Microsoft Graph API returns "generalException" when accessing user drive via delegated access

Question

Microsoft Graph API returns "generalException" when accessing user drive via delegated access

Bonow 20

Hi, I'm trying to download files from a specific user's OneDrive using the Microsoft Graph API via a Jenkins pipeline. I’m using the client credentials flow (delegated access), and I'm able to successfully retrieve the access token from Azure AD.

However, when I call the following endpoint:

GET https://graph.microsoft.com/v1.0/users/{userEmail}/drive

…I get the following error in response:

{ "error": { "code": "generalException", "message": "General exception while processing", "innerError": { "date": "2025-04-25T05:52:36", "request-id": "<something>", "client-request-id": "<something>" } } }

Things I've verified:

I’m successfully obtaining an access token using:

grant_type=client_credentials
- scope=https://graph.microsoft.com/.default

My app has the following delegated permissions granted with admin consent:

Files.Read.All
- Files.ReadWrite.All

The userEmail used in the URL is a valid UPN and exists in our Azure AD tenant.

Note: I have implemented the above configuration using my personal account, and it works correctly.

However, it does not work for another domain account.

For example:

******@abc.com — works
- ******@xyz.com — does not work

Rukmini 3,841 Reputation points Microsoft External Staff Moderator

2025-04-28T07:23:16.2333333+00:00
Hello @Bonow, I understand that you are trying to access OneDrive for another user and getting the error.

Client credential flow is not a delegated access, that means you are acting on behalf of the application, not a specific signed-in user.

Client credential flow requires application type API permissions, not delegated.

If you want to make use of delegated API permissions only then you need to make use of any user interactive flow to generate access token.

Hence if you want to access any user OneDrive in your Microsoft Entra ID tenant using Microsoft Entra ID application and using Client credential flow then you need to grant Application type API permission and generate access token.

Grant Admin consent to Files.ReadWrite.All application type API permission:

Generate access token:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/token client_id: ClientID client_secret: Secret scope: https://graph.microsoft.com/.default grant_type: client_credentials

Make sure role claim contains Files.ReadWrite.All by decoding the token:

Using the above access token, I am able to call Drive API successfully of another user residing in the tenant:

GET https://graph.microsoft.com/v1.0/users/{idOrUserPrincipalName}/drive

Hope this helps! Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.

Accepted answer

0 additional answers

Your answer

Rukmini 3,841 Reputation points Microsoft External Staff Moderator

2025-04-28T07:23:16.2333333+00:00

Hello @Bonow, I understand that you are trying to access OneDrive for another user and getting the error.

Client credential flow is not a delegated access, that means you are acting on behalf of the application, not a specific signed-in user.

Client credential flow requires application type API permissions, not delegated.

If you want to make use of delegated API permissions only then you need to make use of any user interactive flow to generate access token.

Hence if you want to access any user OneDrive in your Microsoft Entra ID tenant using Microsoft Entra ID application and using Client credential flow then you need to grant Application type API permission and generate access token.

Grant Admin consent to Files.ReadWrite.All application type API permission:

Generate access token:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/token client_id: ClientID client_secret: Secret scope: https://graph.microsoft.com/.default grant_type: client_credentials

Make sure role claim contains Files.ReadWrite.All by decoding the token:

Using the above access token, I am able to call Drive API successfully of another user residing in the tenant:

GET https://graph.microsoft.com/v1.0/users/{idOrUserPrincipalName}/drive

Hope this helps! Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.

Answer 1

Vasil Michev 119.5K MVP Volunteer Moderator

Delegated permissions can only be used to access drives to which the signed in user has been granted access, for your scenario it's best to use application permissions instead. Moreover, if you are leveraging the client credentials flow to obtain a token, you are already running with application permissions - make sure those are correctly added and consented to in the Entra portal. Use tools such as jwt.ms to decode your access token and confirm the permissions are correctly reflected therein.

Share via

Microsoft Graph API returns "generalException" when accessing user drive via delegated access

0 additional answers

Your answer