I have been trying to grant a single user (possibly outside of the organization) access to a folder used by a shared group in Share Point The Microsoft Graph Docs state that the response should have an Id in it.
If I use a personal oneDrive account, and make the following request:
POST v1.0
https://graph.microsoft.com/v1.0/groups/{groupId}/drive/items/{folderId}/invite
body: {
"requireSignIn": true,
"sendInvitation": true,
"roles": [ "read"],
"recipients": [
{ "email": "{myPersonalEmail}" },
],
"message": "testing giving permission to self"
}
I get the following response:
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(permission)",
"value": [
{
"#odata.type": "#microsoft.graph.permission",
"id": "{permissionID}",
"roles": [
"read"
],
"grantedTo": {
"user": {
"email": "{myPersonalEmail}",
"id": "{responseID}",
"displayName": "Sarah"
}
}
}
]
}
However, we setup a different SharePoint account that when I make the same request https://graph.microsoft.com/v1.0/groups/{groupId}/drive/items/{folderId}/invite
I get a completely different response:
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(permission)",
"value": [
{
"#odata.type": "#microsoft.graph.permission",
"roles": [
"read"
],
"invitation": {
"signInRequired": true
},
"link": {
"type": "view",
"webUrl": "{shareURL}"
}
}
]
}
This is so bizarre to me, because we are hitting the same endpoint. It makes me think that maybe there are some site configurations that are making these two responses differ.
Does anyone know why we would be getting a different results from the same endpoint?
Related
I have a SharePoint URL of the form https://organizationname.sharepoint.com/sites/....
I want to use the Graph API to get a list of all resources in this drive. Reading the API documentation it appears that I require the drive-id of this drive in order to perform this request.
/drives/{drive-id}/root/children
Also, according to the answer to a similar stackoverflow question it appears there are no APIs to convert SharePoint URL to OneDrive driveId. Is there a possible workaround? Is there any way to programmatically get a list of resources from a SharePoint URL?
If your SharePoint URL is https://organizationname.sharepoint.com/sites/yourSiteName, then you can issue a request like this via the Graph API (scope Sites.Read.All might be required):
client.api("/sites/organizationname.sharepoint.com:/sites/yourSiteName:/drives").get();
That request will return something like this:
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#drives",
"value": [
{
"createdDateTime": "2021-07-24T23:35:00Z",
"description": "",
"id": "b!A1234567-ZYXWVUTSRQPONMLKJIHGFEDCBA9876543210",
"lastModifiedDateTime": "2021-08-12T16:39:23Z",
"name": "Dokumente",
"webUrl": "https://organizationname.sharepoint.com/sites/yourSIteName/folderName",
"driveType": "documentLibrary",
"createdBy": {
"user": {
"displayName": "abc"
}
},
"lastModifiedBy": {
"user": {
"email": "bla#organizationame.onmicrosoft.com",
"id": "12345678-4321-4321-4321-012345678901",
"displayName": "zz"
}
},
"owner": {
"group": {
"email": "x#y.onmicrosoft.com",
"id": "09876543-1234-1234-1234-012345678901",
"displayName": "Owner of something"
}
},
"quota": {
"deleted": 345678,
"remaining": 27487788453406,
"state": "normal",
"total": 27487790694400,
"used": 96120
}
}
]
}
The id under description is the drive-id. With that you can get /root/children like so:
client.api("/sites/yourorganizationname.sharepoint.com/drives/b!A1234567-ZYXWVUTSRQPONMLKJIHGFEDCBA9876543210/root/children").get();
While there is no single API or algorithm that allows you to programmatically get a list of resources from a SharePoint URL, you can achieve the same with two Graph API requests.
When setting the permission / access link in OneDrive, there is quite a few options:
But when accessing the file permission using Microsoft Graph API
https://graph.microsoft.com/v1.0/users/{user_id}/drive/items/{item_id}/permissions
I do not get the set expiration date, set password or block download:
the response looks like this:
{
"id": "permission_id",
"roles": [
"write"
],
"link": {
"scope": "anonymous",
"type": "edit",
"webUrl": "webUrl"
}
}
How can I get all the data? Should I use a different API?
Seems like beta version of Graph API supports this:
https://graph.microsoft.com/beta/users/{user_id}/drive/items/{item_id}/permissions/{permission_id}
will give the following response:
{
"#odata.context": "https://graph.microsoft.com/beta/$metadata#users('user_id')/drive/items('item_id')/permissions/$entity",
"expirationDateTime": "2020-04-26T21:00:00Z",
"hasPassword": true,
"id": "permission_id",
"roles": [
"read"
],
"link": {
"preventsDownload": true,
"scope": "anonymous",
"type": "view",
"webUrl": "webUrl"
}
}
I'm trying to fetch all users from a specific group via an HTTP connector, a registered app, and Microsoft Graph.
The registered app has Directory.Read.All permissions.
My idea is that I'm calling the nextLink as long as it's there while appending all of the fetched users' userPrincipalName to an array eventually filling the array with all users of the group.
My Logic App looks like this:
Unfortunately, I'm just 1 reputation short of posting images, please forgive. The 3 links should provide an overview of the structure of my app.
First, nextLink is initialized to the first Graph API endpoint. This variable is set to the current nextLink through each iteration of the until loop.
Second, For the purpose of this exercise, I only get the top 5. I know there are only 9 users:
Lastly, I call the union method on the "users" array that I initialized earlier and the "value" array from the HTTP get method, to get one single array consisting of all users:
The issue is that the HTTP action always returns the same top 5 users. I've checked that the nextLink provided in the first HTTP GET call to Graph, is correct by copying it from the Runs history and pasting it into Microsoft Graph Explorer and there the next 4 users are correctly returned.
I also made sure that, for each iteration in the until loop, I call the Graph API with the nextLink from the previous iteration as expected.
The nextLink returned inside of the Logic App is exactly the same when I test it in Graph Explorer, but the same nextLink returns 2 different results when called from Graph Explorer and inside my Logic App.
Why is the result always the same top 5 users and not the next 4 users as expected?
If not sure about the reason why you will get this issue, but based on your requirement, I did a sample below:
{
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": {
"Initialize_variable": {
"inputs": {
"variables": [
{
"name": "GetGroupUrl",
"type": "string",
"value": "https://graph.microsoft.com/v1.0/groups/<your group id>/members?$select=userPrincipalName&$top=5"
}
]
},
"runAfter": {},
"type": "InitializeVariable"
},
"Initialize_variable_2": {
"inputs": {
"variables": [
{
"name": "users",
"type": "array"
}
]
},
"runAfter": {
"Initialize_variable": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Until": {
"actions": {
"Compose": {
"inputs": "#union(variables('users'),body('HTTP')['value'])",
"runAfter": {
"HTTP": [
"Succeeded"
]
},
"type": "Compose"
},
"HTTP": {
"inputs": {
"authentication": {
"audience": "https://graph.microsoft.com",
"clientId": "<app id>",
"secret": "<app secret>",
"tenant": "<your secret>",
"type": "ActiveDirectoryOAuth"
},
"method": "GET",
"uri": "#variables('GetGroupUrl')"
},
"runAfter": {},
"type": "Http"
},
"Set_variable": {
"inputs": {
"name": "GetGroupUrl",
"value": "#{if(equals(body('HTTP')?['#odata.nextLink'], null),null,body('HTTP')['#odata.nextLink'])}"
},
"runAfter": {
"Compose": [
"Succeeded"
]
},
"type": "SetVariable"
}
},
"expression": "#equals(variables('GetGroupUrl'), '')",
"limit": {
"count": 60,
"timeout": "PT1H"
},
"runAfter": {
"Initialize_variable_2": [
"Succeeded"
]
},
"type": "Until"
}
},
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {
"manual": {
"inputs": {
"method": "GET",
"schema": {
"properties": {
"text": {
"type": "string"
}
},
"type": "object"
}
},
"kind": "Http",
"type": "Request"
}
}
},
"parameters": {}
}
You can just replace the params with your own and paste it into your logic app code view and test it .
It works for me, as you can see , each request results are different :
Hope it helps .
This issue solved by OP self, this issue is due to queries in request URL , copy OP's comment as an answer :
After fiddling a bit more around with what each of you providing I
found a solution. It seems that when the query arguments are passed to
the HTTP GET outside of the endpoint itself (meaning in the "queries"
field inside of the block) it seems to keep overriding the nextLink.
When writing the endpoint URL out entirely with the odata parameters,
it works as intended.
When reviewing some example OneDrive Items using Graph Explorer, it appears that the user.id and the parentReference.driveId are identical. Is MSFT re-using one Id to identify both the user and drive object?
I have been testing my app against a number of OneDrive Business accounts and I do not believe I have seen this scenario. I would like to understand if this is something specific to OneDrive Personal and/or what implications it might have...
I am not sure this will cause any issues, but my understanding was that all "IDs" were generally unique.
Here's a redacted snippet of JSON returned from Graph Explorer to illustrate what I am seeing:
{
"#microsoft.graph.downloadUrl": "https://xxx.yyy",
"createdDateTime": "2018-12-04T19:02:41.173Z",
"cTag": "aYzpDQjBCMTc0REJFRUY2RTU4ITMxNzEuMjI1",
"eTag": "aQ0IwQjE3NERCRUVGNkU1OCEzMTcxLjk",
"id": "<MY_USER_ID>!3171",
"lastModifiedDateTime": "2018-12-04T19:10:36.83Z",
"name": "blah-2018.docx",
"size": 250538,
"webUrl": "https://1drv.ms/...",
"createdBy": {
"application": {
"displayName": "MSOffice15",
"id": "480728c5"
},
"device": {
"id": "188000899fbcaf"
},
"user": {
"displayName": "My Name",
"id": "<MY_USER_ID>"
}
},
"lastModifiedBy": {
"application": {
"displayName": "MSOffice15",
"id": "480728c5"
},
"device": {
"id": "188000899fbcaf"
},
"user": {
"displayName": "My Name",
"id": "<MY_USER_ID>"
}
},
"parentReference": {
"driveId": "<MY_USER_ID>",
"driveType": "personal",
"id": "<MY_USER_ID>!109",
"path": "/drive/root:"
},
"file": {
"mimeType": "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
"hashes": {
"sha1Hash": "F0370F54348ED81F421EB036868AEBE5253AF58A"
}
},
"fileSystemInfo": {
"createdDateTime": "2018-12-04T19:02:41.173Z",
"lastModifiedDateTime": "2018-12-04T19:02:38.633Z"
}
},
Note that MY_USER_ID is all uppercase in the prefix of the driveItem.Id. It is all lowercase as my driveId and my userId.
OneDrive Personal isn't reusing the same id, it's using the User's Id as a prefix for Drive and DriveItem ids:
{User Id}!{OneDrive ID}
Since there is a 1:1 relationship between an MSA and it's Drive, there isn't much call for a more complex mechanism. OneDrive for Business, on the other hand, is hosted in SharePoint and, as such, use's SharePoint's identifiers.
`
Using the MS Graph REST API, I can retrieve driveItems that are shared with me. The Permissions of those "remote" driveItems include one identifying me as a user. However, that Permission object has no "Roles" in it (specifically, the Roles list has zero entries).
I tried looking at the RemoteItem properties, but these do not contain any security info.
What is the correct method to determine what my user's permissions are on that specific DriveItem?
Thus far, I have tested using the C# MSGraph SDK and found all the items shared with me to have an empty Roles list.
I have also used the online Graph Explorer and determined the same to be true.
When I retrieved the actual item using Graph Explorer, note the following in this example snippet from MSFT:
{
"id": "aTowIy5mfG1lbWJlcnNoaXB8YWxleHdAbTM2NXgyMTQzNTUub25taWNyb3NvZnQuY29t",
"roles": [],
"grantedTo": {
"user": {
"email": "AlexW#M365x214355.onmicrosoft.com",
"id": "4782e723-f4f4-4af3-a76e-25e3bab0d896",
"displayName": "Alex Wilber"
}
}
},
(No roles are listed for the user?)
I would have expected, since my User was explicitly listed in one of the Permits of the actual DriveItem retrieved, that the Role would also have specified my access/actual permission.
The following endpoint:
GET /drives/{remoteItem-driveId}/items/{remoteItem-id}/permissions
returns sharing permissions on a DriveItem resource
Result
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#drives('b%21IZJbPb0BjUKDAjMnMOSRf44bwdRO75NGunQibG16o65AcVUi0kiOSZ9k4-NxVd6C')/items('01H24BBVK3QUEPTCR2MNB3HMLTNUZINN54')/permissions",
"value": [
{
"id": "c0594808-fbbb-4c56-9b62-bc37307a2424",
"roles": [
"write"
],
"link": {
"scope": "anonymous",
"type": "edit",
"webUrl": "https://contoso-my.sharepoint.com/:w:/g/personal/jdoe_contoso_onmicrosoft_com/EVuFCPmKOmNDs7FzbTKGt7wBxdHHpbjDMOzy3_ng2KHCAQ"
}
},
{
"id": "8a03ff0b-5196-4585-b8a9-4d95115e10c2",
"roles": [
"read"
],
"link": {
"scope": "anonymous",
"type": "view",
"webUrl": "https://contoso-my.sharepoint.com/:w:/g/personal/jdoe_contoso_onmicrosoft_com/EVuFCPmKOmNDs7FzbTKGt7wB8wPZsfAqSd-IQYE337GDjg"
}
},
{
"id": "aTowIy5mfG1lbWJlcnNoaXB8dmdyZW1AbWVkaWFkZXY4OC5vbm1pY3Jvc29mdC5jb20",
"roles": [
"owner"
],
"grantedTo": {
"user": {
"email": "jdoe#contoso.onmicrosoft.com",
"id": "1ee49b6f-4632-4806-a4dd-e065844f9cd1",
"displayName": "Jon Doe"
}
}
}
]
}
The following example demonstrates how to print Permissions resource Roles property via msgraph-sdk-dotnet:
var item = await graphClient.Drives[driveId].Items[itemId].Request().Expand("Permissions").GetAsync();
foreach (var permission in item.Permissions)
{
var roleNames = String.Join(", ", permission.Roles.ToArray());
Console.WriteLine(roleNames);
}