Hong Ooi

How to authenticate to personal OneDrive with Graph REST API

I'm trying to write an R package to let users access the files in their OneDrive folders from R. The API is Microsoft Graph.

Everything is working fine with OneDrive for Business (which is basically SharePoint under the hood, as I understand it). However, I can't get it to work with personal OneDrive.

Custom app registration, consumers authorization endpoint

When I use an app registration under my own AAD tenant, I get the following error from the consumers AAD authorization endpoint:

AADSTS50020: User account '[email protected]' from identity provider 'live.com' does not exist in tenant 'Consumers' and cannot access the application 'd44a05d5-c6a5-4bbb-82d2-443123722380'(AzureRtest_cli) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

Custom app registration, 9188040d-6c67-4c5b-b112-36a304b66dad endpoint

From this page it appears that the token should be for the tenant 9188040d-6c67-4c5b-b112-36a304b66dad instead of the generic consumers. When I tried that, I obtained a seemingly valid token. However, talking to the https://api.onedrive.com/v1.0/drive endpoint results in a cryptic 401 error.

Azure CLI app registration, consumers endpoint

As a hack, I tried piggybacking off the Azure CLI's app registration. This fails with

AADSTS65002: Consent between first party application '04b07795-8ddb-461a-bbee-02f9e1bf7b46' and first party resource '00000003-0000-0000-c000-000000000000' must be configured via preauthorization. Visit https://identitydocs.azurewebsites.net/static/aad/preauthorization.html for details

Azure CLI app registration, 9188040d-6c67-4c5b-b112-36a304b66dad endpoint

Finally, I tried using the CLI app registration with this tenant, which also failed:

unauthorized_client: The client does not exist or is not enabled for consumers. If you are the application developer, configure a new application through the App Registrations in the Azure Portal at https://go.microsoft.com/fwlink/?linkid=2083908.

What are the exact steps I need to do to get to my personal OneDrive?

Upvotes: 2

Answers (1)

Hong Ooi

It turns out I had a bug in my code: I was using the tenant consumers.onmicrosoft.com instead of consumers. The process to communicate with Graph for personal OneDrive that worked for me was:

  • Use the authorization code flow as described here, with the following specs:
    • tenant: consumers
    • client id: for my custom app registration
    • scope: https://graph.microsoft.com/{scope} offline_access openid where the scope is one of those listed here
  • Use the API endpoint https://graph.microsoft.com/v1.0.

With regard to that last point, note that the documentation here is incorrect or at least outdated, as it still gives https://api.onedrive.com/v1.0 as the endpoint for personal OneDrive requests.

Upvotes: 1
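The flow the answer describes, written out as an added example (this is not code from the original post or from the answerer's R package). It builds the Microsoft identity platform v2.0 authorization request for the `consumers` tenant, the Graph-style scope string, the PKCE pair and the token-endpoint body, then checks the redirect for a state mismatch before handing back the code. It runs offline because it only constructs and validates URLs and request bodies; the HTTP calls themselves are left to the caller. The client id, redirect URI, sample redirect and the choice of `Files.Read` as the Graph permission are placeholders I made up for the example.

```python
"""Authorization-code flow for personal OneDrive via Microsoft Graph.

Added example, not the original post's code. Placeholder values (client id,
redirect URI, scope choice) are assumptions, not values from the page.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

TENANT = "consumers"  # the literal word, not "consumers.onmicrosoft.com"
AUTHORITY = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0"
GRAPH = "https://graph.microsoft.com/v1.0"  # not https://api.onedrive.com/v1.0


def graph_scope(*perms):
    """Scope string in the form https://graph.microsoft.com/{perm} offline_access openid."""
    resource_scopes = " ".join(f"https://graph.microsoft.com/{p}" for p in perms)
    return f"{resource_scopes} offline_access openid"


def pkce_pair():
    """Return (code_verifier, code_challenge) using the S256 method."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def verify_pkce(verifier, challenge):
    """True if challenge is the S256 transform of verifier (what the token endpoint checks)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii") == challenge


def authorize_url(client_id, redirect_uri, scope, state, code_challenge):
    """URL to open in the browser for the consumers tenant."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/authorize?{urlencode(params)}"


def code_from_redirect(redirect_url, expected_state):
    """Pull the authorization code out of the redirect.

    Rejects a missing or mismatched state (login CSRF / mixed-up session) and
    surfaces an AADSTS-style error response instead of silently returning None.
    """
    qs = parse_qs(urlparse(redirect_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect does not belong to this login attempt")
    if "error" in qs:
        raise ValueError(f"{qs['error'][0]}: {qs.get('error_description', [''])[0]}")
    return qs["code"][0]


def token_request(client_id, redirect_uri, code, code_verifier, scope):
    """(url, form body) to POST for the code exchange. Public client: PKCE verifier, no secret."""
    body = {
        "client_id": client_id,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
        "scope": scope,
    }
    return f"{AUTHORITY}/token", body


def graph_request(access_token, path="/me/drive/root/children"):
    """(url, headers) for a Graph call against the v1.0 endpoint."""
    return f"{GRAPH}{path}", {"Authorization": f"Bearer {access_token}"}


if __name__ == "__main__":
    # Placeholder client id and redirect URI (assumptions, not real registrations).
    client_id, redirect_uri = "00000000-0000-0000-0000-000000000000", "http://localhost:1410/"
    scope = graph_scope("Files.Read")
    state = secrets.token_urlsafe(16)
    verifier, challenge = pkce_pair()
    print(authorize_url(client_id, redirect_uri, scope, state, challenge))
```

The scope string uses the full `https://graph.microsoft.com/` prefix, which is what ties the token to the Graph resource rather than to the legacy OneDrive API, and the `state` check is the minimal protection a local-redirect flow should have before it exchanges a code.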
