Ken Pham

Reputation: 223

Tenant does not have a SPO license

I have an error while trying to use Microsoft Graph to write a script to upload an Excel file to OneDrive then read the Excel file.

I followed the Microsoft documentation to obtain an access token without a user. I successfully got an access token, but I got an error when using it to call the OneDrive API.

Here is the response:

    {
        "error": {
            "code": "BadRequest",
            "message": "Tenant does not have a SPO license.",
            "innerError": {
                "request-id": "5ec31d17-3aea-469f-9078-de3608f11d0d",
                "date": "2017-10-10T04:34:05"
            }
        }
    }

I don't understand why I need to have an SPO license when calling the Graph API, or how to get one. Because of this error message, I'm trying to buy an SPO license.

According to this document, I think I should see many products on the license pages, but when I log in to the Azure Portal and go to the License page, I see only 2 products: Azure AD Premium and Enterprise Mobility Suite:

screenshot

Upvotes: 22

Views: 32594

Answers (8)

eldrly

Reputation: 141

I used the python-o365 library to access OneDrive on a personal plan (https://github.com/O365/python-o365).

Since this uses MS Graph on the backend, it must also be possible with requests to their REST API.

I followed the default 'authorisation code grant flow' described in the 'Authentication' section of their documentation.

    from O365 import Account, MSGraphProtocol

    app_id = 'redacted'
    secret = 'redacted'

    credentials = (app_id, secret)

    protocol = MSGraphProtocol()
    scopes_graph = protocol.get_scopes_for('onedrive_all')

    account = Account(credentials, scopes=scopes_graph)

    # Follow the URL, log in, and paste the new URL back into the console
    if not account.is_authenticated:
        account.authenticate()

    # Now free to interact with storage
    storage = account.storage()
    drive = storage.get_default_drive()
    root = drive.get_root_folder()
    items = drive.get_items()

A few gotchas that weren't explained in the documentation:

  • In my Azure 'App registration' I had to allow both 'access tokens' and 'id tokens' to be issued by the endpoint
  • I had to check 'Allow public client flows'

Upvotes: 0

Augusto Icaro

Reputation: 663

In case anyone else has a similar issue, I got the same error message when using a personal Microsoft account, just like OP.

So, if you are using a personal account with a registered Azure Active Directory (AAD) app whose type isn't Personal Microsoft accounts only or Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g., Skype, Xbox), you will get this error. Also, you need to use the correct endpoint to avoid errors.

The main problem is our account type. As a personal account, there are some restrictions on accessing OneDrive files. These restrictions are:

  1. You can only use OAuth2 Code Flow or OAuth2 Token Flow. Both are interactive approaches. [1][2]
  2. Your application registered in AAD needs to be Personal Microsoft accounts only or Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox), and each one has a different endpoint for acquiring the access token (which you can see by clicking the endpoint button, near the delete app button on the app page). [3]
  3. Enable these delegated permissions for your application registered in AAD: Files.Read, Files.Read.All, Files.ReadWrite, and Files.ReadWrite.All.

With these restrictions in mind, you can set up a workflow in Postman following these two steps (I'm using the endpoints of the Personal Microsoft accounts only app type and OAuth2 Code Flow):

Important note: To use code flow, you need to enable Access tokens under Implicit grant and hybrid flows in the Authentication item of the AAD app's sidebar menu.

  1. Acquire access token:
https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize?client_id=YOUR_CLIENT_ID&response_type=token&redirect_uri=ONE_OF_REGISTERED_REDIRECT_URI&scope=Files.Read Files.Read.All Files.ReadWrite Files.ReadWrite.All

After you fill in your information in Postman's request, I recommend using a browser with network inspection to log in with a Microsoft account and permit the app. You get the access token via network inspection.

  2. List OneDrive root files:
https://graph.microsoft.com/v1.0/me/drive/root/children
Add a new header:
Authorization
With value:
Bearer ACCESS_TOKEN_OF_STEP_1

In my Angular application, because OneDrive files can only be accessed in this interactive way, I changed my authentication method to use the Microsoft Authentication Library (MSAL), to avoid opening a popup window to authenticate a valid Microsoft account every time an API request needs to be sent.

Upvotes: 18
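
The sign-in request from step 1, built as an authorization code request with PKCE and a state check, so the token is redeemed at the token endpoint rather than read out of the redirect. This is an added example, not part of the answer above; the client id and redirect URI are placeholders, and the app is assumed to be registered as a public client for personal accounts.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Authority for personal Microsoft accounts, as used in the answer above.
AUTHORITY = "https://login.microsoftonline.com/consumers/oauth2/v2.0"


def b64url(raw: bytes) -> str:
    """Base64url without padding, as PKCE (RFC 7636) requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_auth_request(client_id, redirect_uri, scopes):
    """Return (authorize_url, state, code_verifier) for one sign-in attempt."""
    state = secrets.token_urlsafe(16)
    verifier = b64url(secrets.token_bytes(32))  # 43 characters
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",  # a code in the query string, not a token
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })
    return f"{AUTHORITY}/authorize?{query}", state, verifier


def code_from_redirect(redirect_url, expected_state):
    """Extract the authorization code; reject errors and state mismatches."""
    params = parse_qs(urlsplit(redirect_url).query)
    if "error" in params or "code" not in params:
        reason = params.get("error", ["no code returned"])[0]
        raise ValueError(f"authorization failed: {reason}")
    if params.get("state", [""])[0] != expected_state:
        raise ValueError("state mismatch: response is not for this request")
    return params["code"][0]


def token_request(client_id, redirect_uri, code, verifier):
    """Return (url, form fields) to POST in order to redeem the code."""
    return f"{AUTHORITY}/token", {
        "client_id": client_id,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,  # proves this client started the flow
    }
```

Keep the state and verifier returned by `new_auth_request` in the session that started the sign-in, and send the access token from the token response in the `Authorization: Bearer` header of step 2.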

Hieu

Reputation: 7674

For anyone like me who is just trying out the MS Graph SDK for .NET and encounters this error while trying to access their personal drive:

First, make sure you select Personal Microsoft accounts only when registering your application.

Second, TenantId should be set to consumers. For example:

    var deviceCodeCredentialOptions = new DeviceCodeCredentialOptions()
    {
        ClientId = ApplicationClientId,
        TenantId = "consumers",
        DeviceCodeCallback = (info, cancel) =>
        {
            // Display the device code message to
            // the user. This tells them
            // where to go to sign in and provides the
            // code to use.
            Console.WriteLine(info.Message);
            return Task.FromResult(0);
        },
        TokenCachePersistenceOptions = new TokenCachePersistenceOptions() { Name = TokenName }
    };

Also, make sure your scopes have appropriate permissions such as Files.ReadWrite.

After that, you should be able to access your drive without problems.

Upvotes: 1

Mr Patience

Reputation: 2180

To add to Kikutos' answer, you can use this Azure sample to acquire the token via MSAL.NET.
The only thing you need to change is the Instance property, which needs to be set to:

https://login.microsoftonline.com/consumers/

Upvotes: 1

crimson_penguin

Reputation: 2778

In case anyone else has a similar issue, I was getting the same error message when using an Office 365 Home license. It turns out SPO stands for SharePoint Online, and you need an Office 365 Business account to have it. So as far as I can tell, you can't use the Microsoft Graph API to access OneDrive without having SharePoint (which only comes with the business licenses). This isn't really made clear anywhere that I could find.

Upvotes: 23

Dan Kershaw - MSFT

Reputation: 5838

Answering a couple of things here.

Background: Microsoft Graph is the developer gateway or API to many Microsoft cloud services, like Office 365, Azure Active Directory, EMS (Enterprise Mobility Suite), personal Outlook, personal OneDrive and more. Use of the API is free, but to access the data behind it, you need to actually have those services - in some cases they may be free and in other cases you may need to pay for them.

As for adding Office 365 to your existing tenant: I believe you've signed up for Azure using a Microsoft Account. This means that you already have an Azure Active Directory tenant. You can still purchase/acquire Office 365 for that tenant. All you need to do is create a new Azure AD user (not a Microsoft Account) in your tenant, and make them a company admin. Then you should be able to sign up for Office 365 - if it asks if you already have a tenant or account, sign in with the AAD account you just created. And voila, you should have an Azure AD tenant with a subscription to Azure AND now a subscription to Office 365.

Hope this helps,

Upvotes: 15

Marc LaFleur

Reputation: 33094

Both OneDrive for Business and the Excel APIs require Office 365. Based on your screenshot, this looks like a standalone Azure Active Directory tenant (i.e. not linked to O365).

The reason for the SPO License message is that OneDrive for Business is a special SharePoint Online document library that is automatically provisioned for users.

Upvotes: 4

MKumar

Reputation: 31

  1. Are you able to access the OneDrive contents (including the Excel file) manually through a browser after logging in with your account in the same tenant?

  2. If you are able to access the drive and file manually, please use Graph Explorer https://developer.microsoft.com/en-us/graph/graph-explorer to sign in using the same account and make the call to get the Drive contents. When you're signing in, you will be presented with a consent page listing the permissions that need to be granted. Please make a note of those permissions and check whether they match those required for accessing the drive.

  3. If you do not have an appropriate SPO license yet, you can try setting up a free Office 365 trial account (https://products.office.com/en-in/business/office-365-enterprise-e3-business-software) and test the APIs.

Upvotes: 3
