azure, sharepoint, microsoft-graph-api

How can my registered app get Microsoft Graph access for SharePoint file of a different organization?


In Microsoft Azure (portal.azure.com), I created my own developer tenant and registered an application. It can authenticate using its client ID and secret, all fine. I also configured it to allow public client flows and accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant).

Now I want this application to be able to write data to an Excel file in the SharePoint of another organization. So somehow they have to grant my application access to that file. The question is: How?

I tried sending them to https://login.microsoftonline.com/common/adminconsent?client_id=<my-client-id>, but that leads to an "Application with identifier <my-client-id> was not found in directory '<other-organization-domain>'" error. So that was obviously not what I need to do.

Is there an easy way for them to share their file with my app?

(I would like to avoid them having to register an app in their Azure tenant, if possible. And I have lost my way in the Microsoft Azure and Graph API documentation - no idea what actually applies to me...)


Solution

  • I agree with @Ctznkane525: to access a SharePoint file of another tenant, you have to register the application in the other tenant and grant the application the right API permissions.

    • There is no way to skip the step of registering the application in the other tenant, or else you will get errors.
    • This is because Microsoft Graph access to resources like SharePoint is governed by the consent of the organization that owns the data.

    Hence, to grant your app Microsoft Graph access to a SharePoint file from a different organization, check the below:

    Create a Microsoft Entra ID multi-tenant application in TenantA and grant it the Sites.Selected and Files.ReadWrite.All API permissions:

    Create a Service Principal and grant admin consent in TenantB:

    New-AzADServicePrincipal -ApplicationId <AppIDOfTenantAApp>
    

    Now grant admin consent either by the URL or directly from the portal in TenantB:

    https://login.microsoftonline.com/organizations/adminconsent?client_id=6f2e0909-e880-45ab-8aa9-c76ce86fc05e
    

    In the Enterprise application of TenantB, you can see the application:

    To set up an app-only principal with tenant permissions, you can also make use of the Microsoft Graph API:

    Go to https://TenantBDomain.sharepoint.com/sites/SiteName/_layouts/15/appinv.aspx and log in with the TenantB user credentials. Enter the TenantA App ID and grant access by using the provided XML request:

    Then click on Create and trust it.

    Generate the access token to access SharePoint:

    https://login.microsoftonline.com/TenantBTenantID/oauth2/v2.0/token
    
    client_id:TenantAAppID
    client_secret:TenantAClientSecret
    scope:https://graph.microsoft.com/.default
    grant_type:client_credentials
    

    I can successfully access the TenantB SharePoint site through the Microsoft Entra ID application associated with TenantA:

    Also, you can modify an Excel file on the other tenant's SharePoint site, as the token will contain the Files.ReadWrite.All API permission; refer to this blog by Mihai Albert.

    Reference:

    sharepoint - How to resolve 'invalid hostname for this tenancy' error when accessing Microsoft Graph API for multi-tenant app registration? - Stack Overflow (answer by me)
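The token step and the Excel write described above, end to end, as an added Python example (not code from the original answer): it builds the client-credentials request against TenantB, checks the returned token's `tid` and `roles` claims locally before using it, and builds the Graph PATCH that writes into a worksheet range. The tenant, app, site and item IDs are placeholders, and `SAMPLE_TOKEN` is a constructed, unsigned token used only for the local check.

```python
import base64
import json
import urllib.parse
import urllib.request

# Placeholder values (assumed, not from the original post): replace with your own.
TENANT_B_ID = "<TenantBTenantID>"
TENANT_A_APP_ID = "<TenantAAppID>"
TENANT_A_CLIENT_SECRET = "<TenantAClientSecret>"

def build_token_request(tenant_id, client_id, client_secret):
    """URL and form body for the client-credentials grant, issued against TenantB."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    })
    return url, body

def fetch_token(tenant_id, client_id, client_secret):
    """POST the grant and return the raw access token (network call)."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]

def jwt_claims(token):
    """Decode the JWT payload without verifying it; enough to sanity-check tid/roles locally."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_fits(token, expected_tenant, required_role="Files.ReadWrite.All"):
    """True if TenantB issued the token and it carries the app-only role the write needs."""
    claims = jwt_claims(token)
    return claims.get("tid") == expected_tenant and required_role in claims.get("roles", [])

def excel_range_update(site_id, item_id, worksheet, address, values):
    """Graph PATCH (URL, JSON body) that writes `values` into a range of the shared workbook."""
    url = (f"https://graph.microsoft.com/v1.0/sites/{site_id}/drive/items/{item_id}"
           f"/workbook/worksheets/{worksheet}/range(address='{address}')")
    return url, json.dumps({"values": values})

# Constructed, unsigned sample token (header.payload.signature) used only for the local check.
SAMPLE_TOKEN = ".".join(
    base64.urlsafe_b64encode(json.dumps(p).encode()).decode().rstrip("=")
    for p in ({"alg": "none"}, {"tid": TENANT_B_ID, "roles": ["Files.ReadWrite.All"]})
) + ".sig"
```

Graph validates the real token's signature server-side; the local `token_fits` check only tells you early that you obtained a token for the wrong tenant or without the consented role.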