AD External user can't get access to personal One-Drive through .NET Core Web API using MS Graph API
Hi,
This has been troubling me for some time now most likely due to my lack of understanding of how things work. Although, I managed to secure both a Client React and a .NET Web API, I am still struggling with listing files of authenticated users from their personal One Drive account. So really the question is, can a member of a private organization/tenant have access to his/her One Drive from the applications secured by the same organization he/she belongs to without having an O365 personal license?
Back Story:
- I created a new tenant called Valhalla
- This tenant is linked to an O365 license
- I registered 2 apps, 1 Client React and 1 Web API
- I configured an access scope and added MS Graph proper scopes to the API. Most notably, Files.*
- I created 2 applications, 1 React Client and 1 .NET Core Web API
- React Client authenticates the client and uses the access token to communicate with the .NET Core Web API
- The .NET Core Web API in turn requests another token via the on-behalf-of flow to MS Graph
- Both applications are secured with the tenant and app registration information.
- Valkyrie is a new user invited and becomes a full member of the clan
- Valkyrie has no O365 license
- Valkyrie has only a personal One Drive
- Valkyrie wishes to see a listing of files from her personal One Drive account on the React Client
- Valkyrie gets the humiliating treatment of "notAllowed" followed by "You do not have access to create this personal site or you do not have a valid license"
- Valkyrie doesn't understand since the consent has been given by the admin
Implementation: The Postman way
Step 1: Authorization Code Flow
GET https://login.microsoftonline.com/Valhalla/oauth2/v2.0/authorize?
response_type=code&
client_id={My_React_Client_Id}&
scope=openid%20offline_access&
redirect_uri=http://localhost:3000/signin-oidc&
code_challenge={My_Code_Challenge}&
code_challenge_method=S256
Step 2: Request Access/Refresh Tokens
POST https://login.microsoftonline.com/Valhalla/oauth2/v2.0/token
redirect_uri: http://localhost:3000/signin-oidc
client_id: {My_React_Client_Id}
grant_type: authorization_code
scope: https://Valhalla.onmicrosoft.com/api/access.scope
code: {My_Code_From_Above}
code_verifier: {My_Code_Verifier}
Step 3: User Accesses Application Data
Step 4: On-Behalf-Of flow
Here the Web API requests a new token to call MS Graph to list Personal One Drive files
POST https://login.microsoftonline.com/Valhalla/oauth2/v2.0/token
client_id: {My_WebAPI_Client_Id}
grant_type: urn:ietf:params:oauth:grant-type:jwt-bearer
scope: https://graph.microsoft.com/.default
assertion: {Access_Token_From_Above}
requested_token_use: on_behalf_of
At this point I get an access token with the following scopes:
"scope": "profile openid email https://graph.microsoft.com/Files.Read https://graph.microsoft.com/Files.Read.All https://graph.microsoft.com/Sites.Read.All https://graph.microsoft.com/User.Read https://graph.microsoft.com/.default",
Step 5: Access MS Graph Resources
GET https://graph.microsoft.com/v1.0/me/drive/root/children
Authorization: Bearer + Token from above
Response:
{
  "error": {
    "code": "notAllowed",
    "message": "You do not have access to create this personal site or you do not have a valid license",
    "innerError": {
      "date": "2021-04-10T15:59:38",
      "request-id": "5d9c489d-6737-413f-88b9-c19ff93edf9d",
      "client-request-id": "5d9c489d-6737-413f-88b9-c19ff93edf9d"
    }
  }
}
Please help
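Added example, not from the post above and not Microsoft's own library code: it models Steps 4 and 5 in Python with injected HTTP callables so it runs offline, and it separates the license refusal quoted in Step 5 (an entitlement problem on the user) from an authorization failure (a token, scope or consent problem). The tenant name, client ids, secret and token values are placeholders; the OBO form carries the client secret that a confidential-client web API must send with the exchange.

```python
import json
from typing import Callable, Dict, List, Optional, Tuple

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
DRIVE_ROOT_URL = "https://graph.microsoft.com/v1.0/me/drive/root/children"

# The Step 5 error body from the post (trimmed), used here as offline sample input.
SAMPLE_GRAPH_ERROR = ('{"error":{"code":"notAllowed","message":"You do not have access to '
                      'create this personal site or you do not have a valid license",'
                      '"innerError":{"request-id":"5d9c489d-6737-413f-88b9-c19ff93edf9d"}}}')

def build_obo_form(api_client_id: str, api_client_secret: str, user_token: str) -> Dict[str, str]:
    """Form fields for the on-behalf-of exchange (Step 4). The web API is a confidential
    client, so it sends its own secret (or certificate assertion) next to the caller's token."""
    return {
        "client_id": api_client_id,          # placeholder: the Web API app registration id
        "client_secret": api_client_secret,  # placeholder: never ship this to the React client
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "scope": "https://graph.microsoft.com/.default",
        "assertion": user_token,             # the token the React client sent to the API
        "requested_token_use": "on_behalf_of",
    }

def classify_graph_error(body: str) -> Tuple[str, Optional[str]]:
    """Map Graph's error envelope to a cause plus the request-id support needs to trace it.
    A license refusal on /me/drive is an entitlement problem: more scopes will not fix it."""
    err = json.loads(body).get("error") or {}
    code, message = err.get("code", ""), err.get("message", "")
    request_id = (err.get("innerError") or {}).get("request-id")
    if code == "notAllowed" and "license" in message.lower():
        return "no-license", request_id      # user has no OneDrive to provision
    if code in ("accessDenied", "unauthenticated", "invalidRequest"):
        return "authz", request_id           # token, scope or consent problem
    return "other", request_id

def list_drive_root(tenant: str, api_client_id: str, api_client_secret: str,
                    user_token: str, post: Callable, get: Callable) -> Tuple[str, List[str]]:
    """OBO exchange then drive listing; post/get return (status, body) so no network is needed."""
    status, body = post(TOKEN_URL.format(tenant=tenant),
                        build_obo_form(api_client_id, api_client_secret, user_token))
    if status != 200:
        return "obo-failed", []
    graph_token = json.loads(body)["access_token"]
    status, body = get(DRIVE_ROOT_URL, {"Authorization": "Bearer " + graph_token})
    if status == 200:
        return "ok", [item["name"] for item in json.loads(body).get("value", [])]
    return classify_graph_error(body)[0], []
```

In a real API the `post` and `get` callables would wrap an HTTP client, and the "no-license" result is what the Valkyrie case above maps to.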