Invalid Request inviting an API application using the graph API

Rush, Jason 20 Reputation points
2024-07-09T23:29:53.6066667+00:00

Hi,

I have one API application using OAuth for delegated permissions, and a second API application that uses client credentials. Using the OAuth application, I am trying to allow a user to authorize the client credentials application to read a particular folder or folders in SharePoint. But I'm getting an invalidRequest error in response. Here's the request I'm sending:

Endpoint:

https://graph.microsoft.com/v1.0/drives/<drive-id>/items/<folder-id>/invite

Body:

{
  "requireSignIn": true,
  "sendInvitation": false,
  "roles": ["read"],
  "recipients": [
    {
      "objectId": "<API-client-application-object-id>"
    }
  ]
}

Response:

{
  "error": {
    "code": "invalidRequest",
    "message": "The request is malformed or incorrect.",
    "innerError": {
      "date": "2024-07-09T23:00:50",
      "request-id": "<request-id>",
      "client-request-id": "<client-request-id>"
    }
  }
}

First, is what I'm trying to do even possible? Can an API application using delegated permissions invite another API application that uses client credentials to access a folder? Is there another preferable approach? The end goal is that someone can log in using OAuth for the first application, browser their folders and select one that the client-credentials application can access going forward. (The client-credentials application runs in a background process and can't be dependent on the OAuth token.)

And second, if this is the right approach, is there anything obviously wrong with my request? The JSON seems to match the driveItem-invite docs here.

Any help is greatly appreciated. Thanks in advance!

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
12,343 questions
SharePoint
SharePoint
A group of Microsoft Products and technologies used for sharing and managing content, knowledge, and applications.
10,875 questions
{count} votes

Accepted answer
  1. Ling Zhou_MSFT 18,325 Reputation points Microsoft Vendor
    2024-07-10T05:21:40.72+00:00

    Hi @Rush, Jason

    Thank you for posting in this community.

    No, it is not possible for an API application using delegated permissions to invite another API application that uses client credentials to access a folder.

    As described in the document you provided, recipients can only accept a set of users as parameters and cannot accept an application.

    User's image

    If you use delegated permissions, you can only send a sharing invitation to a user and then access the files that the user has permission to access.

    Hope this helps you.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.