Share central folder in Onedrive with MS Azure API application

Question

Issue: Cannot create or access a central storage container within OneDrive using App

Requirement: Create a central storage directory that is accessible for users within the Microsoft organistation and the MS App (Azure) using Application Permissions.

Current Status:

• Azure App created using 'Application Permissions' (not delegated) , Admin consent granted to files and sites (tenantId, clientId, clientSecret)
• Can create an access token and reference endpoints (/drives)
• Can list /drives which retrieves some sharepoint resource...? (see below)

Env: PHP using custom Guzzle HTTP to get accesstoken (working OK) and https://github.com/microsoftgraph/msgraph-sdk-php (working OK I guess as at least 1 endpoint works with a valid access token). Connecting using info from https://learn.microsoft.com/en-gb/azure/active-directory/develop/scenario-daemon-overview This is a web based app required to create directories and access documents created within those directories.

Question Is it possible to create a central storage bucket and provide shared access to all members of an organisation including the API 'service' account..? Then be able to create/move/delete directories/files via the App using NON delegated permissions?

My response from /drives endpoint is

Microsoft\Graph\Model\Drive Object
(
    [_propDict:protected] => Array
        (
            [createdDateTime] => 2021-05-01T13:20:28Z
            [description] => 
            [id] => b!gzrFQgVRmE ------------ 3NPqmqTkvD-BYJEg6xnjlDISrtovCEB9JfD
            [lastModifiedDateTime] => 2021-05-01T13:20:28Z
            [name] => Documents
            [webUrl] => https://<MS-Username>.sharepoint.com/Shared%20Documents
            [driveType] => documentLibrary
            [createdBy] => Array
                (
                    [user] => Array
                        (
                            [displayName] => System Account
                        )

                )

            [owner] => Array
                (
                    [group] => Array
                        (
                            [id] => 07c680da-b6b-----cd9e7acf2ea2
                            [displayName] => 07c680da----- d9e7acf2ea2
                        )

                )

            [quota] => Array
                (
                    [deleted] => 0
                    [remaining] => xxx
                    [state] => normal
                    [total] => xxx
                    [used] => xxx
                )

        )

)

So far I can get access tokens and list the above resource but it's pretty much all I can do.

• I cannot seem to access /me/drive/{ID} since /me/* is for delegated permissions only (as far I can can see)
• I cannot seem to use /drive/{ID} since OneDrive hides the ID pretty well. (from a new directory created in OneDrive Root)
• I've tried creating a 'Shared Library' (left in OneDrive web portal) within OneDrive (this is not visible when using /drives API endpoint)

So, in summary: Is there a way to create a centralised directory shared with users across an organisation and an App (Azure portal registered app)? Or at least specify and directory by ID... to set at the base/app_root for sharing. --- I know Google has something similar as a service account where you can just 'assign' the service account permissions to a directory in GoogleDrive in the organisation and off you go....

*** UPDATE ***

• Some further info - OneDrive != OneDrive for Business
• Sharepoint appears to be where shared company files 'want' to live

NOTE: MS provides a default shared directory which is visible when calling /v1.0/drives (Graph endpoint) as the App 'client_credentials' user. This is a sharepoint resource and usually referenced by .sharepoint.com/Shared%20Documents and is of type 'docuemntLibrary'.

So, I will be trying to use this as a central storage point. NOTE: going down the path of /sites//root/children does list DriveItems as per this post Microsoft GraphAPI and Sharepoint : List shared files but I cannot figure about how to create/upload/download using the 'sites' endpoints API...

Also note that: the assumption is that the 'shared default directory' will need to be 'mapped' to sit in the root of each organisational users OneDrive root dir. How this will be done automatically,.... ?

TBA as I read/test further.

Current proposed setup: Register App as 'Application Permissions' with client_credentials grant. Connect to API using https://github.com/microsoftgraph/msgraph-sdk-php, and FIND THE ID of the default shared directory. Use this as the base to create new directories and files (central storage repository). Hopefully OneDrive will behave and allow mapping to this shared location into each users root dir....

UPDATE #2: So, using the DefaultSite (CommunicationSite) accessible via /drives/...../root/children endpoint and trying to upload a file I receive the response Endpoint: /drives/b..............JfD/root/children/{{FILENAME}}/content method ->upload({{localURI}});

object(Microsoft\Graph\Http\GraphResponse)
["seekable":"GuzzleHttp\Psr7\Stream":private]=> bool(true) 
["readable":"GuzzleHttp\Psr7\Stream":private]=> bool(true) 
["writable":"GuzzleHttp\Psr7\Stream":private]=> bool(false) 

So, permissions.... But I have all files and sites ... (See image)

Answer 1

Background: https://learn.microsoft.com/en-us/graph/onedrive-concept-overview Files in Microsoft 365 are stored in drives. Users can store files in a personal drive - their OneDrive - or in a shared drive powered by a SharePoint document library.

Terminology: as far as I understand

Site = Entity/Container within Sharepoint
List = Elements/Entity/Container within a site
Item = Elements within a list

Assumptions: Single tenant (i.e. your organisation) app You've setup a new Sharepoint 'site' and within that setup a a new 'list'.

Requirements: Azure App setup as single tenant, Credentials for Application (Service based) Api (as opposed to delegated) API permissions for Files and Sites for MS Graph (I added Sharepoint as well)

Authorisations Application - Use client secret to get an access token Delegated - Use token with offline scope for refresh behaviour.

Once you have a valid token then (AS APPLICATION NOT DELEGATED )

1. https://graph.microsoft.com/v1.0/**sites** This will give you a list of sites. Find the site you want and find it's ID. It will be in the format

   <hostname.sharepoint.com>, collectionId, siteId

Use this to isolate the Site you want to use

2. https://graph.microsoft.com/v1.0/sites/**yourhostname.sharepoint.com,xxxxxxxxxxxx-xxxxxxx-xxxxx-xxxxx,yyyyyy-yyyyy-yyyyyyy**/lists

This will enumerate the 'lists' within the site (e.g. Documents, Your custom Document directory) Find the list that you want to use and it's associated id in the JSON dataset

3. https://graph.microsoft.com/v1.0/sites/yourhostname.sharepoint.com,xxxxxx,yyyyyyy/lists/**listID**/drive/root/children

This will enumerate all the items in that particular directory. (which is referred to as 'drive' in MS Graph speak)

Findings: Using delegated method for /sites endpoint only enumerated the 'Shared Documents' under the default communication site and I could not list all the 'sites' that were visible to the 'Application' method token. BUT using the specific URL/endpoint in #3 above I could enumerate the directory contents using both Application and Delegated API tokens.