Reputation: 87
Accessing OneDrive doc of Personal Account or Only one user in Business account via API
I am able to access OneDrive items of all the users in Office 365 business account using a free trial created from this link.
However, in order to make it work I needed to give my application below permission, which eventually allows this app to access OneDrive items of all the users in this tenant because of these permissions.
File.Read.All -> Delegate
File.Read.All -> Application
User.Read -> Delegate
User.Read.All -> Delegate
Site.Read.All -> Delegate
Now, my requirement is to access OneDrive document of only one users from this tenant and block the application from accessing documents from other users, or access document of any personal account (@hotmail.com/@live.com).
Please let me know if there is any way or in case I am doing anything wrong with the application I registered.
Asked the same question here but bot told to ask to azure team in stackoverflow https://github.com/OneDrive/onedrive-api-docs/issues/1219
Appreciate any help.
Upvotes: 0
Views: 181
Answers (1)
Reputation: 16458
Firstly, you need to understand the differences between Application permission and Delegate permission.
Application permission means App-only, the application acts as a user but there is no user sign in.
Delegate permission means App + User, a user will need to log into the application and access the resources.
So based on the permissions you have provided, I can't tell if your application requires a user to log in. If yes, Delegate permissions will take effect. Based on Delegated permissions, Files.Read.All allows the app to read all files the signed-in user can access. If the signed in user can access others' document, then your app can access them too. So if you control the access permissions for the user in OneDrive or SharePoint, your app with this signed in user will have the same permissions.
If your app doesn't require a signed in user, Application permissions will take effect in this case. Based on Application permissions, Files.Read.All allows the app to read all files in all site collections without a signed in user. So this scenario does not meet your needs.
Upvotes: 1
Related Questions
- OneDrive API and Azure Active Directory setup to upload as personal account
- How to authenticate to personal OneDrive with Graph REST API
- Access personal accounts Onedrive with Azure AD Multi tenant
- Microsoft Graph. Access OneDrive with application own identity
- Access AD users OneDrive for Businesses through Microsoft Graph in app-mode
- OneDrive - how to access files of users in my Business account using the Rest API?
- Accessing OneDrive and OneDrive business files of customers
- Administrative access to user's file via OneDrive for business API
- Which permissions are required to be set in azure active directory, to access a user's onedrive business account?
- How do I use the new Office 365 API to access users' onedrive