MS Graph daemon application gets 401 Unauthorized on all Files.ReadWrite.All calls

UPDATE: I received a notification from Microsoft that this problem is a bug in the Graph API. They are working on a solution.

I use the new OAuth v2.0 flow to authenticate my application for use with Microsoft Graph so that it can list any user's files, upload and download files from any OneDrive user, and set file permissions. This is without a user logging in; it runs as a service account / daemon.

I registered a new “Converged Application” in the new application registration portal. I added all the required scopes / application permissions, including Files.ReadWrite.All. (I really checked all the possible boxes ...) According to the Microsoft Graph docs, this should be the only scope needed when calling the endpoints that interest me:

/v1.0/users/{userID}/drive
/v1.0/users/{userID}/drive/items/{ItemID}/children
/v1.0/users/{userID}/drive/items/{ItemID}/content
/v1.0/users/{userID}/drive/items/{ItemID}/invite
/v1.0/users/{userID}/drive/items/{ItemID}/createLink

Then I followed the documentation for Client Credentials, including granting Admin Consent for the application in my tenant.

I successfully receive an access token. After receiving it, I double-checked on jwt.io that the token actually contains all the scopes (including Files.ReadWrite.All).

I can use this access token to get any user's drive and list any user's files (the first two endpoints listed above). I also tried getting thumbnails of any user's files, which works fine. But as soon as I try to upload a file, add permissions to a file or create a sharing link (the last three endpoints listed above), I get a 401 Unauthorized error. From this I assume that the Files.Read.All scope works fine, but the Files.ReadWrite.All scope does not.

From what I can understand of the permissions documentation, the scopes I'm trying to use should work. In the "Application-Only Permissions Requiring Administrator Permissions" section it describes Files.ReadWrite.All as:

Allows an application to read, create, update, and delete all files in all site collections without a signed-in user.

I've hit a wall. Are there any restrictions on the new OAuth v2.0 and / or Microsoft Graph token regarding app-only access that I am missing?

+8
azure-active-directory onedrive microsoft-graph
1 answer

Closing the loop for those who stumble on this issue. There was a problem with Files.ReadWrite.All in app-only flows when uploading or changing file permissions.

The download problem is unrelated. Authorization errors when downloading a file are caused by passing the Authorization header in the download request. The /content/ endpoint returns a URL that can be used to download the file. This is a pre-authenticated URL that is valid only for a short period of time. Passing the Authorization header in that request fails because the endpoint does not expect such a header and cannot determine which credentials it should use (an oversimplification, but that's the general idea).

0
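As an added example (not code from the question, the answer or Microsoft), the following Python shows the two checks a practitioner would want from this thread: first, that an app-only token actually carries the application permission the question relies on (app-only tokens list granted application permissions in the `roles` claim, which is what jwt.io displays), and second, the two-step `/content` download the answer describes, where the Bearer header is sent to Graph but dropped when following the redirect to the short-lived pre-authenticated URL. The token endpoint, `grant_type` and `.default` scope are the standard v2.0 client-credentials parameters; the unsigned sample token, the `fake_graph_get` transport and the `constructed-download.invalid` host are constructed here so the code runs offline, and `http_get` is an injected callable rather than a real HTTP client.

```python
import base64
import json
from urllib.parse import urlsplit

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH = "https://graph.microsoft.com"
# Constructed sample values; replace with real tenant / item identifiers.
ITEM_CONTENT_URL = GRAPH + "/v1.0/users/user-id-placeholder/drive/items/item-id-placeholder/content"
PREAUTH_HOST = "https://constructed-download.invalid"


def client_credentials_request(tenant, client_id, client_secret):
    """Build the v2.0 client-credentials token request: (url, form fields).
    Send the fields as application/x-www-form-urlencoded with any HTTP client."""
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH + "/.default",  # v2.0: ask for all consented app permissions
    }
    return TOKEN_ENDPOINT.format(tenant=tenant), form


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def make_unsigned_token(claims):
    """Constructed helper: build an alg=none JWT so the decoder can be exercised offline."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return header + "." + payload + "."


def jwt_claims(token):
    """Decode a JWT payload for inspection only (no signature verification, like jwt.io)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def missing_app_roles(token, required):
    """App-only tokens carry application permissions in `roles`, not `scp`.
    Returns the required permissions the token does NOT contain (sorted)."""
    granted = set(jwt_claims(token).get("roles", []))
    return sorted(set(required) - granted)


def headers_for_redirect(original_url, redirect_url, headers):
    """Drop Authorization when a redirect leaves the original host: the pre-authenticated
    download URL neither expects nor can use the Graph bearer token, and forwarding a
    bearer token to another host is a credential leak in general."""
    same_host = urlsplit(original_url).netloc.lower() == urlsplit(redirect_url).netloc.lower()
    if same_host:
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() != "authorization"}


def download_content(http_get, item_url, token):
    """Two-step /content download. `http_get(url, headers)` -> (status, headers, body).
    Step 1 hits Graph with the bearer token and expects a 302; step 2 follows Location
    with the headers filtered by headers_for_redirect(). Returns (status, body)."""
    auth = {"Authorization": "Bearer " + token}
    status, resp_headers, body = http_get(item_url, auth)
    if status == 302 and "Location" in resp_headers:
        location = resp_headers["Location"]
        status, resp_headers, body = http_get(location, headers_for_redirect(item_url, location, auth))
    return status, body


def fake_graph_get(url, headers):
    """Constructed offline transport that mimics the behaviour the answer describes:
    Graph requires the bearer header and answers 302; the pre-authenticated host
    rejects any Authorization header and otherwise serves the file."""
    has_auth = any(k.lower() == "authorization" for k in headers)
    if urlsplit(url).netloc == "graph.microsoft.com":
        if not has_auth:
            return 401, {}, b""
        return 302, {"Location": PREAUTH_HOST + "/blob?tempauth=constructed"}, b""
    if has_auth:
        return 401, {}, b""
    return 200, {}, b"file-bytes"


if __name__ == "__main__":
    tok = make_unsigned_token({"roles": ["Files.Read.All", "Files.ReadWrite.All"]})
    print("missing:", missing_app_roles(tok, ["Files.ReadWrite.All"]))
    print("download:", download_content(fake_graph_get, ITEM_CONTENT_URL, tok))
```

If `missing_app_roles` reports a permission as absent even though it was added in the portal, admin consent has not been granted (or a token issued before consent is still cached); if it is present and a 401 persists on write calls, the service-side problem the answer references is the remaining explanation. For downloads, most HTTP clients strip `Authorization` on cross-host redirects themselves, but clients that follow redirects manually, or that set the header at the session level, reproduce exactly the failure the answer describes.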
