Issue with generating document preview using OneDrive/Sharepoint REST API

Question

Hi,

Our application's sharepoint integration is encountering an error when opening document preview URLs generated using the Microsoft Graph POST /drives/{driveId}/items/{itemId}/preview API for SharePoint (OneDrive for Business) files. The preview URL is generated successfully and returned by the API, but opening the URL sometimes results in a error:

The item might not exist or is no longer available

This item might have been deleted, expired or you might not have permission

to view it. Contact the owner of this item for more information.

API docs page I referred when developing this feature previously:

https://learn.microsoft.com/en-us/onedrive/developer/rest-api/api/driveitem_preview

I know that

• The file exists in SharePoint, has user permissions
• The preview URL is freshly generated (not cached or reused)
• The same file is accessible via /createLink edit/view URLs (though requires authentication on web, hence we dont want to use the "view" parameter)

Additional Context: Access Token and Permissions

Following are the permissions that my app-registration has:

• Domain.Read.All (application)
• Files.ReadWrite.All (application)
• User.Read (delegated)

And I get the access token POST https://login.microsoftonline.com/<tenantid>/oauth2/v2.0/token API with following parameters

{

  "client_id": "<client-id>",

  "client_secret": "client-secret",

  "scope": "https://graph.microsoft.com/.default",

  "grant_type": "client_credentials"

}

This application access-token is then used to call the /preview API.

I also have discovered some suggestions on using delegated-user tokens for /preview. But MS Graph documentation says the /preview API supports Application permissions, and this approach has worked fine for our app, until now.

I want to know:

• Why this scenario is failing in particular casess?
• Whether this behavior is expected or has changed recently?
• Whether there is a supported way to reliably use /preview with app-only tokens, or if user-delegated tokens are now required for consistent behavior?

Answer 1

Hi Chanakya (Unifize),

Thank you for posting your question in the Microsoft Q&A forum.

Based on the latest documentation for the driveItem: preview endpoint, the behavior you have observed is actually expected and aligns with the Caution section of the API.

The documentation explains that preview URLs are rendered on behalf of the calling identity and are not intended to be shared with other users. When using application (app‑only) permissions, the preview is generated under the app’s identity, not under an end user’s identity. Therefore, when an end user attempts to open this URL directly, they may not have the same permissions or authentication context as the application, which results in the error message you are seeing.

Because of this design, there are only two supported approaches if you want reliable preview behavior for end users:

1. Use /createLink to generate a shareable viewing link (subject to your organization’s sharing policies), or
2. Use delegated (per‑user) access tokens, allowing the preview URL to be opened by the same user identity that generated it.

You won’t be able to use a preview URL generated with application permissions as a general-purpose link to share with other users.

I hope this clarification is helpful. Let me know if you need further assistance.

---

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". 

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.