I am trying to share a file from OneDrive using Microsoft Graph API and then allow another user to download it. However, when I attempt to download the file using the shared link, I receive a 403 Access Denied error.
User 1 creates a share link using:
POST .0/me/drive/items/{ItemId}/createLink
Authorization: Bearer {accessToken}
Content-Type: application/json
Request Body:
{
"type": "edit",
"scope": "anonymous"
}
Result:
{
"@odata.context": ".0/$metadata#microsoft.graph.permission",
"id": "Id",
"roles": [
"write"
],
"shareId": "ShareID",
"hasPassword": false,
"link": {
"scope": "anonymous",
"type": "edit",
"webUrl": "ShareUrl",
"preventsDownload": false
}
}
now as user 2 was trying to download the link with
.0/shares/ShareID/driveItem/content
it returned
{
"error": {
"code": "accessDenied",
"message": "Access denied"
}
}
Troubleshooting done so far:
- Verified that the access token is valid and contains All permissions
- Confirmed that the file is accessible via the web browser when using
webUrlfrom thecreateLinkresponse - Tried creating the link with
"scope": "anonymous"and"scope": "anization"(both resulted in the same issue) - Encoded the share URL as per Microsoft documentation
- Used both delegated and application permissions, but the issue persists
Is there any permissions missing here I have given access to all Files.ReadWrite, Files.Read.All, Files.ReadWrite.All, Sites.Read.All, Sites.ReadWrite.All in my azure.Portal.
Is there any new API needed for this to work?
Also I tried with the anization as Scope as both user comes under the same anization.
Both users are Delegated Users.
Link For Downloading the shared File
Permissions needed in the download api
this is the permissions required in the download Api
now i will also include the Azure portal permisiion for my applications this has permisiions involving files
this has permisiions involoving sites
I am trying to share a file from OneDrive using Microsoft Graph API and then allow another user to download it. However, when I attempt to download the file using the shared link, I receive a 403 Access Denied error.
User 1 creates a share link using:
POST https://graph.microsoft/v1.0/me/drive/items/{ItemId}/createLink
Authorization: Bearer {accessToken}
Content-Type: application/json
Request Body:
{
"type": "edit",
"scope": "anonymous"
}
Result:
{
"@odata.context": "https://graph.microsoft/v1.0/$metadata#microsoft.graph.permission",
"id": "Id",
"roles": [
"write"
],
"shareId": "ShareID",
"hasPassword": false,
"link": {
"scope": "anonymous",
"type": "edit",
"webUrl": "ShareUrl",
"preventsDownload": false
}
}
now as user 2 was trying to download the link with
https://graph.microsoft/v1.0/shares/ShareID/driveItem/content
it returned
{
"error": {
"code": "accessDenied",
"message": "Access denied"
}
}
Troubleshooting done so far:
- Verified that the access token is valid and contains All permissions
- Confirmed that the file is accessible via the web browser when using
webUrlfrom thecreateLinkresponse - Tried creating the link with
"scope": "anonymous"and"scope": "anization"(both resulted in the same issue) - Encoded the share URL as per Microsoft documentation
- Used both delegated and application permissions, but the issue persists
Is there any permissions missing here I have given access to all Files.ReadWrite, Files.Read.All, Files.ReadWrite.All, Sites.Read.All, Sites.ReadWrite.All in my azure.Portal.
Is there any new API needed for this to work?
Also I tried with the anization as Scope as both user comes under the same anization.
Both users are Delegated Users.
Link For Downloading the shared File
Permissions needed in the download api
this is the permissions required in the download Api
now i will also include the Azure portal permisiion for my applications this has permisiions involving files
this has permisiions involoving sites
Share Improve this question edited Feb 3 at 6:29 Anzil asked Jan 31 at 5:01 AnzilAnzil 32 bronze badges 11- Could you pls share the screenshot of your API permission blade and edit the question? – Pratik Jadhav Commented Jan 31 at 5:13
- I have updated the question with the required permissions ,I am new to this Graph api concept and this is my first question as well . – Anzil Commented Feb 3 at 6:32
- Could you pls confirm which license does User-2 had means Office 365 E3 license or Office 365 E5 license? – Pratik Jadhav Commented Feb 3 at 7:08
- i contacted My admin and found out that the User2 has M365 business basic license – Anzil Commented Feb 4 at 5:17
- 1 The approach mentioned above is working; I tested it with Postman. Now, I'll check its compatibility with my enterprise software. – Anzil Commented Feb 6 at 9:50
2 Answers
Reset to default 0"error": { "code": "accessDenied", "message": "Access denied" }
This error message occurs because of User 2 is trying to download the file using /shares/{ShareID}/driveItem/content endpoint and you generated anonymous sharing link which allow access to anyone without needing to sign-in this may also include people outside of your anization also and which is meant for browser-based (webUrl) authentication not for API access.
NOTE: The Microsoft Graph API doesnot allow API based access to files which are shared via anonymous links.
Registered Single-Tenant Microsoft Entra ID Application, Added and granted delegated type Files.ReadWrite.All API permission:
Generated access token using authorization_code flow using below parameters:
Firstly, To get code, I ran below authorization request in browser:
https://login.microsoftonline/<tenant_id>/oauth2/v2.0/authorize?
&client_id=<app_id>
&client_secret = <client_secret>
&redirect_uri= https://jwt.ms
&response_type=code
&response_mode=query
&scope=https://graph.microsoft/.default
POST https://login.microsoftonline/<tenant_id>/oauth2/v2.0/token
client_id=<app_id>
client_secret = <client_secret>
redirect_uri= https://jwt.ms
code=<code which generated from browser>
scope= https://graph.microsoft/.default
grant_type = authorization_code
Now, Created shared link:
POST https://graph.microsoft/v1.0/me/drive/items/{ItemId}/createLink
Authorization: Bearer {accessToken}
Content-Type: application/json
Body:JSON
{
"type": "edit",
"scope": "anonymous"
}
- To allow
User 2to download the file use directwebUrlmethod .
Share that generated webUrl with User 2 and ask to paste it on browser:
- Use below endpoint and share
@microsoft.graph.downloadUrl:
Authorization: Bearer {accessToken}
Content-Type: application/json
GET https://graph.microsoft/v1.0/shares/ShareID/driveItem
References:
sharingLink Resource
download DriveItem Content
I found a solution, involving User 2 is Given permission fom User 1 to the File by
Invite
https://graph.microsoft/v1.0/me/drive/items/<itemid>/invite
Body:JSON
{
"recipients": [
{
"email": "Mail Of User 2"
}
],
"message": "Here's the file that we're collaborating on.",
"requireSignIn": true,
"sendInvitation": false,
"roles": [ "write" ]
}
With this, User2 can download the file at any time without worrying about expiration.
using
GET /shares/{shareIdOrEncodedSharingUrl}/driveItem/content
https://graph.microsoft/v1.0/shares/{shareid}/driveItem/content
this will download the file as user 2 was given permission to the file