Read a shared one drive folder of a user in the .Net application

Question

Read a shared one drive folder of a user in the .Net application

Mihir Hundiwala 20

I need to create a program which will read the files and its meta data present in a folder. This folder will be a shared one drive folder from one of the user of my organization. I am confused as to how the program will read that folder.I know that we will have to use Microsoft graph API and will need an azure app registration.

My questions are:

Is it possible for a program (which has been given access to a folder) to read the folder's content?
What permissions do I need to give to the azure app?
Will it be delegated or application level permissions?
To whom will the user share this one drive folder with, if I use delegated flow, then the user will be sharing the folder with a service account email that will be used to authenticate graphClient but with whom will the user share the folder if the authentication is done without a user (i.e., application level flow and not delegated)?

If I use delegated, then I will have to create a graphClient on behalf of a user that has access to the shared folder right? Or do I need to use application level (for background programs or daemon services) permissions. the application level permission had "__ . __ . All" type of permissions. I dont want the app to access all the folders of all the users. The user will mention the folder on my website that needs to be read and I only want access to the shared folder, how can I achieve it?

0 additional answers

Your answer

Answer 1

Mohan Joshi-MSFT 580 Microsoft External Staff

Hi Mihir Hundiwala,

Thanks for reaching out to Microsoft!

Yes, it is possible for a program to read the contents of a shared OneDrive folder using the Microsoft Graph API. You will need to ensure that the program has the necessary permissions to access the folder.

https://learn.microsoft.com/en-us/onedrive/developer/rest-api/concepts/using-sharing-links?view=odsp-graph-online

The permissions required depend on whether you are using delegated or application-level permissions:

Delegated Permissions: These are used when your app is acting on behalf of a user. You will need permissions like Files.Read, Files.ReadWrite, or Files.Read.All
Application Permissions: These are used when your app is running as a background service or daemon. Permissions like Files.Read.All or Files.ReadWrite.All are required. However, these permissions grant access to all files in all site collections, which might be broader than what you need

https://learn.microsoft.com/en-us/onedrive/developer/rest-api/concepts/permissions_reference?view=odsp-graph-online

You will need the inputs from user like Email, Folder Name and sharing URL.

Even after verifying the above, if the issue still persists, I recommend you raise a support case with Microsoft Graph, a Support Engineer will be able to look into this issue and assist you better. You can raise support ticket from New support request - Microsoft Entra admin center or https://admin.microsoft.com/#/support/requests.

Hope this helps.

If the answer is helpful, please click Accept Answer and kindly upvote. If you have any further questions about this answer, please click Comment.

Mohan Joshi-MSFT 580 Reputation points Microsoft External Staff

2025-04-08T16:22:35.47+00:00

Hi Mihir Hundiwala,

Is there anything else I can help you with regarding this issue? If you still need further help, please feel free to let me know. If your question has been solved, then you can click "Accept Answer", which may help members with similar questions. Thank you very much!
Mihir Hundiwala 20 Reputation points

2025-04-09T05:36:46.0566667+00:00

Hi @Mohan Joshi-MSFT , thanks for taking your time for the query, according to the sources you have shared, if I am not wrong, my use case will need delegated permissions since I only want to access the folders shared to my service account and not all the files at all the sites. Please correct me if I am wrong.

Now my second question is about authorizing my app via the delegated way. I have been trying to authorize the graph client but I have not yet succeeded. Can you share the correct code template that I need to use for authentication and authorization using the client Id, tenant Id, client secret and email. My one drive account will be business one drive provided by the organization and I don't want any user intervention.
So in short, I want to login as a user using code.

Thank you.
Mohan Joshi-MSFT 580 Reputation points Microsoft External Staff

2025-04-11T08:17:00.9766667+00:00

Hi Mihir Hundiwala,

For your use case, delegated permissions are appropriate since you only want to access specific folders shared with your service account and not all files across all sites.

To authorize your app using delegated permissions without user intervention, you can use the OAuth 2.0 Resource Owner Password Credentials (ROPC) grant flow. This flow allows you to authenticate as a user using their username and password.
You can refer to below documentation:

https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth-ropc

https://learn.microsoft.com/en-us/graph/auth-v2-service?tabs=http

https://learn.microsoft.com/en-us/graph/sdks/choose-authentication-providers?tabs=csharp

If the issue still persists, I recommend you raise a support case with Microsoft Entra Identity team, a Support Engineer will be able to look into this issue and assist you better. You can raise support ticket from New support request - Microsoft Entra admin center or https://admin.microsoft.com/#/support/requests.

Is there anything else I can help you with regarding this issue? If you still need further help, please feel free to let me know. If your question has been solved, then you can click "Accept Answer", which may help members with similar questions. Thank you very much!
Mihir Hundiwala 20 Reputation points

2025-04-15T05:09:40.8366667+00:00

Finally, I just to want to confirm whether the OAuth ROPC flow require any user intervention, if I have the email and password of service account in my database I can directly use them in the program right?

Also, the second link wont really help me since it is app-only permissions. Is there something else that I have to look at in the second link?
Mohan Joshi-MSFT 580 Reputation points Microsoft External Staff

2025-04-15T07:57:29.32+00:00

Hi Mihir Hundiwala,

The OAuth 2.0 Resource Owner Password Credentials (ROPC) flow allows an application to directly handle the user's password to acquire tokens. This flow does not require user intervention if you have the email and password of the service account stored in your database.

Regarding the second link, it focuses on app-only permissions, which are used for background services or daemon apps that run without a signed-in user. Since you are looking to use delegated permissions, you can disregard the app-only permissions section. Instead, you should focus on the delegated permissions and the ROPC flow for your use case.

Is there anything else I can help you with regarding this issue? If you still need further help, please feel free to let me know. If your question has been solved, then you can click "Accept Answer", which may help members with similar questions. Thank you very much!
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Share via

Read a shared one drive folder of a user in the .Net application

0 additional answers

Your answer