User not able to access drive item shared from external tenant's OneDrive via Graph API

Kuldeep Raj Tiwari 1 Reputation point
2024-11-27T11:55:15.79+00:00

**An external user is unable to access drive items shared from another tenant's OneDrive using the Microsoft Graph API, even though they can access the item through the web interface (SharePoint). The Graph API GET /drive/items/{item-id} returns a 403 error despite proper sharing and external user authentication.**

**Steps to Reproduce**:

  • Share an item from user's personal OneDrive in Tenant A to an external user in Tenant B.
  • Attempt to access the shared item via the Graph API.

API Endpoints Involved:

  • GET /drive/items/{item-id}.

Further Details:
User X from tenant A shares an item from his OneDrive with User Y from tenant B.
Endpoint for sharing the document:
POST https://graph.microsoft.com/v1.0/drives/b!Tf347mYdz0-zWP3yfpMv8HdcnCS7j3pLoP9_NjFW0tv6EGV3zO-ATYkUDVeXF4_q/items/01GA5MEKR4EKL6SI7HLVFJXC7RHOGC7SEE/invite
**Payload:**

{
  "recipients": [
    {
      "email": "<user's email id>"
    }
  ],
  "message": "",
  "requireSignIn": true,
  "sendInvitation": false,
  "roles": [
    "read"
  ]
}

Response header

{
	client-request-id:"a925a561-9b2e-43e4-a22a-2320341611db",
	content-encoding:"gzip",
	content-type:"application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8",
	location:"https://graph.microsoft.com",
	odata-version:"4.0",
	request-id:"85bede14-cd29-4088-83c0-0813bdcff71c"
}

When User Y tries to access the Document:
Endpoint:
GET https://graph.microsoft.com/v1.0/drives/b!Tf347mYdz0-zWP3yfpMv8HdcnCS7j3pLoP9_NjFW0tv6EGV3zO-ATYkUDVeXF4_q/items/01GA5MEKR4EKL6SI7HLVFJXC7RHOGC7SEE
Response header (403 access denied)

{
	client-request-id:"b25cf203-d385-44e3-9bf7-fc6244f0c9b9"
	content-type:"application/json; charset=utf-8"
	date:"Wed, 27 Nov 2024 10:05:37 GMT"
	request-id:"7509ca0a-21fc-4993-a2f4-9d11ca2010d8"
}

Response :

{
  "code": "accessDenied",
  "message": "Access denied"
}
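As an added illustration (not code from the question or from Microsoft), the check a practitioner would run next: list the item's permissions with GET /drives/{drive-id}/items/{item-id}/permissions and confirm whether the invite produced a direct grant for the external recipient, rather than only a link. The listing below is constructed; its field names follow the Graph permission resource, and the ids and emails are made up.

```python
"""Inspect a driveItem permissions listing to see what the invite actually granted."""
import json
from typing import Any, Dict, List, Set

# Constructed sample of a /permissions response (made-up ids and emails).
SAMPLE_PERMISSIONS = json.loads("""
{"value": [
  {"id": "perm-owner", "roles": ["owner"],
   "grantedToV2": {"user": {"email": "userx@tenant-a.example", "displayName": "User X"}}},
  {"id": "perm-invite", "roles": ["read"],
   "grantedToIdentitiesV2": [{"user": {"email": "UserY@tenant-b.example"}}],
   "invitation": {"email": "usery@tenant-b.example", "signInRequired": true}},
  {"id": "perm-link", "roles": ["read"],
   "link": {"scope": "anonymous", "type": "view", "webUrl": "https://example.invalid/share"}}
]}
""")


def _emails(perm: Dict[str, Any]) -> Set[str]:
    """Collect every user email a permission entry names, lowercased."""
    identities: List[Dict[str, Any]] = []
    if "grantedToV2" in perm:
        identities.append(perm["grantedToV2"])
    identities.extend(perm.get("grantedToIdentitiesV2", []))
    found = {i.get("user", {}).get("email", "").lower() for i in identities}
    found.discard("")
    return found


def roles_granted_to(email: str, listing: Dict[str, Any]) -> Set[str]:
    """Roles the recipient holds through direct (non-link) permission entries."""
    roles: Set[str] = set()
    for perm in listing.get("value", []):
        if "link" not in perm and email.lower() in _emails(perm):
            roles.update(perm.get("roles", []))
    return roles


def anonymous_link_ids(listing: Dict[str, Any]) -> List[str]:
    """Ids of anyone-with-the-link permissions, which requireSignIn does not cover."""
    return [p["id"] for p in listing.get("value", [])
            if p.get("link", {}).get("scope") == "anonymous"]


def explain_denial(status: int, body: Dict[str, Any], email: str, listing: Dict[str, Any]) -> str:
    """Pair a 403 body like the one in the question with what the listing shows."""
    if status != 403 or body.get("code") != "accessDenied":
        return "not an accessDenied response"
    roles = roles_granted_to(email, listing)
    if not roles:
        return "no direct grant for recipient; the invite did not create a permission"
    return f"direct grant present ({', '.join(sorted(roles))}); the 403 comes from the caller's identity or token, not from missing sharing"
```

Run it against a real listing by replacing SAMPLE_PERMISSIONS with the parsed JSON body of the permissions call made as User X; anonymous_link_ids is worth reviewing on its own, since such links grant access to anyone holding the URL.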

2 answers

  1. Xyza Xue_MSFT 26,356 Reputation points Microsoft Vendor
    2024-11-28T08:22:06.4266667+00:00

    Hi @Kuldeep Raj Tiwari ,

    Thank you for posting in this community.

    1. After my tests, POST /drives/{drive-id}/items/{item-id}/invite: Sends a sharing invitation for a driveItem. A sharing invitation provides permissions to the recipients and optionally sends them an email with a sharing link.

    It simply sends a clickable shared connection and does not grant you access to it using the API, you can simply view it via the email link.

    2. Also: GET https://graph.microsoft.com/v1.0/drives/b!Tf347mYdz0-zWP3yfpMv8HdcnCS7j3pLoP9_NjFW0tv6EGV3zO-ATYkUDVeXF4_q/items/01GA5MEKR4EKL6SI7HLVFJXC7RHOGC7SEE

    You can't access files in other people's OneDrive through the API. This is because the POST invite code you used above does not grant access, and secondly User Y from tenant B must exist as a guest member in tenant A to access User X's OneDrive.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Kuldeep Raj Tiwari 1 Reputation point
    2024-11-28T09:29:15.5833333+00:00

    Hi @Xyza Xue_MSFT

    Thanks for looking into the issue.
    After sending the invite call, I am able to see that the external user has been granted access, by clicking the Manage access button.
    Also, user Y from tenant B exists as a guest member in Tenant A.

    Please look into the issue again.
    Thanks!

