OneDrive permissions - get full data using Microsoft Graph API - microsoft-graph-api

When setting the permission / access link in OneDrive, there are quite a few options:
But when accessing the file permission using Microsoft Graph API
https://graph.microsoft.com/v1.0/users/{user_id}/drive/items/{item_id}/permissions
I do not get the set expiration date, set password or block download:
The response looks like this:
{
"id": "permission_id",
"roles": [
"write"
],
"link": {
"scope": "anonymous",
"type": "edit",
"webUrl": "webUrl"
}
}
How can I get all the data? Should I use a different API?

Seems like the beta version of the Graph API supports this:
https://graph.microsoft.com/beta/users/{user_id}/drive/items/{item_id}/permissions/{permission_id}
will give the following response:
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#users('user_id')/drive/items('item_id')/permissions/$entity",
"expirationDateTime": "2020-04-26T21:00:00Z",
"hasPassword": true,
"id": "permission_id",
"roles": [
"read"
],
"link": {
"preventsDownload": true,
"scope": "anonymous",
"type": "view",
"webUrl": "webUrl"
}
}
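A sharing-link review over permission objects of the two shapes shown above, as an added example that is not part of the original posts. `audit_link` and its finding labels are hypothetical, and treating a field missing from a beta response as "setting not enabled" is an assumption.

```python
from datetime import datetime, timezone

# Constructed samples in the shape of the two responses shown above.
V1_PERMISSION = {"id": "permission_id", "roles": ["write"],
                 "link": {"scope": "anonymous", "type": "edit", "webUrl": "webUrl"}}
BETA_PERMISSION = {"expirationDateTime": "2020-04-26T21:00:00Z", "hasPassword": True,
                   "id": "permission_id", "roles": ["read"],
                   "link": {"preventsDownload": True, "scope": "anonymous",
                            "type": "view", "webUrl": "webUrl"}}

def audit_link(perm, now, from_beta=True):
    """Return review findings for one permission object (hypothetical helper)."""
    link = perm.get("link")
    if link is None:
        return []  # direct grant (grantedTo), not a sharing link
    findings = []
    if link.get("scope") == "anonymous":
        findings.append("anonymous")
    if link.get("type") == "edit" or "write" in perm.get("roles", []):
        findings.append("writable")
    if not from_beta:
        # v1.0 omits expiry/password/download settings, so absence proves nothing.
        findings.append("settings-not-reported")
        return findings
    # Assumption: on beta, a missing field means the setting is not enabled.
    expires = perm.get("expirationDateTime")
    if expires is None:
        findings.append("no-expiry")
    elif datetime.fromisoformat(expires.replace("Z", "+00:00")) <= now:
        findings.append("expired")
    if not perm.get("hasPassword", False):
        findings.append("no-password")
    if not link.get("preventsDownload", False):
        findings.append("download-allowed")
    return findings

if __name__ == "__main__":
    now = datetime(2020, 4, 1, tzinfo=timezone.utc)
    print(audit_link(V1_PERMISSION, now, from_beta=False))
    print(audit_link(BETA_PERMISSION, now))
```
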

Related

How to get permissions list by API

I'm trying to get all Graph API permissions list by an API call or by downloading either XML or JSON file.
I tried to check call made from Azure portal when list is loaded but nothing.
Does someone know how we can get this info from Microsoft?
API permissions can be listed by using the following query in the Microsoft Graph API (Microsoft Graph Explorer).
The Directory.Read.All permission must be granted admin consent to authenticate a Microsoft Graph API client to access the /v1.0/oauth2PermissionGrants endpoint.
Then make a GET request to
https://graph.microsoft.com/v1.0/oauth2PermissionGrants
Result: Represents delegated permissions which have been granted for client applications to access APIs on behalf of signed-in users.
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#oauth2PermissionGrants",
"@odata.nextLink": "https://graph.microsoft.com/v1.0/oauth2PermissionGrants?$skiptoken=xxxx",
"value": [
{
"clientId": "xxx",
"consentType": "Principal",
"id": "YBLh22Q2xxxxxxZPqphjW",
"principalId": "xxxx",
"resourceId": "xxxxxx",
"scope": "UserProfile.Read "
},
{
"clientId": "xxxx",
"consentType": "Principal",
"id": "xxxx",
"principalId": "xxxx6efe7a",
"resourceId": "xxxxx",
"scope": "UserProfile.Read "
},
{
"clientId": "xxxx",
"consentType": "Principal",
"id": "YBLh2xxxxxmX",
"principalId": "xxxxxxx",
"resourceId": "xxxx",
"scope": "UserProfile.Read "
},
{
"clientId": "xxxxx",
"consentType": "Principal",
"id": "YBLh22Q2xxxxxxN2iXWD",
"principalId": "xxxxx",
"resourceId": "xxxx",
"scope": "UserProfile.Read"
},
{
"clientId": "xxxxx",
"consentType": "Principal",
"id": "YBLh22Q2xExxxxbjbxXaqHKDW",
"principalId": "xxxx",
"resourceId": "xxxxx",
"scope": "UserProfile.Read"
},
{
"clientId": "xxxxxxx",
"consentType": "Principal",
"id": "xxxxxxxx",
"principalId": "xxx",
"resourceId": "bbf1c2f4xxxxxxxx",
"scope": "user_impersonation "
},
{
"clientId": "xxxx-60ae65bca24f",
"consentType": "Principal",
"id": "xxxx_AXxTLAO2AAHbv56",
"principalId": "941ea60dxxxxxx-d800076efe7a",
"resourceId": "bbf1c2f4xxxxx",
"scope": "user_impersonation "
},
{
"clientId": "xxxx9-60ae65bca24f",
"consentType": "Principal",
"id": "xxx",
"principalId": "xxx",
"resourceId": "bbf1c2f4-xxxxx",
"scope": "user_impersonation"
},
{
"clientId": "dbe11260-3664-40c4-ae39-60ae65bca24f",
"consentType": "Principal",
"id": "xxxx",
"principalId": "d1de0f56-d471-4580-b8db-c576aa1ca0d6",
"resourceId": "bbf1c2f4-52df-4d28-8dea-e8de231ed902",
"scope": "user_impersonation"
}
Reference: List oAuth2PermissionGrants (delegated permission grants) - Microsoft Graph v1.0 | Microsoft Learn
Thanks for the answers, but it's not exactly what I was looking for.
In fact, I want to get the list we can find here: Graph API permissions
but through an automatic way (API, JSON or XML file and not by parsing an HTML page :). Ideally with extra info, if it exists, to let my users filter them easily.
AFAIK there is no list available right now by an API call or by downloading an XML or JSON file. If you want this API, you can raise a feature request here.
Check the documentation of all permissions and ids. You can easily copy and paste the table.
Other option is to use /servicePrincipals endpoint and filter Microsoft Graph app. It will return list of application and delegated permissions including description and other details.
GET https://graph.microsoft.com/v1.0/servicePrincipals?$filter=appId+eq+'00000003-0000-0000-c000-000000000000'&$select=appRoles,oauth2PermissionScopes
Result
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals(appRoles,oauth2PermissionScopes)",
"value": [
{
"appRoles": [
{
"allowedMemberTypes": [
"Application"
],
"description": "Allows the app to read all available Teams Templates, without a signed-user.",
"displayName": "Read all available Teams Templates",
"id": "6323133e-1f6e-46d4-9372-ac33a0870636",
"isEnabled": true,
"origin": "Application",
"value": "TeamTemplates.Read.All"
},
...
],
"oauth2PermissionScopes": [
{
"adminConsentDescription": "Allows the app to read the available Teams templates, on behalf of the signed-in user.",
"adminConsentDisplayName": "Read available Teams templates",
"id": "cd87405c-5792-4f15-92f7-debc0db6d1d6",
"isEnabled": true,
"type": "User",
"userConsentDescription": "Read available Teams templates, on your behalf.",
"userConsentDisplayName": "Read available Teams templates",
"value": "TeamTemplates.Read"
},
...
]
}
]
}
appRoles property represents application permissions
oauth2PermissionScopes property represents delegated permissions
The endpoint requires Application.Read.All, Application.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All permissions
I've compared data returned by the query above with the list in the documentation and it matches.
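The servicePrincipals response above flattened into a filterable catalogue, with a helper that checks the space-separated `scope` string of an oauth2PermissionGrant against it. This is an added example, not code from the answers; the function names and the third catalogue entry are constructed for illustration.

```python
# Constructed sample in the shape of the servicePrincipals response above;
# the "Example.ReadWrite.All" scope and its id are invented for illustration.
SP_RESPONSE = {"value": [{
    "appRoles": [{
        "description": "Allows the app to read all available Teams Templates, without a signed-user.",
        "id": "6323133e-1f6e-46d4-9372-ac33a0870636",
        "isEnabled": True, "value": "TeamTemplates.Read.All"}],
    "oauth2PermissionScopes": [
        {"adminConsentDescription": "Allows the app to read the available Teams templates, on behalf of the signed-in user.",
         "id": "cd87405c-5792-4f15-92f7-debc0db6d1d6",
         "isEnabled": True, "type": "User", "value": "TeamTemplates.Read"},
        {"adminConsentDescription": "Constructed admin-only scope.",
         "id": "00000000-0000-0000-0000-000000000001",
         "isEnabled": True, "type": "Admin", "value": "Example.ReadWrite.All"}],
}]}

def build_catalogue(sp_response):
    """Flatten appRoles and oauth2PermissionScopes into one list of rows."""
    rows = []
    for sp in sp_response.get("value", []):
        for role in sp.get("appRoles", []):
            rows.append({"id": role["id"], "name": role["value"],
                         "kind": "Application",
                         "admin_consent": True,  # application permissions need an admin
                         "description": role.get("description", "")})
        for scope in sp.get("oauth2PermissionScopes", []):
            rows.append({"id": scope["id"], "name": scope["value"],
                         "kind": "Delegated",
                         "admin_consent": scope.get("type") == "Admin",
                         "description": scope.get("adminConsentDescription", "")})
    return rows

def find(catalogue, kind=None, admin_consent=None, text=None):
    """Filter rows; an argument left as None is not filtered on."""
    needle = text.lower() if text else None
    return [r for r in catalogue
            if (kind is None or r["kind"] == kind)
            and (admin_consent is None or r["admin_consent"] == admin_consent)
            and (needle is None
                 or needle in (r["name"] + " " + r["description"]).lower())]

def split_grant(grant, catalogue):
    """Split a grant's 'scope' string into catalogued and unknown scope names."""
    delegated = {r["name"] for r in catalogue if r["kind"] == "Delegated"}
    names = grant.get("scope", "").split()  # tolerates trailing spaces
    known = [n for n in names if n in delegated]
    return known, [n for n in names if n not in delegated]
```

Names that land in the unknown list, such as `user_impersonation` in the grants above, belong to a resource other than the one the catalogue was built from.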

Enumerate DriveItem resources of a specific Drive given SharePoint URL and using Graph API

I have a SharePoint URL of the form https://organizationname.sharepoint.com/sites/....
I want to use the Graph API to get a list of all resources in this drive. Reading the API documentation it appears that I require the drive-id of this drive in order to perform this request.
/drives/{drive-id}/root/children
Also, according to the answer to a similar stackoverflow question it appears there are no APIs to convert SharePoint URL to OneDrive driveId. Is there a possible workaround? Is there any way to programmatically get a list of resources from a SharePoint URL?
If your SharePoint URL is https://organizationname.sharepoint.com/sites/yourSiteName, then you can issue a request like this via the Graph API (scope Sites.Read.All might be required):
client.api("/sites/organizationname.sharepoint.com:/sites/yourSiteName:/drives").get();
That request will return something like this:
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#drives",
"value": [
{
"createdDateTime": "2021-07-24T23:35:00Z",
"description": "",
"id": "b!A1234567-ZYXWVUTSRQPONMLKJIHGFEDCBA9876543210",
"lastModifiedDateTime": "2021-08-12T16:39:23Z",
"name": "Dokumente",
"webUrl": "https://organizationname.sharepoint.com/sites/yourSIteName/folderName",
"driveType": "documentLibrary",
"createdBy": {
"user": {
"displayName": "abc"
}
},
"lastModifiedBy": {
"user": {
"email": "bla@organizationame.onmicrosoft.com",
"id": "12345678-4321-4321-4321-012345678901",
"displayName": "zz"
}
},
"owner": {
"group": {
"email": "x@y.onmicrosoft.com",
"id": "09876543-1234-1234-1234-012345678901",
"displayName": "Owner of something"
}
},
"quota": {
"deleted": 345678,
"remaining": 27487788453406,
"state": "normal",
"total": 27487790694400,
"used": 96120
}
}
]
}
The id under description is the drive-id. With that you can get /root/children like so:
client.api("/sites/yourorganizationname.sharepoint.com/drives/b!A1234567-ZYXWVUTSRQPONMLKJIHGFEDCBA9876543210/root/children").get();
While there is no single API or algorithm that allows you to programmatically get a list of resources from a SharePoint URL, you can achieve the same with two Graph API requests.

Microsoft Graph API - Odata Filter

I am using Microsoft Graph API to select a list of drives (used the following end point https://graph.microsoft.com/v1.0/drives)
This returns the following response
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#drives",
"value": [
{
"createdDateTime": "2020-08-04T02:41:25Z",
"description": "",
"id": "b!cMaCrLYg0Eebp_dXxJrwY",
"lastModifiedDateTime": "2020-08-05T11:45:01Z",
"name": "DocLibrary1"
},
{
"createdDateTime": "2020-08-04T02:41:25Z",
"description": "",
"id": "b!cMaCu321321jJDASJA",
"lastModifiedDateTime": "2020-08-05T11:45:01Z",
"name": "DocLibrary2"
} ]}
Now how can I change the URL request to only fetch attributes where name = 'DocLibrary1'?
This seems to be a limitation. I have added this as a request for Microsoft Graph API (as it works with the other endpoints of the Graph API)
https://microsoftgraph.uservoice.com/forums/920506-microsoft-graph-feature-requests/suggestions/41172841-microsoft-graph-api-odata-support-to-fetch-dri
Please go and vote!

How do you get the permissions of a remote driveItem?

Using the MS Graph REST API, I can retrieve driveItems that are shared with me. The Permissions of those "remote" driveItems include one identifying me as a user. However, that Permission object has no "Roles" in it (specifically, the Roles list has zero entries).
I tried looking at the RemoteItem properties, but these do not contain any security info.
What is the correct method to determine what my user's permissions are on that specific DriveItem?
Thus far, I have tested using the C# MSGraph SDK and found all the items shared with me to have an empty Roles list.
I have also used the online Graph Explorer and determined the same to be true.
When I retrieved the actual item using Graph Explorer, note the following in this example snippet from MSFT:
{
"id": "aTowIy5mfG1lbWJlcnNoaXB8YWxleHdAbTM2NXgyMTQzNTUub25taWNyb3NvZnQuY29t",
"roles": [],
"grantedTo": {
"user": {
"email": "AlexW@M365x214355.onmicrosoft.com",
"id": "4782e723-f4f4-4af3-a76e-25e3bab0d896",
"displayName": "Alex Wilber"
}
}
},
(No roles are listed for the user?)
I would have expected, since my User was explicitly listed in one of the Permits of the actual DriveItem retrieved, that the Role would also have specified my access/actual permission.
The following endpoint:
GET /drives/{remoteItem-driveId}/items/{remoteItem-id}/permissions
returns sharing permissions on a DriveItem resource
Result
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#drives('b%21IZJbPb0BjUKDAjMnMOSRf44bwdRO75NGunQibG16o65AcVUi0kiOSZ9k4-NxVd6C')/items('01H24BBVK3QUEPTCR2MNB3HMLTNUZINN54')/permissions",
"value": [
{
"id": "c0594808-fbbb-4c56-9b62-bc37307a2424",
"roles": [
"write"
],
"link": {
"scope": "anonymous",
"type": "edit",
"webUrl": "https://contoso-my.sharepoint.com/:w:/g/personal/jdoe_contoso_onmicrosoft_com/EVuFCPmKOmNDs7FzbTKGt7wBxdHHpbjDMOzy3_ng2KHCAQ"
}
},
{
"id": "8a03ff0b-5196-4585-b8a9-4d95115e10c2",
"roles": [
"read"
],
"link": {
"scope": "anonymous",
"type": "view",
"webUrl": "https://contoso-my.sharepoint.com/:w:/g/personal/jdoe_contoso_onmicrosoft_com/EVuFCPmKOmNDs7FzbTKGt7wB8wPZsfAqSd-IQYE337GDjg"
}
},
{
"id": "aTowIy5mfG1lbWJlcnNoaXB8dmdyZW1AbWVkaWFkZXY4OC5vbm1pY3Jvc29mdC5jb20",
"roles": [
"owner"
],
"grantedTo": {
"user": {
"email": "jdoe@contoso.onmicrosoft.com",
"id": "1ee49b6f-4632-4806-a4dd-e065844f9cd1",
"displayName": "Jon Doe"
}
}
}
]
}
The following example demonstrates how to print Permissions resource Roles property via msgraph-sdk-dotnet:
var item = await graphClient.Drives[driveId].Items[itemId].Request().Expand("Permissions").GetAsync();
foreach (var permission in item.Permissions)
{
var roleNames = String.Join(", ", permission.Roles.ToArray());
Console.WriteLine(roleNames);
}

Microsoft Graph API group folder invite response is wrong

I have been trying to grant a single user (possibly outside of the organization) access to a folder used by a shared group in SharePoint. The Microsoft Graph Docs state that the response should have an Id in it.
If I use a personal OneDrive account, and make the following request:
POST v1.0
https://graph.microsoft.com/v1.0/groups/{groupId}/drive/items/{folderId}/invite
body: {
"requireSignIn": true,
"sendInvitation": true,
"roles": [ "read"],
"recipients": [
{ "email": "{myPersonalEmail}" }
],
"message": "testing giving permission to self"
}
I get the following response:
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(permission)",
"value": [
{
"@odata.type": "#microsoft.graph.permission",
"id": "{permissionID}",
"roles": [
"read"
],
"grantedTo": {
"user": {
"email": "{myPersonalEmail}",
"id": "{responseID}",
"displayName": "Sarah"
}
}
}
]
}
However, we set up a different SharePoint account, and when I make the same request to https://graph.microsoft.com/v1.0/groups/{groupId}/drive/items/{folderId}/invite
I get a completely different response:
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(permission)",
"value": [
{
"@odata.type": "#microsoft.graph.permission",
"roles": [
"read"
],
"invitation": {
"signInRequired": true
},
"link": {
"type": "view",
"webUrl": "{shareURL}"
}
}
]
}
This is so bizarre to me, because we are hitting the same endpoint. It makes me think that maybe there are some site configurations that are making these two responses differ.
Does anyone know why we would be getting different results from the same endpoint?
