access denied when trying to access "/users/#{user_id}/drive/root/children" in graph api

Question

Hello everyone, I want to download an excel file that is shared across users of our company in onedrive. I am using application permissions (so not on behalf of) and I'm able to get an access_token.
With the token I'm able to list users with a get request to the "/users" endpoint and grab the id of the original owner of the file, but then when I try to access the file with

GET /users/{userId}/drive/items/{item-id}/content

I get "access denied"
What am I missing?

EDIT:
Everything I've done:

1. Registered my app in microsoft entra
2. Generated client secret
3. With client secret, request a token and store it in the db

      base_uri "https://login.microsoftonline.com"
         options = {
            headers: { "Content-Type" => "application/x-www-form-urlencoded" },
            body: {
              client_id: ENV["CLIENT_ID"],
              scope: "https://graph.microsoft.com/.default",
              client_secret: ENV["CLIENT_SECRET"],
              grant_type: "client_credentials",
            },
          }
      
          response = post("/#{ENV["TENANT_ID"]}/oauth2/v2.0/token", options)
   

4. With token, list users and grab the id of the original creator of the file

Answer 1

Hi @Andrea Cracchiolo

Calling the /users/{user_id}/drive/root/children API requires the Files.Read.All application permission. Check if your calling app has that permission.

Hope this helps.

If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

Answer 2

Hello Andrea Cracchiolo,

Thanks for reaching out to Microsoft Support!

It sounds like you’ve set up most of the necessary steps correctly, but there might be a few additional permissions or configurations needed to access the shared file. Here are some things to check:

1. Permissions Scope: Ensure that your application has the correct permissions to access the file. For downloading files, you typically need Files.Read.All or Files.ReadWrite.All permissions. You can check and update the permissions in the Azure portal under your app’s API permissions.
2. Access to Shared Files: If the file is shared with the user, you might need to use the /me/drive/sharedWithMe endpoint to list shared files and then access the file using the item ID from this list. The endpoint /users/{userId}/drive/items/{item-id}/content might not work if the file is not directly owned by the user.
3. Token Scope: Verify that the token you are using has the necessary scopes. You can decode the token using a tool like jwt.io to check the scopes included.
4. File Permissions: Ensure that the file permissions allow the application to access it. The file owner might need to grant explicit permissions to the application.

Hope this helps.

If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.