Anzil

Reputation: 3

Access Denied (403) When Downloading File via Microsoft Graph API Using Shared Link

I am trying to share a file from OneDrive using Microsoft Graph API and then allow another user to download it. However, when I attempt to download the file using the shared link, I receive a 403 Access Denied error.

User 1 creates a share link using:

POST https://graph.microsoft.com/v1.0/me/drive/items/{ItemId}/createLink
Authorization: Bearer {accessToken}
Content-Type: application/json

Request Body:

{
    "type": "edit", 
    "scope": "anonymous"
}

Result:

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#microsoft.graph.permission",
    "id": "Id",
    "roles": [
        "write"
    ],
    "shareId": "ShareID",
    "hasPassword": false,
    "link": {
        "scope": "anonymous",
        "type": "edit",
        "webUrl": "ShareUrl",
        "preventsDownload": false
    }
}

Now, when user 2 tried to download it with
https://graph.microsoft.com/v1.0/shares/ShareID/driveItem/content
it returned:
{
    "error": {
        "code": "accessDenied",
        "message": "Access denied"
    }
}

Troubleshooting done so far:

Are there any permissions missing here? I have given access to all of Files.ReadWrite, Files.Read.All, Files.ReadWrite.All, Sites.Read.All and Sites.ReadWrite.All in my Azure portal. Is there any new API needed for this to work? Also, I tried with the organization as scope, as both users come under the same organization. Both users are delegated users.

Link For Downloading the shared File

Permissions needed in the download api

this is the permissions required in the download Api

Now I will also include the Azure portal permissions for my application; this has the permissions involving files.

This has the permissions involving sites.

Upvotes: 0

Views: 159

Answers (2)

Anzil

Reputation: 3

I found a solution, in which User 2 is given permission to the file by User 1 via

Invite

https://graph.microsoft.com/v1.0/me/drive/items/<itemid>/invite
Body (JSON):
{
  "recipients": [
    {
      "email": "Mail Of User 2"
    }
  ],
  "message": "Here's the file that we're collaborating on.",
  "requireSignIn": true,
  "sendInvitation": false,
  "roles": [ "write" ]
}

With this, User 2 can download the file at any time without worrying about expiration, using
GET /shares/{shareIdOrEncodedSharingUrl}/driveItem/content
https://graph.microsoft.com/v1.0/shares/{shareid}/driveItem/content
This will download the file, as user 2 was given permission to the file.

Upvotes: 0

Pratik Jadhav

Reputation: 972

"error": { "code": "accessDenied", "message": "Access denied" }

This error message occurs because User 2 is trying to download the file using the /shares/{ShareID}/driveItem/content endpoint, and you generated an anonymous sharing link, which allows access to anyone without needing to sign in (this may also include people outside of your organization) and which is meant for browser-based (webUrl) access, not for API access.

NOTE: The Microsoft Graph API does not allow API-based access to files which are shared via anonymous links.

Registered a single-tenant Microsoft Entra ID application, and added and granted the delegated-type Files.ReadWrite.All API permission:


Generated an access token using the authorization_code flow with the parameters below:

Firstly, to get the code, I ran the authorization request below in the browser:

https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/authorize?
client_id=<app_id>
&client_secret=<client_secret>
&redirect_uri=https://jwt.ms
&response_type=code
&response_mode=query
&scope=https://graph.microsoft.com/.default


POST https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token
client_id=<app_id>
client_secret=<client_secret>
redirect_uri=https://jwt.ms
code=<code generated from the browser>
scope=https://graph.microsoft.com/.default
grant_type=authorization_code


Now, created the shared link:

POST https://graph.microsoft.com/v1.0/me/drive/items/{ItemId}/createLink
Authorization: Bearer {accessToken}
Content-Type: application/json

Body (JSON):

{
    "type": "edit", 
    "scope": "anonymous"
}


  1. To allow User 2 to download the file, use the direct webUrl method.

Share the generated webUrl with User 2 and ask them to paste it into a browser:


  2. Use the endpoint below and share the @microsoft.graph.downloadUrl:

GET https://graph.microsoft.com/v1.0/shares/ShareID/driveItem
Authorization: Bearer {accessToken}
Content-Type: application/json


References:

sharingLink Resource

download DriveItem Content

Upvotes: 0
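Both answers come down to the same two pieces: a grant bound to User 2's signed-in identity (the /invite body from the first answer) and a /shares/{id}/driveItem lookup (the second answer's downloadUrl step). The script below is an added example, not code from either answer or from Microsoft; it uses only the standard library, follows Graph's documented "u!" share-id encoding, and treats the token, item id and e-mail address as placeholders.

```python
import base64
import json
import urllib.error
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

def encode_sharing_url(web_url: str) -> str:
    """webUrl -> 'u!...' id for /shares/{id}: base64, strip '=', '/'->'_', '+'->'-'."""
    b64 = base64.b64encode(web_url.encode("utf-8")).decode("ascii")
    return "u!" + b64.rstrip("=").replace("/", "_").replace("+", "-")

def invite_body(recipient_email: str, role: str = "write") -> dict:
    """Body for POST /me/drive/items/{id}/invite (User 1 granting User 2). requireSignIn
    ties the grant to User 2's identity, unlike the anonymous createLink permission."""
    if role not in ("read", "write"):
        raise ValueError("role must be 'read' or 'write'")
    return {"recipients": [{"email": recipient_email}], "requireSignIn": True,
            "sendInvitation": False, "roles": [role]}

def is_access_denied(status: int, payload) -> bool:
    """True for the 403 body quoted in the question."""
    return (status == 403 and isinstance(payload, dict)
            and payload.get("error", {}).get("code") == "accessDenied")

def graph_call(token: str, method: str, path: str, body=None):
    """Minimal Graph request; every endpoint used here answers with JSON."""
    data = json.dumps(body).encode("utf-8") if body is not None else None
    req = urllib.request.Request(GRAPH + path, data=data, method=method)
    req.add_header("Authorization", "Bearer " + token)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, raw = err.code, err.read()
    return status, (json.loads(raw) if raw else {})

def download_shared_item(token: str, share_id: str) -> bytes:
    """As User 2: resolve the driveItem, then fetch its short-lived, pre-authenticated
    @microsoft.graph.downloadUrl WITHOUT the bearer token, so the token never leaves Graph."""
    status, item = graph_call(token, "GET", f"/shares/{share_id}/driveItem")
    if is_access_denied(status, item):
        raise PermissionError("accessDenied: this signed-in user holds no grant on the "
                              "item (anonymous links are not usable via the API); invite them")
    if status != 200:
        raise RuntimeError(f"unexpected HTTP {status}: {item!r}")
    with urllib.request.urlopen(item["@microsoft.graph.downloadUrl"]) as resp:
        return resp.read()
```

User 1 runs `graph_call(token1, "POST", f"/me/drive/items/{item_id}/invite", invite_body("user2@example.invalid"))`, after which `download_shared_item(token2, encode_sharing_url(web_url))` succeeds for User 2 and the accessDenied branch fires only while the grant is missing.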
