Anonymously read and upload to publicly shared OneDrive folder using MS Graph API

Question

Anonymously read and upload to publicly shared OneDrive folder using MS Graph API

Romas Markovcinas 10

Hello MS Team,

I am working on a web based solution that should allow reading publicly shared OneDrive folder by organizational and anonymous users using MS Graph API. I use jQuery aJax to make requests to the API.

I have created publicly shared OneDrive item with anyone with link can read and edit permissions. I can access and upload files to this link without logging in.
I am trying to access this folder through MS Graph endpoints below. If I provide access token, everything works as expected. I can read permissions with scope : "anonymous" and type : "edit". However if user is not logged in and access token is absent, the MS Graph return 401 unauthorized response for each three requests.

   GET https://graph.microsoft.com/v1.0/shares/{shareID}/driveID
   GET https://graph.microsoft.com/v1.0/drives/{driveID}/items/{itemID}
   POST https://graph.microsoft.com/v1.0/drives/{driveID}/items/{itemID}/createUploadSession

   [@odata.context] => https://graph.microsoft.com/v1.0/$metadata#permission
   [@odata.type] => #microsoft.graph.permission
   [id] => 9c697ba7-65bb-4b4e-bbc2-****
   [roles] => Array
               (
                  [0] => write
               )
   [shareId] => u!aHR0cHM6Ly9zZWFn****
   [hasPassword] => 
   [link] => Array
               (
                  [scope] => anonymous
                  [type] => edit
                  [webUrl] => https://{tenant}-my.sharepoint.com/:f:/g/personal/****/Ejj1aTBov-BFjqhJ***
                  [preventsDownload] => 
               )

How is it possible to access publicly shared OneDrive folder when user is anonymous (i.e. when accessToken is not available)?

Alternatively - is it possible to create some kind of context token, than anonymous users can use to access publicly shared folders?

RichG 10 Reputation points

2023-04-03T20:03:38.2766667+00:00

The inability to access Onedrive files/folders with a share link that is supposed to work for anyone has been going on for YEARS and there are only BS answers and no movement by MS to fix the issue. I think your best method would be to use a file sharing service other than Microsoft/OneDrive I have this same issue and a Google search reveals people with the same issue since at least 2019 - all of which get non-answers from experts and the issue never gets properly resolved.
Romas Markovcinas 10 Reputation points

2023-04-03T23:27:09.01+00:00

By now I have found following in MS Graph documentation:

For OneDrive for Business and SharePoint, the Shares API always requires authentication and cannot be used to access anonymously shared content without a user context.

The keyword here is "without a user context". If I anonymously open shared OneDrive link in my browser and then make MS Graph request to get shared items - I receive expected response. If I do not open shared link first, MS Graph response is 401 unauthenticated. Apparently, MS OneDrive web application creates "Guest Contributor" user context (and, I assume, assigns access token for that Guest User). This makes me wonder, is it possible to get Microsoft account guest token as it is described in this documentation?
Romas Markovcinas 10 Reputation points

2023-04-03T23:30:30.3933333+00:00

After researching this issue for a week, I cannot agree more with you sir. Unfortunately my clients will be not willing to migrate to other service at least for now. This leaves me with great challenge to solve..!

2 answers

Your answer

RichG 10 Reputation points

2023-04-03T20:03:38.2766667+00:00

The inability to access Onedrive files/folders with a share link that is supposed to work for anyone has been going on for YEARS and there are only BS answers and no movement by MS to fix the issue. I think your best method would be to use a file sharing service other than Microsoft/OneDrive I have this same issue and a Google search reveals people with the same issue since at least 2019 - all of which get non-answers from experts and the issue never gets properly resolved.
Romas Markovcinas 10 Reputation points

2023-04-03T23:27:09.01+00:00

By now I have found following in MS Graph documentation:

For OneDrive for Business and SharePoint, the Shares API always requires authentication and cannot be used to access anonymously shared content without a user context.

The keyword here is "without a user context". If I anonymously open shared OneDrive link in my browser and then make MS Graph request to get shared items - I receive expected response. If I do not open shared link first, MS Graph response is 401 unauthenticated. Apparently, MS OneDrive web application creates "Guest Contributor" user context (and, I assume, assigns access token for that Guest User). This makes me wonder, is it possible to get Microsoft account guest token as it is described in this documentation?
Romas Markovcinas 10 Reputation points

2023-04-03T23:30:30.3933333+00:00

After researching this issue for a week, I cannot agree more with you sir. Unfortunately my clients will be not willing to migrate to other service at least for now. This leaves me with great challenge to solve..!

Answer 1

Zehui Yao_MSFT 5,876

Hi Romas Markovcinas , you can also choose to open a support case with Microsoft Graph, a backend Support Engineer will be able to assist you better. You can raise support ticket from http://aad.portal.azure.com/ or https://admin.microsoft.com/#/support/requests.

Answer 2

Jakob Hohlfeld 0

So it seems you are stuck with setting up an app and authenticating your requests to sharepont items via the graph api: https://learn.microsoft.com/en-us/graph/use-the-api

Share via

Anonymously read and upload to publicly shared OneDrive folder using MS Graph API

2 answers

Your answer