Guys I am at my wits' end! I am trying to access a shared folder but am getting the error:

Fatal error: Uncaught GuzzleHttp\Exception\ClientException: Client error: `GET https://graph.microsoft.com/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL2YvcyFBdHVBTV9OYWN3VmFoaUZwdU1HU19CaVFDd1d1/root?expand=children` resulted in a `403 Forbidden` response:
{"error":{"code":"accessDenied","message":"The sharing link no longer exists, or you do not have permission to access it.","innerError":{"date":"2023-10-11T05:01:49","request-id":"27bd1fc1-74f8-4d8d-9a43-41a3aa6a9f02","client-request-id":"27bd1fc1-74f8-4d8d-9a43-41a3aa6a9f02"}}}
The share is taken from this StackOverflow question; if you click on the link it is very shareable and can be accessed via a browser, so it does exist and there is no question of lack of access, just that my application is for some reason being denied.

Normally this would be associated with not having the correct permissions, but the token shows that the permissions are part of the access token here:
"appid": "563e2470-8b86-48dc-9050-20228336584e",
"appidacr": "1",
"idp": "https://sts.windows.net/74162350-5947-4628-892f-4ee1d28d88cc/",
"idtyp": "app",
"oid": "d9b6b299-ddc2-4708-ac87-2a48beb896f4",
"rh": "0.AUIAUCMWdEdZKEaJL07h0o2IzAMAAAAAAAAAwAAAAAAAAACkAAA.",
"roles": [
"Application.ReadWrite.All",
"Sites.Read.All",
"Application.Read.All"
],
"sub": "d9b6b299-ddc2-4708-ac87-2a48beb896f4",
"tenant_region_scope": "OC",
"tid": "74162350-5947-4628-892f-4ee1d28d88cc",
"uti": "rJQ_ra77J0ux9XBeCvMIAA",
"ver": "1.0",
"wids": [
"0997a1d0-0d1d-4acb-b408-d5ca73121e90"
],
And the code segment to access the share is (fails at ->execute):

<?php
require 'vendor/autoload.php';

use Microsoft\Graph\Graph;

// $tenantId, $clientId and $clientSecret are set earlier (not shown).
$guzzle = new \GuzzleHttp\Client();
$url = 'https://login.microsoftonline.com/' . $tenantId . '/oauth2/v2.0/token';
/*
 * If the client requests scope=https://graph.microsoft.com/.default, no consent prompt is shown, regardless of the contents of the client application's registered permissions for Microsoft Graph. The returned token contains the scopes Mail.Read and User.Read.
 */
// App-only (client_credentials) token request.
$token = json_decode($guzzle->post($url, [
    'form_params' => [
        'client_id' => $clientId,
        'scope' => 'https://graph.microsoft.com/.default',
        'grant_type' => 'client_credentials',
        'client_secret' => $clientSecret,
    ],
])->getBody()->getContents());
$accessToken = $token->access_token;

$graph = new Graph();
$graph->setAccessToken($accessToken);
// Resolve the sharing link ("u!" + base64url of the URL) and list its children; this is the call that returns 403.
$user = $graph->createRequest("GET", "/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL2YvcyFBdHVBTV9OYWN3VmFoaUZwdU1HU19CaVFDd1d1/root?expand=children")
    ->setReturnType(\Microsoft\Graph\Model\DriveItem::class)
    ->execute();
It appears that this is a long-known problem (Permission Denied when using Graph API service to call Sharepoint with an Azure AD Guest account, image below) and there is no way around the problem without the user consenting to the application's request for permissions. I have solved the problem by forcing the user to log in and approve the Azure application the first time he accesses the page. Once this is done, you can use the Refresh Token to acquire the necessary Access Token to access the user's files, without needing to obtain user consent again.
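The refresh-token step described in the answer, as an added example that is not code from the original question or answer. It assumes the composer packages guzzlehttp/guzzle and microsoft/microsoft-graph, that the user has already completed one interactive authorization-code sign-in (with offline_access consented) and that the refresh token from that sign-in is stored; $tenantId, $clientId, $clientSecret, $storedRefreshToken, the sharing URL and the saveRefreshToken() helper are placeholders. Before calling /shares it also decodes the access token's claims, so an app-only token (roles, idtyp=app, as in the question) is caught before it produces another 403.

```php
<?php
// Added example; not the original poster's code.
require 'vendor/autoload.php';

use GuzzleHttp\Client;
use Microsoft\Graph\Graph;
use Microsoft\Graph\Model\DriveItem;

/**
 * Decode a JWT payload for inspection only. No signature check is done here:
 * Graph validates the token; we only want to see which kind of token we hold.
 */
function decodeJwtPayload(string $jwt): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('Not a compact JWT');
    }
    $b64 = strtr($parts[1], '-_', '+/');                  // base64url -> base64
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);  // restore padding
    $claims = json_decode(base64_decode($b64, true), true);
    if (!is_array($claims)) {
        throw new RuntimeException('Could not decode JWT payload');
    }
    return $claims;
}

/**
 * Reject app-only tokens before calling Graph. A client_credentials token
 * carries "roles" (and idtyp=app, as in the question); a delegated token
 * carries "scp". /shares resolves the link as the signed-in user, so only
 * the delegated form works for a user's sharing link.
 */
function assertDelegatedToken(string $accessToken): void
{
    $claims = decodeJwtPayload($accessToken);
    if (($claims['idtyp'] ?? 'user') === 'app' || empty($claims['scp'])) {
        throw new RuntimeException('Access token is app-only (roles, no scp); a delegated token is required');
    }
}

/**
 * Redeem the stored refresh token for a new delegated access token.
 * Same token endpoint as the question, but grant_type=refresh_token.
 */
function refreshDelegatedToken(Client $http, string $tenantId, string $clientId, string $clientSecret, string $refreshToken): array
{
    $resp = $http->post("https://login.microsoftonline.com/{$tenantId}/oauth2/v2.0/token", [
        'form_params' => [
            'client_id'     => $clientId,
            'client_secret' => $clientSecret,
            'grant_type'    => 'refresh_token',
            'refresh_token' => $refreshToken,
            'scope'         => 'https://graph.microsoft.com/.default',
        ],
    ]);
    $token = json_decode((string) $resp->getBody(), true);
    if (!is_array($token) || empty($token['access_token'])) {
        throw new RuntimeException('Token endpoint returned no access_token');
    }
    return $token;  // may also contain a replacement refresh_token
}

/** Build the share id Graph expects: "u!" + unpadded base64url of the sharing URL. */
function shareIdFromUrl(string $sharingUrl): string
{
    return 'u!' . rtrim(strtr(base64_encode($sharingUrl), '+/', '-_'), '=');
}

function listSharedFolder(string $accessToken, string $sharingUrl): DriveItem
{
    $graph = new Graph();
    $graph->setAccessToken($accessToken);
    return $graph->createRequest('GET', '/shares/' . shareIdFromUrl($sharingUrl) . '/root?expand=children')
        ->setReturnType(DriveItem::class)
        ->execute();
}

// ---- usage (placeholder values) ----
$http  = new Client();
$token = refreshDelegatedToken($http, $tenantId, $clientId, $clientSecret, $storedRefreshToken);
assertDelegatedToken($token['access_token']);
// When the endpoint returns a new refresh token, replace the stored one.
// saveRefreshToken() is a hypothetical storage helper, not part of any library.
saveRefreshToken($token['refresh_token'] ?? $storedRefreshToken);

$root = listSharedFolder($token['access_token'], 'https://1drv.ms/f/s!PLACEHOLDER-SHARE-ID');
echo 'Shared folder: ' . $root->getName() . ', children: ' . count($root->getChildren() ?? []) . PHP_EOL;
```

The refresh token is a long-lived credential for that user's files, so it belongs in protected server-side storage (encrypted at rest, never in a cookie or client-side code), and the claim check is there to give a clear local error instead of a generic 403 when the wrong token type is wired in.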