OneDrive Business Shared Folders: Unable to sync shared folders, shared from outside organisation #1301

Closed
1 of 3 tasks
abraunegg opened this issue Jun 23, 2020 · 9 comments
Labels
area:Docs no-recent-activity status:answered status:backlogged Something that we are considering on our internal backlog for the future

Comments

@abraunegg

Category

  • Question
  • Documentation issue
  • Bug

Expected or Desired Behavior

The response of https://graph.microsoft.com/v1.0/me/drive/sharedWithMe should provide all resources shared with me, not just objects from my organisation.

Observed Behavior

Shared folders, shared with you from people outside of your 'organisation' are unable to be synced. This is due to the Microsoft Graph API not presenting these folders.

Shared folders that match this scenario, when you view 'Shared' via OneDrive online, will have a 'world' symbol as per below:

[Image: shared_with_me]

Observed API Response:

Listing available OneDrive Business Shared Folders:
[DEBUG] Request URL = https://graph.microsoft.com/v1.0/me/drive/sharedWithMe
[DEBUG] onedrive.getSharedWithMe API Response: {"@odata.context":"https:\/\/graph.microsoft.com\/v1.0\/$metadata#Collection(driveItem)","value":[{"@odata.type":"#microsoft.graph.driveItem","createdBy":{"user":{"displayName":"test user"}},"createdDateTime":"2020-06-17T20:38:11Z","fileSystemInfo":{"createdDateTime":"2020-06-17T20:38:11Z","lastModifiedDateTime":"2020-06-22T01:50:20Z"},"folder":{"childCount":4},"id":"01JRXHEZMREEB3EJVHNVHKNN454Q7DFXPR","lastModifiedBy":{"user":{"displayName":"test user","email":"testuser@mynasau3.onmicrosoft.com"}},"lastModifiedDateTime":"2020-06-22T01:50:20Z","name":"Child Shared Folder","remoteItem":{"createdBy":{"user":{"displayName":"test user"}},"createdDateTime":"2020-06-17T20:38:11Z","fileSystemInfo":{"createdDateTime":"2020-06-17T20:38:11Z","lastModifiedDateTime":"2020-06-22T01:50:20Z"},"folder":{"childCount":4},"id":"01JRXHEZMREEB3EJVHNVHKNN454Q7DFXPR","lastModifiedBy":{"user":{"displayName":"test user","email":"testuser@mynasau3.onmicrosoft.com"}},"lastModifiedDateTime":"2020-06-22T01:50:20Z","name":"Child Shared Folder","parentReference":{"driveId":"b!rAVn2to7zUWZfbrVIUU3zSFB59F6TnZLjNUAn9SlWRDj709L0heSSoWi6mMSxrOO","driveType":"business","id":"01JRXHEZN6Y2GOVW7725BZO354PWSELRRZ"},"shared":{"scope":"users","sharedBy":{"user":{"displayName":"test 
user"}},"sharedDateTime":"2020-06-17T20:40:03Z"},"sharepointIds":{"listId":"4b4fefe3-17d2-4a92-85a2-ea6312c6b38e","listItemId":"5","listItemUniqueId":"b2032191-a726-4e6d-a6b7-9de43e32ddf1","siteId":"da6705ac-3bda-45cd-997d-bad5214537cd","siteUrl":"https:\/\/mynasau3-my.sharepoint.com\/personal\/testuser_mynasau3_onmicrosoft_com","tenantId":"1d5330af-a875-45cf-9e56-434333157def","webId":"d1e74121-4e7a-4b76-8cd5-009fd4a55910"},"size":0,"webDavUrl":"https:\/\/mynasau3-my.sharepoint.com\/personal\/testuser_mynasau3_onmicrosoft_com\/Documents\/Level%201\/Level%202\/Level%203\/Child%20Shared%20Folder","webUrl":"https:\/\/mynasau3-my.sharepoint.com\/personal\/testuser_mynasau3_onmicrosoft_com\/Documents\/Level%201\/Level%202\/Level%203\/Child%20Shared%20Folder"},"size":0,"webUrl":"https:\/\/mynasau3-my.sharepoint.com\/personal\/testuser_mynasau3_onmicrosoft_com\/Documents\/Level%201\/Level%202\/Level%203\/Child%20Shared%20Folder"},{"@odata.type":"#microsoft.graph.driveItem","createdBy":{"user":{"displayName":"test user","email":"testuser@mynasau3.onmicrosoft.com"}},"createdDateTime":"2020-06-17T20:37:24Z","fileSystemInfo":{"createdDateTime":"2020-06-17T20:37:24Z","lastModifiedDateTime":"2020-06-21T20:05:53Z"},"folder":{"childCount":4},"id":"01JRXHEZLRMXHKBYZNOBF3TQOPBXS3VZMA","lastModifiedBy":{"user":{"displayName":"test user","email":"testuser@mynasau3.onmicrosoft.com"}},"lastModifiedDateTime":"2020-06-21T20:05:53Z","name":"Top Level to Share","remoteItem":{"createdBy":{"user":{"displayName":"test user","email":"testuser@mynasau3.onmicrosoft.com"}},"createdDateTime":"2020-06-17T20:37:24Z","fileSystemInfo":{"createdDateTime":"2020-06-17T20:37:24Z","lastModifiedDateTime":"2020-06-21T20:05:53Z"},"folder":{"childCount":4},"id":"01JRXHEZLRMXHKBYZNOBF3TQOPBXS3VZMA","lastModifiedBy":{"user":{"displayName":"test user","email":"testuser@mynasau3.onmicrosoft.com"}},"lastModifiedDateTime":"2020-06-21T20:05:53Z","name":"Top Level to 
Share","parentReference":{"driveId":"b!rAVn2to7zUWZfbrVIUU3zSFB59F6TnZLjNUAn9SlWRDj709L0heSSoWi6mMSxrOO","driveType":"business","id":"01JRXHEZN6Y2GOVW7725BZO354PWSELRRZ"},"shared":{"scope":"users","sharedBy":{"user":{"displayName":"test user","email":"testuser@mynasau3.onmicrosoft.com"}},"sharedDateTime":"2020-06-19T02:55:32Z"},"sharepointIds":{"listId":"4b4fefe3-17d2-4a92-85a2-ea6312c6b38e","listItemId":"1","listItemUniqueId":"a0ce6571-2de3-4b70-b9c1-cf0de5bae580","siteId":"da6705ac-3bda-45cd-997d-bad5214537cd","siteUrl":"https:\/\/mynasau3-my.sharepoint.com\/personal\/testuser_mynasau3_onmicrosoft_com","tenantId":"1d5330af-a875-45cf-9e56-434333157def","webId":"d1e74121-4e7a-4b76-8cd5-009fd4a55910"},"size":0,"webDavUrl":"https:\/\/mynasau3-my.sharepoint.com\/personal\/testuser_mynasau3_onmicrosoft_com\/Documents\/Top%20Level%20to%20Share","webUrl":"https:\/\/mynasau3-my.sharepoint.com\/personal\/testuser_mynasau3_onmicrosoft_com\/Documents\/Top%20Level%20to%20Share"},"size":0,"webUrl":"https:\/\/mynasau3-my.sharepoint.com\/personal\/testuser_mynasau3_onmicrosoft_com\/Documents\/Top%20Level%20to%20Share"}]}

Steps to Reproduce

  1. Have a folder shared with you from outside your organisation
  2. Verify that this folder is visible via OneDrive web interface
  3. Call https://graph.microsoft.com/v1.0/me/drive/sharedWithMe and the external shared resource is not available.
@ghost ghost added the Needs: Triage 🔍 Needs initial triage assessment label Jun 23, 2020
@ghost

ghost commented Jun 23, 2020

Thank you for your contribution to OneDrive API Docs. We will be triaging your incoming issue as soon as possible.

@chackman
Contributor

Thanks for your feedback.
A couple of points:

  1. To include external shared folders add a query parameter/value allowexternal=true
    This isn't documented. We'll tag this as a documentation issue; you are welcome to create a PR to add this information consistent with our other places where we document query parameters.
  2. To access the external shared folders you need a token scoped to the other tenant that "owns" the external folder. Specifying the target tenant is explained in AAD docs somewhere, but another contributor provided a quick synopsis on how to do this: OneDrive : Accessing external shared folder through Graph API #1296

@chackman chackman added status:answered area:Docs status:backlogged Something that we are considering on our internal backlog for the future and removed Needs: Triage 🔍 Needs initial triage assessment labels Jun 26, 2020
@abraunegg
Author

@chackman
Thanks for the pointers. I can confirm that allowexternal=true presents the data, will have to work on point 2 to ensure that they can be synced correctly.

@abraunegg
Author

abraunegg commented Jul 1, 2020

@chackman
In following the details in #1296 (comment) I am able to get a new access token for the tenant, however when using that new access token, I still get a 403 (Access denied) response.

To get the default tenant (my tenant to compare), I had to utilise /v1.0/organization which would also generate a 403 (Access denied) response until I added the scope User.Read - once that was added, /v1.0/organization was successful.

I was wondering, to fully query an external tenant + using external auth token in the manner above, with the following query:

https://graph.microsoft.com/v1.0/drives/{driveId}/items/{itemId}?select=id,name,eTag,cTag,deleted,file,folder,root,fileSystemInfo,remoteItem,parentReference,size

Is there any additional auth scopes required which I may be missing?

Current auth scopes in use are:

  • User.Read
  • Files.ReadWrite
  • Files.ReadWrite.all
  • Sites.Read.All
  • Sites.ReadWrite.All
  • offline_access

That same query, for OneDrive Business Shared Folders inside an organisation (same tenant) generates zero issue - query / response is successful.

@abraunegg
Author

abraunegg commented Jul 2, 2020

@chackman . @ificator
Following the details here (#1296 (comment)) these are the responses I get:

  1. Authenticate User A in Tenant A using https://login.microsoftonline.com/common/oauth2/v2.0/token
{
	"access_token": "eyJ0eXAiOiJK...0K5A",
	"expires_in": 3599,
	"ext_expires_in": 3599,
	"refresh_token": "OAQABAAAAAAA...PIAA",
	"scope": "Files.ReadWrite Files.ReadWrite.All Sites.Read.All Sites.ReadWrite.All User.Read profile openid email",
	"token_type": "Bearer"
}
  2. User B in Tenant B, shares folder with User A in Tenant A
  3. User A to obtain access token from Tenant B using https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token using the 'refresh_token' obtained in Step 1:
{
	"access_token": "eyJ0eXAiOiJK...KM1HtA",
	"expires_in": 3597,
	"ext_expires_in": 3597,
	"refresh_token": "OAQABAAAAAAA...yi-SAA",
	"scope": "profile openid email",
	"token_type": "Bearer"
}

So the 'scopes' are being dropped, thus, this is why I am getting the 403 'Access Denied' when I try and use the 'access_token' provided by Tenant B for User A, using passed in 'refresh_token'

Are these steps 'correct' as per #1296 ... or is something missing here?
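
The scope drop described in the comment above can be checked before any Graph call is made. This is an added example, not part of the original thread or the project's code: it compares the `scope` field of the two token responses quoted above against the scopes listed in the Jul 1 comment. The function names, the case-insensitive comparison, and treating a returned `refresh_token` as proof of `offline_access` are assumptions.

```python
import json

# Scopes the client asks for, as listed in the thread's Jul 1 comment.
REQUESTED = ["User.Read", "Files.ReadWrite", "Files.ReadWrite.all",
             "Sites.Read.All", "Sites.ReadWrite.All", "offline_access"]

# The two token responses from the thread (token values are truncated there).
HOME_RESPONSE = """{"access_token": "eyJ0eXAiOiJK...0K5A", "expires_in": 3599,
  "refresh_token": "OAQABAAAAAAA...PIAA", "token_type": "Bearer",
  "scope": "Files.ReadWrite Files.ReadWrite.All Sites.Read.All Sites.ReadWrite.All User.Read profile openid email"}"""
TENANT_B_RESPONSE = """{"access_token": "eyJ0eXAiOiJK...KM1HtA", "expires_in": 3597,
  "refresh_token": "OAQABAAAAAAA...yi-SAA", "token_type": "Bearer",
  "scope": "profile openid email"}"""


def granted_scopes(raw_response: str) -> set:
    """Return the case-folded scopes a token response actually grants."""
    resp = json.loads(raw_response)
    granted = {s.casefold() for s in resp.get("scope", "").split()}
    # Assumption: offline_access is not echoed in "scope"; a returned
    # refresh_token is taken as evidence it was honoured (see step 1).
    if resp.get("refresh_token"):
        granted.add("offline_access")
    return granted


def missing_scopes(raw_response: str, requested=REQUESTED) -> list:
    """Requested scopes absent from the response, in the caller's spelling."""
    have = granted_scopes(raw_response)
    return sorted(s for s in requested if s.casefold() not in have)


def dropped_on_exchange(home_raw: str, tenant_raw: str) -> list:
    """Scopes granted in the home tenant but lost after the tenant exchange."""
    return sorted(granted_scopes(home_raw) - granted_scopes(tenant_raw))


def safe_to_call_graph(raw_response: str) -> bool:
    """Fail closed: only use the token if every requested scope was granted."""
    return not missing_scopes(raw_response)


if __name__ == "__main__":
    for name, raw in (("home", HOME_RESPONSE), ("tenant B", TENANT_B_RESPONSE)):
        print(name, "usable:", safe_to_call_graph(raw), "missing:", missing_scopes(raw))
    print("dropped:", dropped_on_exchange(HOME_RESPONSE, TENANT_B_RESPONSE))
```

Running the check on every token response, and logging only the scope names rather than the token values, surfaces the under-scoped Tenant B token before it produces a 403.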

@abraunegg
Author

@chackman . @ificator
Any comment or suggestion here as to why, when using the process, the 'scopes' are being removed?

@chackman
Contributor

Please ask your question about auth scopes to the AAD team:

If you have a question about Azure Active Directory, outside of issues with the documentation provided in the OneDrive Developer Center, please ask it here: https://stackoverflow.com/questions/tagged/azure-active-directory

@ghost ghost added the no-recent-activity label Jul 20, 2020
@ghost

ghost commented Jul 20, 2020

This issue has been automatically marked as stale because it has been marked as answered but has not had any activity for 10 days. It will be closed if no further activity occurs within 10 days of this comment. Thank you for your contributions to OneDrive API Docs!

@ghost ghost closed this as completed Jul 30, 2020