Share via

OneDrive: Receive statuscode 401 using the uploadUrl returned by createUploadSession if MFA is enabled for the authenticated user

Jan N 0 Reputation points
2025-02-07T09:40:53.4966667+00:00

Hi,

maybe someone here can help me. We have an implementation for OneDrive in our application, where we synchronise the files that our users create with us to their OneDrive.

The whole thing has been working like this for several years now. However, we are now receiving error messages stating that if a user has activated MFA for their Microsoft account, it is no longer possible to upload or back up the files.

We use the oAuth2.0 Authorisation Code Flow. Authentication via oAuth2.0 does not cause any problems.

I could replicate the issue. My account had not yet activated MFA and the API-Calls went through. After i've enabled MFA the issue occurred and started to receive 401 while using the uploadUrl.

We request the following scopes: 

Files.ReadWrite files.readwrite.appfolder offline_access

We create an upload session with the following call:

PUT https://graph.microsoft.com/v1.0/me/drive/special/approot:/./Documents/2025/Invoices/Invoice-1.pdf:/createUploadSession

and receive the following response


{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#microsoft.graph.uploadSession",
    "expirationDateTime": "2025-02-07T09:35:01.862Z",
    "nextExpectedRanges": [
        "0-"
    ],
    "uploadUrl": "https://my.microsoftpersonalcontent.com/personal/7898f6b97149d0dc/_api/v2.0/drive/items/01ZRWI7Z6JUWBJHTED3BA3JWKOSHUK5UJQ/uploadSession?guid='d590eeeb-cd93-42c1-8f7c-7d916fa812cf'&overwrite=True&rename=False&dc=0&tempauth={omittedAuth}"
}

We use the uploadUrl from the response for the following call:

PUT https://my.microsoftpersonalcontent.com/personal/7898f6b97149d0dc/_api/v2.0/drive/items/01Z
https://my.microsoftpersonalcontent.com/personal/7898f6b97149d0dc/_api/v2.0/drive/items/01ZRWI7ZZW26VAYIAGNBBJGKKVFSE6ZM2B/uploadSession?guid='9fbe3626-1422-4f81-bfe4-a3a7570d56e0'&overwrite=True&rename=False&dc=0&tempauth={omittedAuth}

and receive the following response:

{
    "error": {
        "code": "unauthenticated",
        "message": "Unauthenticated"
    }
}

This only happens if the user has activated MFA. If it is deactivated, all API calls go through successfully.

Can someone explain this behaviour to me? Does anyone have the same error?

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
13,328 questions
OneDrive
OneDrive
A Microsoft file hosting and synchronization service.
1,322 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Emi Zhang-MSFT 29,291 Reputation points Microsoft External Staff
    2025-02-10T01:56:22.8233333+00:00

    Hi,

    Since your question is related to code in OneDrive, I suggest you post the thread to the OneDrive for Developer development forum:

    https://techcommunity.microsoft.com/category/onedriveforbusiness/discussions/onedrivedeveloper

    The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us. Thank you for your understanding.

    If the response is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.