OneDrive Sharing and Graph "/invite" Endpoint Now Creating Guest Users?

Stephane Fagnan 81 Reputation points
2025-01-15T20:16:40.3233333+00:00

I have an application that integrates with OneDrive via the Graph API, and leverages OneDrive sharing features.

Recently I got a new Microsoft E5 dev license, and I've noticed that the sharing workflows and API results are different on this license than on my previous license, and the enterprise licenses of my clients that use the application. All instances are using v1 of the API.

On my new license, when I share a OneDrive file/folder using the "/invite" endpoint of the API, it adds the external email I'm sharing with as a Guest on my M365 tenant. It did not do this before.

The initial result of the API call to the /invite endpoint is the same as it was previously:

    [{
        'roles': ['read'],
        'grantedToIdentities': [{
            'user': {
                'email': '<external email>'
            }
        }],
        'invitation': {'signInRequired': True},
        'link': {
            'type': 'view',
            'webUrl': '<link URL>'
        }
    }]

However, if I share another file/folder with the same external email, the response is different:

    [{
        'id': '<permission ID>',
        'roles': ['read'],
        'grantedTo': {
            'user': {
                'email': '<external email>',
                'displayName': '<external email (minus domain)>'
            }
        }
    }]

As you can see, the response now contains "grantedTo" instead of "grantedToIdentity". The response also does not contain a link URL, and I need to perform an extra API call on the permissions of the shared item in order to find the link. This response format matches the responses I expect when I share with internal emails on my tenant, and I can see in the admin centre that the external email has been added as a Guest user.

With my old license, and my clients' licenses, external recipients were not added as guests on the M365 tenant, and sharing multiple drive items with the same external user always returned the same format of API response (always including the link URL).


Shared Item Access Workflow

With my new license, when I use the link to access the shared item with my external email, I am now prompted to provide permissions to my account for the OneDrive tenant (email and tenant domain redacted here for privacy):

I am also prompted to set up MFA:

With the previous workflow, I just had to enter my email address, then verify the email with a code. I was not prompted to grant permissions or set up MFA. This seems needlessly complicated for sharing drive items with external users, particularly those that are not tech-savvy.

Why is the sharing workflow so different on my new dev license? Can I adjust the settings on my tenant to prevent this, or is this how sharing will work going forward? If so, when can I expect this to change for my clients' license? I see no mention of this in the Graph API reference for the Invite endpoint, and I can't find any mention of the change online.

I've reviewed the sharing settings in the Sharepoint Admin Centre. However, these are identical to the settings on my old license. I've tried messing with the External Collaboration settings in Entra to prevent guest users from being created, but this prevents me from sharing with external users altogether. I can't find any other settings that may control this behaviour.

Please help!

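The two response shapes quoted in the question are easy to mishandle in integration code that assumes a link URL is always present. The following is an added example (not code from the question, the asker's application, or Microsoft) that builds the documented /invite request body, normalises either permission shape into one record, and flags external recipients who received a direct grant with no link, which is the symptom the question describes. The sample responses, the tenant domain `contoso.com`, and the recipient address are constructed for the example.

```python
"""Normalise the two permission shapes Graph's /invite endpoint can return.

Added example; sample data below is constructed, not captured from a tenant.
"""
from typing import Any, Dict, Iterable, List, Optional

# Shape 1 (constructed): first share with an external address, link present.
FIRST_SHARE: List[Dict[str, Any]] = [{
    "roles": ["read"],
    "grantedToIdentities": [{"user": {"email": "alice@example.org"}}],
    "invitation": {"signInRequired": True},
    "link": {"type": "view",
             "webUrl": "https://contoso-my.sharepoint.com/:f:/g/personal/EXAMPLE"},
}]

# Shape 2 (constructed): second share with the same address, no link returned.
SECOND_SHARE: List[Dict[str, Any]] = [{
    "id": "perm-id-placeholder",
    "roles": ["read"],
    "grantedTo": {"user": {"email": "alice@example.org", "displayName": "alice"}},
}]


def build_invite_body(email: str, roles: Iterable[str] = ("read",),
                      require_sign_in: bool = True, send_invitation: bool = True,
                      message: str = "") -> Dict[str, Any]:
    """Request body for POST /drives/{id}/items/{id}/invite (documented fields only)."""
    return {
        "recipients": [{"email": email}],
        "message": message,
        "requireSignIn": require_sign_in,
        "sendInvitation": send_invitation,
        "roles": list(roles),
    }


def normalize_permission(perm: Dict[str, Any]) -> Dict[str, Any]:
    """Collapse grantedTo / grantedToIdentities into one record.

    web_url is None when the response carried no link, which is the case where
    the caller must follow up with GET .../permissions to find it.
    """
    emails: List[str] = []
    for ident in perm.get("grantedToIdentities", []):
        user = ident.get("user") or {}
        if user.get("email"):
            emails.append(user["email"].lower())
    user = (perm.get("grantedTo") or {}).get("user") or {}
    if user.get("email"):
        emails.append(user["email"].lower())
    link: Optional[str] = (perm.get("link") or {}).get("webUrl")
    return {
        "id": perm.get("id"),
        "emails": emails,
        "roles": list(perm.get("roles", [])),
        "web_url": link,
        "needs_permissions_lookup": link is None,
    }


def normalize_invite_response(perms: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    return [normalize_permission(p) for p in perms]


def is_external(email: str, tenant_domains: Iterable[str]) -> bool:
    """True when the address's domain is not one of the tenant's own domains."""
    domain = email.rsplit("@", 1)[-1].lower()
    return domain not in {d.lower() for d in tenant_domains}


def audit_external_shares(perms: List[Dict[str, Any]],
                          tenant_domains: Iterable[str]) -> List[Dict[str, Any]]:
    """Flag external recipients that received a direct grant without a sharing link.

    In the question this pattern coincided with the recipient being provisioned as
    a guest user, so it is a useful thing to log or alert on.
    """
    findings = []
    for rec in normalize_invite_response(perms):
        ext = [e for e in rec["emails"] if is_external(e, tenant_domains)]
        if ext and rec["needs_permissions_lookup"]:
            findings.append({"permission_id": rec["id"], "external_recipients": ext})
    return findings


if __name__ == "__main__":
    print(build_invite_body("alice@example.org"))
    for sample in (FIRST_SHARE, SECOND_SHARE):
        print(normalize_invite_response(sample))
        print(audit_external_shares(sample, ["contoso.com"]))
```

In practice the audit function would run over the live response of each /invite call; a non-empty result is the signal to inspect the tenant's Entra B2B integration setting rather than to retry the share.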

Accepted answer
  1. Ling Zhou_MSFT 23,620 Reputation points Microsoft External Staff
    2025-01-16T05:43:26.75+00:00

    Hi @Stephane Fagnan,

    Thanks for your detailed explanation, I am more than willing to help you out.

    Question 1: /invite endpoint

    First of all, license does not affect the response to MS Graph requests.

    We suspect that there should be some difference between your two requests causing the response to be different. Here's the official documentation about the difference between "grantedTo" and "grantedToIdentity":


    We only distinguish between them when using the /permissions endpoint: grantedTo is used to add user access to a folder or file, while grantedToIdentity is used to add user access to a site.

    Reference: Granular permissions for working with files, list items and lists added to the Graph API!

    Note: Non-official, just for reference.

    If it is convenient, please share your two requests (including the body of the request) with me; we will need to do further research on your request to confirm why the problem is occurring. Please be careful not to disclose your private information.

    Question 2: Shared Item Access Workflow

    According to the image you provided, your external users are experiencing the Consent experience for the guest prompt.

    One possible reason is your tenant might have enabled Microsoft Entra B2B integration, which replaces the one-time passcode experience (SharePoint external authentication). This requires external users to use guest accounts. In this case, I recommend you contact your tenant admin or IT team and check if they have enabled the integration.

    This thread documents similar problems and you can see if the solution it offers works.

    Question 3: Setting up the MFA prompt.

    You are being prompted to set up Multi-Factor Authentication (MFA) because Microsoft has implemented security defaults to enhance account security. These defaults require all users to register for MFA to protect against identity-related attacks like password spray, replay, and phishing.

    To disable MFA for a specific user, you can follow these steps:

    1. Sign in to the Microsoft 365 admin center.
    2. Select the Users tab, and then select the user you want to change.
    3. On the user details page, scroll down to the Security & Permissions section.
    4. Click the Edit button and select Disable in the Multi-Factor Authentication drop-down menu.
    5. Click the Save Changes button to save your changes.

    If you don't have admin access, you'll need to contact your global admin to make these changes for you.

    To disable Multi-Factor Authentication (MFA) for your entire tenant, you need to adjust the security settings in the Microsoft Entra admin center (formerly Azure AD).

    Here are the steps:

    1. Sign in to the Microsoft Entra admin center as a security administrator, Conditional Access administrator, or global administrator.
    2. Navigate to Identity > Overview > Properties.
    3. Select Manage security defaults.
    4. Set Security defaults > Manage Conditional Access > click Multifactor authentication for Microsoft partners and vendors > set this policy to Off.
    5. Save your changes.

    If you have any questions, please do not hesitate to contact me.

    Moreover, if the issue can be fixed successfully, please click "Accept Answer" so that we can better archive the case and the other community members who are suffering the same issue can benefit from it.

    Your kind contribution is much appreciated.


1 additional answer

  1. Stephane Fagnan 81 Reputation points
    2025-01-16T23:56:51.7733333+00:00

    Based on @Ling Zhou_MSFT's reply I was able to determine that this has to do with SharePoint and OneDrive integration with Microsoft Entra B2B.

    I could not find a way to disable the integration in the Entra portal, but the article linked above gave me a PowerShell command to do it (with the "SharePoint Online Management" module):

    Connect-SPOService -Url https://{tenant}-admin.sharepoint.com
    Set-SPOTenant -EnableAzureADB2BIntegration $false

    I am now able to share with external users without them automatically being added as guests or being required to grant permissions and set up MFA.

