How to access shared folder from external tenant with GRAPH API and OneDrive for Business ?

Charles Edouard 0 Reputation points
2024-08-08T16:15:57.87+00:00

Hi,

I was accessing external shared folders through the GRAPH API (OneDrive).

Since a few weeks, I have been receiving HTTP 403 "AccessDenied" when I try to access the same shared folder with the same GRAPH requests.

Details :

Alice in a tenant A shares a folder "Alice_Folder" to Bob in a tenant B. The shared folder is stored in OneDrive for Business.

Bob tries to access "Alice_Folder" through GRAPH API.

Technical steps (through Graph Explorer):

Alice performs an authentication in her tenant,

  • Alice accesses the driveId, itemId, shareId and webUrl of "Alice_Folder" with the following endpoint:
      https://graph.microsoft.com/v1.0/drives/{driveId}/items/{Alice_Folder_ItemId}
    (plus /permissions for the shareId)
  • Bob performs an authentication in Alice's tenant (logical, since Bob tries to access a folder in Alice's tenant),
  • Bob tries to access the shared folder through the following requests:
      https://graph.microsoft.com/v1.0/drives/{alice_drive_id}/items/{Alice_Folder_Item}
      https://graph.microsoft.com/v1.0/shares/{shareId}
      https://graph.microsoft.com/v1.0/shares/{encodedShareUrl}
    MS documentation:
      https://learn.microsoft.com/en-us/graph/api/shares-get?view=graph-rest-1.0&tabs=http

With the three endpoints, the error returned is "403 - forbidden (accessdenied)".

Analysis that has been performed:

  • Bob can access the folder in Alice's tenant through Chrome/Edge/Firefox,
  • Bob is a user "invited" in Alice's tenant: he appears as an "invited" user when listing all users in Alice's tenant,
  • GRAPH permissions seem OK (too many actually) (read from the jwt.ms site): Directory.ReadWrite.All ExternalItem.ReadWrite.All Files.Read Files.Read.All Files.ReadWrite Files.ReadWrite.All Group.Read.All Group.ReadWrite.All openid profile Sites.Read.All Sites.ReadWrite.All TeamsTab.ReadWrite.All User.Read email,

Thanks for your ideas,

Regards,


2 answers

  1. Yakun Huang-MSFT 7,045 Reputation points Microsoft Vendor
    2024-08-09T02:46:53.9833333+00:00

    Hi @Charles Edouard

    You can use this request to get to the shared folder, it is important to note that you are accessing the shared folder of an external tenant, so, the allowexternal=true parameter is mandatory.

    GET https://graph.microsoft.com/v1.0/me/drive/sharedWithMe?allowexternal=true
    

    See this document for details:

    https://learn.microsoft.com/en-us/graph/api/drive-sharedwithme?view=graph-rest-1.0&tabs=http

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

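The two lookup paths discussed in this thread (resolving what `/me/drive/sharedWithMe?allowexternal=true` returns into a `/drives/{driveId}/items/{itemId}` request, and building the `encodedShareUrl` used by `/shares/{shareId}`) are worked through below as an added example; it is not code from the question, the answer, or Microsoft. The HTTP call is injected as a `fetch` callable and replaced here by a constructed stub (`demo_fetch`, `SAMPLE_SHARED_WITH_ME`, the fake drive and item ids) so the script runs offline; a real client would pass a function that sends the request with a bearer token issued by Bob's home tenant. The shareId encoding follows Graph's documented "u!" + unpadded URL-safe base64 scheme.

```python
import base64
from typing import Any, Callable, Dict, List

GRAPH = "https://graph.microsoft.com/v1.0"  # assumed base URL for v1.0 endpoints


def encode_sharing_url(url: str) -> str:
    """Turn a sharing/web URL into the shareId accepted by GET /shares/{shareId}.

    Graph's documented rule: base64-encode the URL, drop '=' padding,
    replace '/' with '_' and '+' with '-', then prefix 'u!'.
    """
    b64 = base64.b64encode(url.encode("utf-8")).decode("ascii")
    return "u!" + b64.rstrip("=").replace("/", "_").replace("+", "-")


def decode_share_id(share_id: str) -> str:
    """Inverse of encode_sharing_url; handy when auditing which URL a shareId points at."""
    if not share_id.startswith("u!"):
        raise ValueError("not a URL-based shareId")
    b64 = share_id[2:].replace("_", "/").replace("-", "+")
    b64 += "=" * (-len(b64) % 4)  # restore the padding the encoding stripped
    return base64.b64decode(b64).decode("utf-8")


def list_external_shares(fetch: Callable[[str], Dict[str, Any]]) -> List[Dict[str, str]]:
    """Page through /me/drive/sharedWithMe?allowexternal=true (called in Bob's
    home tenant) and return, per item that lives in another drive/tenant, the
    remote driveId/itemId pair needed for /drives/{driveId}/items/{itemId}."""
    url = f"{GRAPH}/me/drive/sharedWithMe?allowexternal=true"
    found: List[Dict[str, str]] = []
    while url:
        page = fetch(url)
        for item in page.get("value", []):
            remote = item.get("remoteItem")
            if not remote:
                continue  # defensive: skip entries without the remoteItem facet
            found.append({
                "name": item.get("name", ""),
                "driveId": remote["parentReference"]["driveId"],
                "itemId": remote["id"],
                "webUrl": remote.get("webUrl", ""),
            })
        url = page.get("@odata.nextLink")  # Graph paging; absent on the last page
    return found


def classify_graph_error(status: int, body: Dict[str, Any]) -> str:
    """Map the failure seen in the thread (403 accessDenied) to a first check."""
    code = body.get("error", {}).get("code", "")
    if status == 403 and code.lower() == "accessdenied":
        return ("accessDenied: check which tenant issued the token and whether the item "
                "is listed by /me/drive/sharedWithMe?allowexternal=true")
    if status == 404:
        return "itemNotFound: driveId/itemId not visible with this token"
    return f"http {status}: {code or 'unknown'}"


# Constructed sample response (driveItem with a remoteItem facet); all ids are fake.
SAMPLE_SHARED_WITH_ME = {
    "value": [
        {
            "id": "01ITEMLOCAL",
            "name": "Alice_Folder",
            "remoteItem": {
                "id": "01ALICEFOLDERITEMID",
                "parentReference": {"driveId": "b!ALICEDRIVEID"},
                "webUrl": "https://contoso-my.sharepoint.com/personal/alice/Documents/Alice_Folder",
            },
        },
        {"id": "01LOCALONLY", "name": "Notes.docx"},
    ]
}


def demo_fetch(url: str) -> Dict[str, Any]:
    """Stand-in for an authenticated GET (Authorization: Bearer <token from Bob's tenant>)."""
    if not url.startswith(GRAPH):
        raise ValueError("unexpected host")
    return SAMPLE_SHARED_WITH_ME


if __name__ == "__main__":
    for share in list_external_shares(demo_fetch):
        print(share["name"], "->", f"{GRAPH}/drives/{share['driveId']}/items/{share['itemId']}")
        print("   or:", f"{GRAPH}/shares/{encode_sharing_url(share['webUrl'])}/driveItem")
    print(classify_graph_error(403, {"error": {"code": "accessDenied"}}))
```

The point of going through `sharedWithMe` first is that the ids it returns are the ones Bob's own token can address; requesting Alice's `driveId`/`itemId` directly, as in the question, depends on which tenant issued the token, which is the variable this thread keeps coming back to.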

  2. Charles Edouard 0 Reputation points
    2024-08-09T07:53:42.4166667+00:00

    Hi @Yakun Huang-MSFT ,

    Thank you for your answer !

    Yes, I am aware of that endpoint. However, the same data is returned with the endpoint

    GET https://graph.microsoft.com/v1.0/drives/{driveId}/items/{Alice_Folder_ItemId}
    

    and

    GET https://graph.microsoft.com/v1.0/me/drive/sharedWithMe?allowexternal=true
    

    => Only the tenant you are connected to matters in this case (Alice's tenant with the first endpoint, Bob's tenant with the second endpoint).

    Maybe a question of permissions? Maybe new parameters in the MS tenant?

    I am stuck here !

