I am trying a Graph API endpoint for an external user (has a Microsoft personal account in o365 and is invited as a guest user from Azure AD). The same external user has been given access (Share) to a specific SharePoint site and can log in to SharePoint directly to view/access files/folders. I am trying the following endpoint from Postman, via Authorized user credential. I get the access token after being prompted for Microsoft Online login (Email and Password), and I pass the same token to the Graph API POST request: https://graph.microsoft.com/v1.0/sites/myCompanyName.sharepoint.com/drives/{drive-id}/root/children
I get an unauthorized response from the Graph endpoint. But then I open the SharePoint site and log in as the external user in a separate Chrome incognito window. First, it doesn't ask for my credentials (which I just provided for the Postman request). Then I go back to Postman and click the Send button, and now I get all the data as expected.
I am working on a prototype using MVC ASP.NET C# (not Core) to test if Graph API/SDK can be used in our project. This is a strange issue and I have the same experience while running the .NET application. From my .NET MVC app, I can get an On Behalf Of token for the external user and pass it to Graph API/SDK, but it fails. But when I open the SharePoint site for the same site and same user, and make a retry attempt on the .NET app, everything works as expected.
Note: While executing the same code (.NET) as an internal user, I never run into any issues. It points to the configuration of the external user (Microsoft online account - personal) in Azure AD or SharePoint. But I verified all access and permissions, and everything seems OK. Microsoft support mentioned an error code SiteExtranetUsersDisabled which stops me from accessing (and possibly when I log in to the SharePoint site, it recognizes me via SSO and allows my access till the access token expires!). Has anyone had the same/similar issues?