Graph API /me/drive/sharedWithMe regression: returns 1 item via ROPC; UI/Graph Explorer show 6 (worked until ~2 weeks ago)

Question

Graph API /me/drive/sharedWithMe regression: returns 1 item via ROPC; UI/Graph Explorer show 6 (worked until ~2 weeks ago)

Macri Alessandro 45

Using an App Registration with delegated ROPC (username+password) for a service account, GET https://graph.microsoft.com/v1.0/me/drive/sharedWithMe returns a single item (200 OK).
The same user signed in via OneDrive web UI and Graph Explorer sees six shared items.
App registration has User.Read and Files.ReadWrite.All scopes (admin consent granted).

The security team doesn't want to add Sites.Read.All scope for security purpose (i agree with them).
BTW, this worked correctly until ~two weeks ago (six shared items was returned); no configuration or code changes were made on our side since then.

We tried to investigate, but the configurations seems all ok.

The first time we encounter this issue was on 28th of October 2025 (on 27th all worked as expected). Some days after, it returned to work properly, and now it's around 1 week that the issue has returned.

Are there known limitations or behavioral differences for /me/drive/sharedWithMe when the token is obtained via ROPC (delegated) vs interactive login or Graph Explorer?

Are additional scopes, delegated permissions, or admin consents required to enumerate all items visible in the OneDrive UI when authenticating with ROPC (if i look at document page the answer is no, but maybe something changed)?

Can sharedWithMe results depend on browser/session signals, cached indexing, or transient metadata that Graph Explorer/OneDrive UI use but ROPC-based API calls do not?

Any other ideas?

Mikkel Munck Rasmussen 85 Reputation points

2025-11-12T07:50:42.2466667+00:00

I can confirm that I have the same issue
Tjian Lam 50 Reputation points

2025-11-12T08:14:48.9066667+00:00

I have the same problem and it is causing major issues within our company. We have been using the API for at least few years now and it suddenly broke last week between November 4th - 5th. This is unacceptable.
Andy Brewood 0 Reputation points

2025-11-12T11:40:22.7466667+00:00

Can confirm I noticed this sudden change in behaviour last week around 6th/7th Nov... it broke a bunch of our automations that need access to shared OneDrive folders.
Rosen Simov 0 Reputation points

2025-11-12T12:12:56.0233333+00:00

Same here, please escalate!
Macri Alessandro 45 Reputation points

2025-11-13T14:36:32.5233333+00:00

I opened a bug to Microsoft Team, waiting for check and answer
Josué Andrade Gomes 6 Reputation points

2025-11-14T12:21:52.4366667+00:00

I have the same issue with my desktop application. Tried several accounts and the problem is the same. I experimented to grant all possible permissions (scopes) trying to mimic Graph Explorer and still no success.
afeefa tk 0 Reputation points

2025-11-17T12:05:02.8933333+00:00

@Macri Alessandro Could you please share the ticket you have opened with Microsoft team

Did you get any updates or feedback ?
afeefa tk 0 Reputation points

2025-11-20T03:32:58.9+00:00

Any updates from Microsoft side ?
Macri Alessandro 45 Reputation points

2025-11-24T11:13:50.9466667+00:00

Update:

More than a week ago, a first team contacted me to investigate the problem, but they then referred me to the Italian support team (my native language).

The Italian support team (very helpful), after indicating that ROPC is deprecated and Microsoft discourages its use (Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials - Microsoft identity platform | Microsoft Learn) and after verifying some information I provided, forwarded the ticket to the SharePoint Online team, since they should be responsible for the issue.

In reality, I received this email (i think it's an auto-generated one) which makes me doubt whether the ticket will actually be considered from SPO Team, since it appears our subscription does not cover this issue. I am trying to understand internally if we can access MSH (Microsoft Service Hub), but if someone else can open another ticket, it can be helpful.
Macri Alessandro 45 Reputation points

2025-11-24T11:23:30.2533333+00:00

Now I understand: It is NOW deprecated https://learn.microsoft.com/en-us/graph/api/drive-sharedwithme?view=graph-rest-1.0&tabs=http
Josué Andrade Gomes 6 Reputation points

2025-11-24T14:46:53.3366667+00:00

While it is deprecated and scheduled to be removed in November 2027, it should still functions correctly. Anyway, we are suggesting our customers to create a shortcut from the shared item to "My Files" directory using OneDrive's web interface and then access the shared item from that directory.
Macri Alessandro 45 Reputation points

2025-11-26T11:17:28.16+00:00

If anyone has a TAM to speak with can you report the problem (we don't have one) and tell us the answers?
Macri Alessandro 45 Reputation points

2025-12-05T14:37:21.32+00:00
How to get "Shared with me" items from OneDrive using Microsoft Graph Search API (I cooked this solution with the help of GitHub Copilot)

The Problem

I needed to programmatically retrieve all folders shared with me from other users' OneDrive (the same list you see in the "Shared with me" view in the browser).

The obvious endpoint /me/drive/sharedWithMe only returned 1 item, while the browser showed 6 folders. This API seems unreliable for OneDrive for Business.

The Solution

Use the Microsoft Graph Search API with a KQL (Keyword Query Language) filter:

POST { "requests": [{ "entityTypes": ["driveItem"], "query": { "queryString": "isDocument:false AND path:\"<other-users-onedrive-base-path>\" AND -path:\"<my-onedrive-path>\"" }, "from": 0, "size": 500, "fields": ["name", "createdBy", "parentReference", "webUrl", "id"] }] }

KQL Query Breakdown

isDocument:false → Returns only folders, excludes files

path:"<base-path>" → Filters to only personal OneDrive items (e.g., https://contoso-my.sharepoint.com/personal/)

-path:"<my-path>" → Excludes items from my own OneDrive

Key Findings

/me/drive/sharedWithMe is unreliable for OneDrive for Business - it doesn't return all shared items

Search API works perfectly - returns all items that match the criteria

KQL path: filter works with URL prefixes - you can filter by the OneDrive base URL to get only personal OneDrive items (excluding SharePoint sites)

Deduplication may be needed - Search API can return duplicates, so filter by item ID

Authentication

I used MSAL with ROPC (Resource Owner Password Credentials) flow with a service account. The app registration needs Files.ReadWrite.All and Sites.Read.All permissions.

Result

Now I can retrieve exactly the same 6 folders that I see in the browser's "Shared with me" view!

HTH

1 answer

Your answer

Mikkel Munck Rasmussen 85 Reputation points

2025-11-12T07:50:42.2466667+00:00

I can confirm that I have the same issue
Tjian Lam 50 Reputation points

2025-11-12T08:14:48.9066667+00:00

I have the same problem and it is causing major issues within our company. We have been using the API for at least few years now and it suddenly broke last week between November 4th - 5th. This is unacceptable.
Andy Brewood 0 Reputation points

2025-11-12T11:40:22.7466667+00:00

Can confirm I noticed this sudden change in behaviour last week around 6th/7th Nov... it broke a bunch of our automations that need access to shared OneDrive folders.
Rosen Simov 0 Reputation points

2025-11-12T12:12:56.0233333+00:00

Same here, please escalate!
Macri Alessandro 45 Reputation points

2025-11-13T14:36:32.5233333+00:00

I opened a bug to Microsoft Team, waiting for check and answer
Josué Andrade Gomes 6 Reputation points

2025-11-14T12:21:52.4366667+00:00

I have the same issue with my desktop application. Tried several accounts and the problem is the same. I experimented to grant all possible permissions (scopes) trying to mimic Graph Explorer and still no success.
afeefa tk 0 Reputation points

2025-11-17T12:05:02.8933333+00:00

@Macri Alessandro Could you please share the ticket you have opened with Microsoft team

Did you get any updates or feedback ?
afeefa tk 0 Reputation points

2025-11-20T03:32:58.9+00:00

Any updates from Microsoft side ?
Macri Alessandro 45 Reputation points

2025-11-24T11:13:50.9466667+00:00

Update:

More than a week ago, a first team contacted me to investigate the problem, but they then referred me to the Italian support team (my native language).

The Italian support team (very helpful), after indicating that ROPC is deprecated and Microsoft discourages its use (Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials - Microsoft identity platform | Microsoft Learn) and after verifying some information I provided, forwarded the ticket to the SharePoint Online team, since they should be responsible for the issue.

In reality, I received this email (i think it's an auto-generated one) which makes me doubt whether the ticket will actually be considered from SPO Team, since it appears our subscription does not cover this issue. I am trying to understand internally if we can access MSH (Microsoft Service Hub), but if someone else can open another ticket, it can be helpful.
Macri Alessandro 45 Reputation points

2025-11-24T11:23:30.2533333+00:00

Now I understand: It is NOW deprecated https://learn.microsoft.com/en-us/graph/api/drive-sharedwithme?view=graph-rest-1.0&tabs=http
Josué Andrade Gomes 6 Reputation points

2025-11-24T14:46:53.3366667+00:00

While it is deprecated and scheduled to be removed in November 2027, it should still functions correctly. Anyway, we are suggesting our customers to create a shortcut from the shared item to "My Files" directory using OneDrive's web interface and then access the shared item from that directory.
Macri Alessandro 45 Reputation points

2025-11-26T11:17:28.16+00:00

If anyone has a TAM to speak with can you report the problem (we don't have one) and tell us the answers?
Macri Alessandro 45 Reputation points

2025-12-05T14:37:21.32+00:00

How to get "Shared with me" items from OneDrive using Microsoft Graph Search API (I cooked this solution with the help of GitHub Copilot)

The Problem

I needed to programmatically retrieve all folders shared with me from other users' OneDrive (the same list you see in the "Shared with me" view in the browser).

The obvious endpoint /me/drive/sharedWithMe only returned 1 item, while the browser showed 6 folders. This API seems unreliable for OneDrive for Business.

The Solution

Use the Microsoft Graph Search API with a KQL (Keyword Query Language) filter:

POST { "requests": [{ "entityTypes": ["driveItem"], "query": { "queryString": "isDocument:false AND path:\"<other-users-onedrive-base-path>\" AND -path:\"<my-onedrive-path>\"" }, "from": 0, "size": 500, "fields": ["name", "createdBy", "parentReference", "webUrl", "id"] }] }

KQL Query Breakdown

isDocument:false → Returns only folders, excludes files

path:"<base-path>" → Filters to only personal OneDrive items (e.g., https://contoso-my.sharepoint.com/personal/)

-path:"<my-path>" → Excludes items from my own OneDrive

Key Findings

/me/drive/sharedWithMe is unreliable for OneDrive for Business - it doesn't return all shared items

Search API works perfectly - returns all items that match the criteria

KQL path: filter works with URL prefixes - you can filter by the OneDrive base URL to get only personal OneDrive items (excluding SharePoint sites)

Deduplication may be needed - Search API can return duplicates, so filter by item ID

Authentication

I used MSAL with ROPC (Resource Owner Password Credentials) flow with a service account. The app registration needs Files.ReadWrite.All and Sites.Read.All permissions.

Result

Now I can retrieve exactly the same 6 folders that I see in the browser's "Shared with me" view!

HTH

Answer 1

It appears that you are experiencing inconsistencies with the /me/drive/sharedWithMe endpoint when using the ROPC (Resource Owner Password Credentials) flow. Here are some points to consider regarding your situation:

Behavioral Differences: The behavior of the /me/drive/sharedWithMe endpoint may vary based on the authentication method used. ROPC does not provide the same context as an interactive login, which could lead to differences in the items returned. The Graph Explorer and OneDrive UI may utilize additional session information or caching mechanisms that are not available in ROPC.
Permissions: While you have the User.Read and Files.ReadWrite.All permissions, it is important to note that certain permissions may be required to access specific shared items. Although the documentation suggests that additional permissions should not be necessary, changes in the API or underlying data structures could affect this behavior.
Caching and Indexing: The results from the Graph API can indeed be influenced by caching and indexing. The OneDrive UI and Graph Explorer might have access to cached data or metadata that is not reflected in API calls made via ROPC, potentially leading to discrepancies in the number of items returned.
Transient Issues: Since you mentioned that this issue has appeared intermittently, it is possible that there are transient issues with the Graph API or the underlying services that may affect the results returned. Monitoring for patterns or specific conditions when the issue arises could provide further insights.
Consideration for Additional Scopes: While your security team is cautious about adding Sites.Read.All, it may be worth discussing the implications of this permission in the context of your application's functionality. If the shared items are stored in a way that requires this permission, it may be necessary to revisit this decision.

In summary, the differences in behavior you are observing could stem from the nature of ROPC authentication, potential caching mechanisms, and the specific permissions granted to your application. It may be beneficial to test with different authentication methods or to consult the Microsoft Graph documentation for any recent changes that could impact the API's behavior.

References:

Share via

Graph API /me/drive/sharedWithMe regression: returns 1 item via ROPC; UI/Graph Explorer show 6 (worked until ~2 weeks ago)

The Problem

The Solution

KQL Query Breakdown

Key Findings

Authentication

Result

1 answer

Your answer