Access Denied (403) When Downloading File via Microsoft Graph API Using Shared Link
I am trying to share a file from OneDrive using Microsoft Graph API and then allow another user to download it. However, when I attempt to download the file using the shared link, I receive a 403 Access Denied error.
User 1 creates a share link using:
POST https://graph.microsoft.com/v1.0/me/drive/items/{ItemId}/createLink
Authorization: Bearer {accessToken}
Content-Type: application/json
Request Body:
{
"type": "edit",
"scope": "anonymous"
}
Result:
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#microsoft.graph.permission",
"id": "Id",
"roles": [
"write"
],
"shareId": "ShareID",
"hasPassword": false,
"link": {
"scope": "anonymous",
"type": "edit",
"webUrl": "ShareUrl",
"preventsDownload": false
}
}
now as user 2 was trying to download the link with
https://graph.microsoft.com/v1.0/shares/ShareID/driveItem/content
it returned
{
"error": {
"code": "accessDenied",
"message": "Access denied"
}
}
Troubleshooting done so far:
- Verified that the access token is valid and contains All permissions
- Confirmed that the file is accessible via the web browser when using
webUrlfrom thecreateLinkresponse - Tried creating the link with
"scope": "anonymous"and"scope": "organization"(both resulted in the same issue) - Encoded the share URL as per Microsoft documentation
- Used both delegated and application permissions, but the issue persists
Is there any permissions missing here I have given access to all Files.ReadWrite, Files.Read.All, Files.ReadWrite.All, Sites.Read.All, Sites.ReadWrite.All in my azure.Portal.
Is there any new API needed for this to work?
Also I tried with the organization as Scope as both user comes under the same organization.
Both users are Delegated Users.
Link For Downloading the shared File
Permissions needed in the download api
this is the permissions required in the download Api
now i will also include the Azure portal permisiion for my applications this has permisiions involving files
"error": { "code": "accessDenied", "message": "Access denied" }
This error message occurs because of User 2 is trying to download the file using /shares/{ShareID}/driveItem/content endpoint and you generated anonymous sharing link which allow access to anyone without needing to sign-in this may also include people outside of your organization also and which is meant for browser-based (webUrl) authentication not for API access.
NOTE: The Microsoft Graph API doesnot allow API based access to files which are shared via anonymous links.
Registered Single-Tenant Microsoft Entra ID Application, Added and granted delegated type Files.ReadWrite.All API permission:
Generated access token using authorization_code flow using below parameters:
Firstly, To get code, I ran below authorization request in browser:
https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/authorize?
&client_id=<app_id>
&client_secret = <client_secret>
&redirect_uri= https://jwt.ms
&response_type=code
&response_mode=query
&scope=https://graph.microsoft.com/.default
POST https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token
client_id=<app_id>
client_secret = <client_secret>
redirect_uri= https://jwt.ms
code=<code which generated from browser>
scope= https://graph.microsoft.com/.default
grant_type = authorization_code
Now, Created shared link:
POST https://graph.microsoft.com/v1.0/me/drive/items/{ItemId}/createLink
Authorization: Bearer {accessToken}
Content-Type: application/json
Body:JSON
{
"type": "edit",
"scope": "anonymous"
}
- To allow
User 2to download the file use directwebUrlmethod .
Share that generated webUrl with User 2 and ask to paste it on browser:
- Use below endpoint and share
@microsoft.graph.downloadUrl:
Authorization: Bearer {accessToken}
Content-Type: application/json
GET https://graph.microsoft.com/v1.0/shares/ShareID/driveItem
References: