Accessing publicly shared files/folders via Graph API

Question

Accessing publicly shared files/folders via Graph API

Mateusz Bialek 1

Hello,

I'm developing a program that should access the files that are shared "to anyone with the link". I need to do it with my developer account so the user won't be prompted to login (I use application permissions), however after many tries I can't find the proper way to do it.

Currently I am using a free test developer tenant (further called developer account) which will be used by my app and my private account, from which I want to get files/folders.

What I want to achieve is to be able to access the folder and its contents that was shared by anyone from his/her personal OneDrive in my app, using the credentials created in developer account. I've created App Registration, created Client Secret, added Application Permissions (Files.ReadWrite.All) and am able to get the token correctly via API:

(POST) https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token  
using correct   
"tenant",  
"client_id",  
and "client_secret" parameters,   
"scope": "https://graph.microsoft.com/.default"  
and "grant_type": "client_credentials"

Next I get the shareable link to the folder from my personal OneDrive and I encode it as instructed here.

However when I'm trying to access it via API I get the 403 Forbidden status and the message:

(GET) https://graph.microsoft.com/v1.0/shares/<correctlyEncodedURL>  
{  
    "error": {  
        "code": "accessDenied",  
        "message": "The sharing link no longer exists, or you do not have permission to access it.",  
        "innerError": {  
            "date": "2022-06-01T01:21:40",  
            "request-id": "1ba25cb7-6557-42ca-b046-e63a9dff65ae",  
            "client-request-id": "1ba25cb7-6557-42ca-b046-e63a9dff65ae"  
        }  
    }  
}

I know that the Bearer Token is correct, because the /shares/ request works properly when accessing files or folders created in the developer OneDrive, inside the test tenant. I want however to be able to access ALL publicly accessible files...

Furthermore, during my investigation I was also trying to set it from the API context, thinking that maybe the problem is somehow incorrectly shared file, so I used the Graph Explorer as below:

(POST) https://graph.microsoft.com/v1.0/drives/<driveID>/items/<itemID>/createLink  

{  
  "type": "view",  
  "scope": "anonymous"  
}

using credentials from the private account. It works, I get the ShareId value and also a WebUrl value.

Using Graph Explorer, I can access the folder using (GET) https://graph.microsoft.com/v1.0/shares/<ShareID> or https://graph.microsoft.com/v1.0/shares/<encodedWebURL> but ONLY when signed in with my private account. I get proper id, @odata.context etc.

When using developer account the result is the same as above - "The sharing link no longer exists, or you do not have permission to access it."

I will really appreciate if you help me find the solution to my problem.

Thanks,
Mateusz

CarlZhao-MSFT 46,431 Reputation points

2022-06-01T10:31:34.443+00:00

Hi @MateuszBiaek-3997, let me research this issue.
Vicky Kumar (Mindtree Consulting PVT LTD) 1,161 Reputation points Microsoft Employee

2022-06-03T08:27:54.287+00:00

Hi @MateuszBiaek-3997
Thanks for reaching out to us, I wondered if you have the required permission for your developer account, could you please get the permission details of the shared folder - GET /me/drive/items/{item-id}/permissions/{perm-id}
ref doc - https://learn.microsoft.com/en-us/graph/api/permission-get?view=graph-rest-1.0&tabs=http

you can check the perm-id from list of permissions - GET /me/drive/items/{item-id}/permissions
ref doc - https://learn.microsoft.com/en-us/graph/api/driveitem-list-permissions?view=graph-rest-1.0&tabs=http

Mateusz Bialek 1

Hello!

Here's what I get after requesting the permission details for the read permission:

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users('ernshow%40o2.pl')/drive/items('E22241F7EB2214%21436')/permissions/$entity",
    "id": "xkHG7NRcO82nz6ks_5BuOjqSWy8",
    "roles": [
        "read"
    ],
    "shareId": "s!AhQi6_dBIuIAgzRHkbhlm7-K6ixz",
    "expirationDateTime": "0001-01-01T00:00:00Z",
    "hasPassword": false,
    "link": {
        "type": "view",
        "webUrl": "https://1drv.ms/u/s!AhQi6_dBIuIAgzRHkbhlm7-K6ixz",
        "application": {
            "id": "4c1ad100"
        }
    }
}

Mateusz Bialek 1 Reputation point

2022-06-04T13:43:54.233+00:00
I achieved it using Graph Explorer on my personal account, which I'm using right now (******@o2.pl).

Then I tried to enter the link "webUrl" in private mode in my browser, it works fine, giving read access without any need to login. However when I click Login and try to authenticate with my developer account, I get information that such account does not exist...

I'm curious if it has something in common with the developer account being the "company" account and not personal Microsoft account. Maybe that's the problem? However I still don't understand this behaviour...

Moreover when I'm trying to execute the GET /shares/{shareID} (i.e. /shares/s!AhQi6_dBIuIAgzRHkbhlm7-K6ixz) request with this dev account logged into Graph Explorer, I get such 400 error:

"code": "invalidRequest", "message": "The provided share id was malformed."
Vicky Kumar (Mindtree Consulting PVT LTD) 1,161 Reputation points Microsoft Employee

2022-06-07T06:42:33.997+00:00

Sorry, as you mentioned in starting you got access denied error with "message": "The sharing link no longer exists, or you do not have permission to access it.", but now you got 400 with error: "account not found" which make us confused to find out the actual problem .could you please explain the issue again with a related screenshot what you are doing and request id and timestamp of the error , which will help us to find out the actual problem, Thanks .
Mateusz Bialek 1 Reputation point

2022-06-07T11:29:58.373+00:00
The difference occurs when using sharing link or encoded url. It works both ways for personal account, for developer account it shows "The provided share id was malformed." for sharing link (s!AhQi6_dBIuIAgzRHkbhlm7-K6ixz) and "The sharing link no longer exists, or you do not have permission to access it." for encoded url (u!aHR0cHM6Ly9vbmVkcml2ZS5saXZlLmNvbS8_YXV0aGtleT0lMjFBRWVSdUdXYnY0cnFMSE0maWQ9RTIyMjQxRjdFQjIyMTQlMjE0MzYmY2lkPTAwRTIyMjQxRjdFQjIyMTQ).

Here I attach screenshots with request ids:

Encoded personal account

"request-id": "d2b583c7-b73c-4b14-89b3-fb5df8c5c8b4"

Sharing link personal account

"request-id": "7d9fbdad-cd46-494b-9e11-c670ab8cea0c"

Encoded url dev account

"request-id": "4624caf9-9744-4ee0-a067-fd6c6cbd045d" "date": "2022-06-07T11:27:11"

Sharing link dev

"request-id": "43a015da-c825-4452-872b-ae44c4f0002c"
Mateusz Bialek 1 Reputation point

2022-06-13T12:51:46.34+00:00

@Vicky Kumar (Mindtree Consulting PVT LTD) @CarlZhao-MSFT
Do you have any ideas towards the problem?
Mateusz Bialek 1 Reputation point

2022-07-19T23:53:48.893+00:00

@CarlZhao-MSFT @Vicky Kumar (Mindtree Consulting PVT LTD)

Hello, is there any chance for the answer? :)
AppAdmin 0 Reputation points

2023-10-12T13:40:16.8066667+00:00

Hello Mateusz, did you ever manage to resolve your issue? I have exactly the same error message and have done most of the research you have done, but can't seem to find a solution.