Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Namespace: microsoft.graph
Important
APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
Acquire an exclusive lock on a file represented by a driveItem, or extend an existing lock you already hold. While the lock is held, other users are prevented from acquiring a lock on the same file. The lock automatically expires after the duration specified in the request elapses.
Note
This API applies only to driveItems that represent files. Locks can't be applied to folders or other non-file driveItems. Requests that target a non-file driveItem are rejected with 400 Bad Request.
A single endpoint handles both initial acquisition and refresh. The server determines which behavior applies based on the file's current lock state and the caller's identity. The caller doesn't need to track whether they previously locked the file, and doesn't need to manage a lock identifier.
Only exclusive locks are currently supported.
Permissions
Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
| Permission type | Least privileged permissions | Higher privileged permissions |
|---|---|---|
| Delegated (work or school account) | Files.ReadWrite | Files.ReadWrite.All, Sites.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. | Not supported. |
| Application | Files.ReadWrite.All | Sites.ReadWrite.All |
Note
SharePoint Embedded requires the FileStorageContainer.Selected permission to access the content of the container. This permission is different from the ones mentioned previously. In addition to Microsoft Graph permissions, your app must have the necessary container type permissions to call this API. For more information, see SharePoint Embedded authentication and authorization.
HTTP request
POST /drives/{drive-id}/items/{item-id}/lock
Request headers
| Name | Description |
|---|---|
| Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
| Content-Type | application/json. Required. |
Request body
In the request body, supply a JSON representation of the lock parameters.
| Property | Type | Required | Description |
|---|---|---|---|
| durationMinutes | Int32 | Yes | Lock duration in minutes. Must be between 1 and 30 minutes. The lock expires at the request time plus this value. |
The lock identifier and lock type are server-determined and must not be provided by the caller.
Response
The server determines whether this request acquires a new lock or refreshes an existing one based on the file's current lock state and the caller's identity:
| Current state | Caller identity | Action |
|---|---|---|
| File isn't locked, or the existing lock expired. | Any caller with permission. | Acquire a new lock. |
| File is locked, and the caller holds the lock. | Same caller as the lock owner. | Refresh the existing lock; expirationDateTime is updated. |
| File is locked by another user. | Different caller. | Return 409 Conflict. The caller can't acquire a lock until the existing lock is released or expires. |
If successful, this method returns a 200 OK response code and a lockInfo resource in the response body.
This method returns the following error response codes.
| HTTP code | Description |
|---|---|
| 400 | Bad request. The durationMinutes is missing, non-positive, or exceeds the 30-minute maximum. Also returned when the target driveItem isn't a file (for example, a folder). |
| 401 | Request lacks valid authentication credentials. |
| 403 | The caller doesn't have permission to lock this file. |
| 404 | The driveItem wasn't found at the specified path. |
| 409 | The file is locked by another user. The caller must wait for the existing lock to be released or expire before acquiring a new lock. |
For more information about how errors are returned, see Error responses and resource types for differences between Microsoft Graph for Microsoft accounts and Microsoft Graph for work or school accounts.
Examples
Example 1: Acquire a lock on an unlocked file
Request
The following example shows a request.
POST https://graph.microsoft.com/beta/drives/{drive-id}/items/{item-id}/lock
Content-Type: application/json
{
"durationMinutes": 30
}
Response
The following example shows the response.
HTTP/1.1 200 OK
Content-Type: application/json
{
"lockType": "exclusive",
"expirationDateTime": "2026-05-13T14:30:00Z",
"createdDateTime": "2026-05-13T14:00:00Z"
}
Example 2: Refresh an existing lock the caller already holds
The request body is identical to the acquire case; only the file's current state differs.
Request
The following example shows a request.
POST https://graph.microsoft.com/beta/drives/{drive-id}/items/{item-id}/lock
Content-Type: application/json
{
"durationMinutes": 10
}
Response
The following example shows the response. The expirationDateTime is updated.
HTTP/1.1 200 OK
Content-Type: application/json
{
"lockType": "exclusive",
"expirationDateTime": "2026-05-13T14:39:00Z",
"createdDateTime": "2026-05-13T14:00:00Z"
}
Remarks
- Only exclusive locks are currently supported. The lockType in the response is always
exclusive. - Lock duration is capped at 30 minutes per request. For longer holds, call this API again before the existing lock expires; the call is automatically handled as a refresh.
- The new expirationDateTime is calculated as the request time plus durationMinutes; it replaces the prior expiration rather than extending it. Calling with a shorter duration than the time remaining effectively reduces the lock window.
- The createdDateTime and expirationDateTime are returned in UTC.
- This API is idempotent and retry-safe: if a network failure leaves the caller uncertain whether the lock succeeded, retrying naturally results in a refresh (if the first call succeeded) or a fresh acquire (if it didn't).