resources in the tenant they've been invited to.
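
The difference between the /common and tenanted endpoints mentioned in the answer, as an added example that is not code from the original post: it builds the authorization URL against the inviting tenant and checks which tenant issued a token by reading its tid claim. The tenant IDs, client ID, redirect URI and sample tokens are constructed placeholders, and the function names are hypothetical.

```python
import base64
import json
from urllib.parse import quote, urlencode

AUTHORITY_HOST = "https://login.microsoftonline.com"
# Aliases that sign a user in to their home tenant, not a tenant they are a guest in.
HOME_TENANT_ALIASES = {"common", "organizations", "consumers"}

AAA_TENANT_ID = "aaaaaaaa-0000-0000-0000-000000000001"  # constructed placeholder (inviting tenant)
BBB_TENANT_ID = "bbbbbbbb-0000-0000-0000-000000000002"  # constructed placeholder (guest's home tenant)


def authorize_url(tenant, client_id, redirect_uri, scopes):
    """Build a v2.0 authorization-code URL pinned to the inviting tenant."""
    if tenant.lower() in HOME_TENANT_ALIASES:
        raise ValueError(f"'{tenant}' is not tenanted; use the inviting tenant's ID or domain")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
    }
    return f"{AUTHORITY_HOST}/{tenant}/oauth2/v2.0/authorize?{urlencode(params, quote_via=quote)}"


def token_claims(access_token):
    """Decode the JWT payload for diagnostics only; the signature is NOT verified."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def issued_by_tenant(access_token, resource_tenant_id):
    """True when the token's tid claim is the tenant that owns the group."""
    return token_claims(access_token).get("tid", "").lower() == resource_tenant_id.lower()


def make_sample_token(claims):
    """Constructed, unsigned token used only to exercise the check offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"


if __name__ == "__main__":
    print(authorize_url(AAA_TENANT_ID, "<client id>", "http://localhost/cb", ["Files.ReadWrite.All"]))
    via_common = make_sample_token({"tid": BBB_TENANT_ID})  # what a /common sign-in yields for the guest
    print(issued_by_tenant(via_common, AAA_TENANT_ID))
```

A token whose tid is the guest's home tenant was obtained through a home-tenant authority and will not be accepted for the inviting tenant's group drive.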