How to least privilege Microsoft Graph API daemon application permissions to a single OneDrive Excel file? - microsoft-graph-api

Trying to leverage the Microsoft Graph API within a daemon application to update a single OneDrive Excel file. How do I accomplish least privilege permissions to a single file? I have scoured the documentation for a straightforward explanation of this basic task, however no articles are instructive on how to proceed with this. The documentation appears to define least privilege as a distinction between the Office software entities, but not within folders and files of a OneDrive. Thanks in advance for guidance.

This isn't possible. The Files.{Read|ReadWrite}.All application scopes provide access to the entire Drive for every user.
From the Permissions documentation:
Files.Read.All: Allows the app to read all files in all site collections without a signed in user.
Files.ReadWrite.All: Allows the app to read all files in all site collections without a signed in user.
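Since the only application permissions that reach a OneDrive file are tenant-wide, the practical control is to know, at run time, exactly which application permissions the daemon is holding and to stop if they drift beyond what was approved. The following is an added example, not code from the question or the answer: it decodes the `roles` claim of an app-only Graph token (without verifying the signature, so it is for local inspection only), compares it with an approved set, and builds the Graph request that writes a range in the target workbook. The token used here is constructed and unsigned; the drive id, item id and sheet name are placeholders, and the `Files.Read.All`/`Files.ReadWrite.All` role names are the ones quoted from the Permissions documentation above.

```python
"""Added example: inspect an app-only Graph token's `roles` claim before a
daemon writes to a workbook, and build the range-update request.
The token below is constructed for the demonstration; nothing is sent."""
import base64
import json

# Application permissions that grant access to every drive in the tenant
# (names taken from the Permissions documentation quoted above).
TENANT_WIDE_FILE_ROLES = {"Files.Read.All", "Files.ReadWrite.All"}


def decode_jwt_payload(token: str) -> dict:
    """Base64url-decode the payload segment of a compact JWT.

    The signature is NOT verified: use this to inspect what the app was
    granted, never to make an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore the padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_app_roles(token: str) -> set:
    """Application permissions (the `roles` claim) present in an app-only token."""
    return set(decode_jwt_payload(token).get("roles", []))


def is_tenant_wide(token: str) -> bool:
    """True when the token carries a Files.*.All role, i.e. access to all drives."""
    return bool(granted_app_roles(token) & TENANT_WIDE_FILE_ROLES)


def check_least_privilege(token: str, approved_roles: set) -> list:
    """Roles in the token that were not approved, sorted.

    A daemon can refuse to start when this is non-empty; it catches consent
    drift, e.g. Files.ReadWrite.All granted where only Files.Read.All was approved.
    """
    return sorted(granted_app_roles(token) - set(approved_roles))


def workbook_range_update(drive_id: str, item_id: str, sheet: str,
                          address: str, values: list) -> tuple:
    """Build the Graph PATCH (url, body) that writes `values` into a worksheet range.

    The caller sends it with its own HTTP client and bearer token.
    """
    url = (f"https://graph.microsoft.com/v1.0/drives/{drive_id}/items/{item_id}"
           f"/workbook/worksheets/{sheet}/range(address='{address}')")
    return url, {"values": values}


def _constructed_token(claims: dict) -> str:
    """Unsigned JWT built only for this example (not a real Entra ID token)."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([seg({"alg": "none", "typ": "JWT"}), seg(claims), ""])


# Constructed sample: what a daemon holding Files.ReadWrite.All would see.
SAMPLE_TOKEN = _constructed_token({"aud": "https://graph.microsoft.com",
                                   "roles": ["Files.ReadWrite.All"]})

if __name__ == "__main__":
    print("roles:", granted_app_roles(SAMPLE_TOKEN))
    print("tenant-wide:", is_tenant_wide(SAMPLE_TOKEN))
    print("unapproved:", check_least_privilege(SAMPLE_TOKEN, {"Files.Read.All"}))
    url, body = workbook_range_update("DRIVE_ID_PLACEHOLDER", "ITEM_ID_PLACEHOLDER",
                                      "Sheet1", "A1:B1", [["status", "ok"]])
    print(url, json.dumps(body))
```

The check is deliberately separate from the HTTP call: the daemon reads the roles once after acquiring its token and logs them, so an audit can confirm the job ran under the permission that was consented to and nothing broader.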

Related

Microsoft Graph API Problem Accessing OneDrive Items Shared by External User

I am writing a .NET desktop app that uses the Microsoft Graph API to access the contents of my OneDrive for Business storage. I am logging in to Graph using my Microsoft work/school account U1, in my organization O1. Another Microsoft work/school account, U2, in a different organization, O2, has shared a folder with me. The folder shows up in "Shared With You" when I browse my OneDrive interactively in a browser, and I can make changes to the folder there. It also shows up as a DriveItem in the returned list when my app uses the "sharedWithMe" API call documented here (with allowexternal set to true).
All good so far. The problem is when I try to actually retrieve the shared folder using the returned DriveItem. I am following the guidance in the doc page to use a call like
GET /drives/{remoteItem-driveId}/items/{remoteItem-id}
to retrieve the folder, and I have the "Files.ReadWrite.All" permission. I believe I am doing this correctly in my code, because it works fine on other items shared with me by users in my organization. However, with the folder shared by U2, this call fails with an "itemNotFound" error. I don't understand why this fails. Is this a problem with my code, or some configuration that needs to be done in my organization O1, or in their organization O2, or a combination? Or is what I'm trying to do just not possible across organizations?
I have found a couple other folks who have had similar problems, but the resolutions are inconclusive: see here, here, and here. These links have suggested a couple directions:
- Could this be a problem with some sharing setting on the part of organization O2? Unfortunately I don't have any control over this org. But if I can give them a clear request, preferably with some Microsoft docs to back it up, I think they would be receptive. For example, does organization O2 need to add/invite my account U1 as an external/guest user to their Azure AD? I don't know for sure if they've done that.
- One of the comments suggested that my app would need to be a multi-tenant app for it to access resources in another tenant. I do not want my app to be multi-tenant in the sense of allowing people in other tenants to login to it, but I do want my account to be able to access resources in other tenants that have been shared with me. I tried changing the app registration for my app to multi-tenant, and that didn't make any difference.
- In the multi-tenant vein, I found this Microsoft doc, which states "In the code of your multi-tenant app, get the authentication token for other tenants and store them in the auxiliary headers. The user or application must have been invited as a guest to the other tenants." In my code I am using Microsoft.Identity.Client.PublicClientApplicationBuilder to sign my account in and get an access token, using the authority for my tenant. It sounds like my access token is only valid for resources in my tenant - how do I get a token for another tenant in my code?
Thanks very much for any suggestions, be they pointers to docs, code suggestions, etc!

Is there a way to get write permission to a single folder on OneDrive via Microsoft Graph API?

I need to upload files to a client's shared folder on OneDrive, however, there's no way I can get them to allow Files.WriteAll for my application (I'm using application permissions, not delegation) -- I've asked them. Is there another way to do that?
I have looked into multiple SO questions about this and on Microsoft's documentation, and I believe it is not possible, but I would like to know from people with more experience using Microsoft's service if it is indeed true.

Is it possible to give an application direct access to a file?

Google Console has "service accounts", and service accounts can be given write permissions to files. These files can then be modified without any sort of user intervention, and this works as long as the service account has the appropriate permissions.
Is there anything similar for Microsoft Graph? We have a file in a SharePoint folder that we would like continued access to even if the people with access to that folder continuously change.
Azure AD has a notion of Service Principals that can be used for this purpose.

App for Office for Desktop and 3rd party authentication

I am initiating an App for Office project and I am trying to find out something critical.
Can I use my ASP.NET MVC built-in OAuth authentication to pair it with a Live account so my app logs the user in to MS Office for Desktop apps?
This is needed so I can access OneDrive and use the share file editing there.
The architecture so far is:
Files stored in a single OneDrive or SharePoint server (TBD)
Desktop Office apps (Word and Excel) where the users work.
App for Office, installed in their Word and Excel. Users can authenticate on the back-end ASP.NET MVC server, using any 3rd party email address and a password.
I have used OAuth in ASP.NET MVC projects but not in integration with Office in an App for Office.
So, my question is if this idea is possible and HOW, or whether I have to give everyone an Office 365 account so they can connect via the integrated Office for desktop.
As we in our small company like to benefit from the OneDrive functionality, and also want to have selected shared and group folders offline available, we found a more or less perfect workaround.
We use the Goodsync software to synchronize. For this you create a sync job within Goodsync for the folders you want to have available offline. Such a sync definition (call it a folder pair) has a reference to the local folder, and on the other side a reference to the OneDrive folder. The reference to the OneDrive folder you describe like this: „sds://d.docs.live.net//“.
The OneDrive CID you can see for any shared OneDrive folder in OneDrive web within its web address (example: https://OneDrive.live.com/?cid=xxxxxxxxxxxxxxxx). Similarly it works for OneDrive group folders.
Our experience is very good with this workaround; just be aware that you need all rights for the shared OneDrive folder, then Goodsync can even create or delete folders within shared OneDrives.
Good luck! Wolfgang from Salzburg
For everyone's benefit, I will explain what we have done.
We are using Azure Active Directory and manage all users there. We connected a SharePoint site to it, and it has OneDrive behind it. Now our App for Office connects to that using SharePointContext from here and it magically works.

Accessing logs in Manage Files area

Is there a way to access files, such as those created by the CCB tool, that are placed into a specific directory in the Manage Files area of a course offering? I've tried the topic API, but the new /file path only returns a value when the file is attached to a topic - not if it's just "hanging out" in the files area. Is there a more generic way to access the entire file structure there (maybe even by using WebDAV)? If so, is there a way to turn WebDAV on?
Thank you,
-George
The Valence Learning Framework API does not currently offer direct access to the Manage Files area.
I believe that clients can engage D2L to provide WebDAV access to the Manage Files store; the D2L client should contact their account manager to work through the details of setting this up for their use. This is not a feature that a third party integrator can count on all clients having available though, as it does (I believe) require a special engagement with D2L around a client's service.
