I am trying to use the graph API (v1.0) to search for files and folders within our team's sharepoint/onedrive folders but when using an app-only token I consistently get no results for any /search(...) request I try.
I have an registered and application with https://apps.dev.microsoft.com and have requested and granted consent for the permissions stated in the API Documentation;
User.ReadWrite.All, Group.Read.All, Sites.Read.All, Sites.ReadWrite.All, Group.ReadWrite.All, Sites.Manage.All, Files.ReadWrite.All, User.Read.All, Files.Read.All, Sites.FullControl.All
When I request a token from https://login.microsoftonline.com/ I can see the granted permissions in the payload.
Using this token I can successfully access the drive and retrieve information about its contents using drive/root
I have a small test folder structure that contains a few simple text files.
I can confirm that this token gives me access to my files and folders by calling drives/{driveid}/items/{folderid}/children recursively to build a complete tree structure.
However, when I try to search the drive for filenames or text phrases that I know exist I get no results at all, no matter what combination of paths or search terms I use. I've never seen a search result from an app-only token.
Examples that I've tried;
sites/root/drive/search(q='test')
drive/root/search(q='test')
drives/{driveid}/search(q='test')
drives/{driveid}/root/search(q='test')
The phrase "test" exists both as a filename and also within the text content of some of the files.
I get an HTTP:200 response but the value collection https://graph.microsoft.com/v1.0/$metadata#Collection(driveItem) is always empty.
I'm building http requests in my application (Coldfusion), not using a SDK.
I wondered if I was having encoding problems so have tried various approaches of url-encoding the search part of the url (q='test') etc.
I've also tried running the same requests with Postman and cUrl but the results are the same. Empty.
The only thing that works is when I try the same searches using the Graph Explorer I get the results I would expect to see.
I know that Explorer uses a different type of token so I'm wondering if this is and issues related to my token being app-only.
Does anyone know if .../search() actually work for app-only tokens?
Does anyone know if .../search() actually work for app-only tokens?
The answer is yes, ../search() actually work for app-only tokens
Based on my test, the following search API works well for app-only token
https://graph.microsoft.com/v1.0/drive/root/microsoft.graph.search(q='test')
https://graph.microsoft.com/v1.0/drives/{driveid}/root/microsoft.graph.search(q='test')
https://graph.microsoft.com/v1.0/drives/{driveid}/microsoft.graph.search(q='test')
https://graph.microsoft.com/v1.0/sites/root/drive/search(q='test')
For permission config, just put "Files.Read.All, Files.ReadWrite.All, Sites.Read.All, Sites.ReadWrite.All" into the GraphScopes in the project config file as docs states.
Above answer is based on your description:****register app in http://apps.dev.microsoft.com/. You can ignore the SDK although it is the best choice. If you don't have a project config with GraphScopes, you need to pass the scope to auth request, it is difficult for operation.
If your app-only mean register app in SharePoint online, then the Graph Search API won't work. SharePoint doesn't share AccessToken with Graph directly.
Here is the same question again. The answer has been commented by a microsoft developer. He confirmed, it was a bug.
Related
I am facing a weird issue with microsoft's graph api.
I am trying to retrieve files stored on Sharepoint. I don't know what the issue is and I have tried a lot of different things:
Call to get all drives for the site works and returns a list of all available drives:
GET https://graph.microsoft.com/v1.0/sites/site.sharepoint.com,<id>,<id>:/teams/myTeam:/drives
Via the previous endpoint I can extract the id for that drive with which I would then like to retrieve drive details (and in consequence all children of that drive):
GET https://graph.microsoft.com/v1.0/sites/site.sharepoint.com,<id>,<id>:/teams/myTeam:/drives/<driveId>
GET https://graph.microsoft.com/v1.0/sites/site.sharepoint.com,<id>,<id>:/teams/myTeam:/drives/<driveId>/root
GET https://graph.microsoft.com/v1.0/sites/site.sharepoint.com,<id>,<id>:/teams/myTeam:/drives/<driveId>/root/children
But all 3 above endpoints throw a 400 Bad Request Error with message: Url specified is invalid.
Additional information:
My access token has the following scopes: Sites.FullControl.All User.Read profile openid email
I am able to retrieve an individual drive item through the list endpoints (but the folder structure is quite complex and I need to list several layers of folders/files - this is why I believe the syntax with drive would be a lot more convenient):
GET https://graph.microsoft.com/v1.0/sites/site.sharepoint.com,<id>,<id>:/teams/myTeam:/lists/<list-id>/items/<item-id>/driveItem
via the field parentReference I am also able to fetch the driveId and even the relative path (/drives/<drive-id>/root:) but I also have no idea how I would get the content from that.
Help is greatly appreciated as I have been stuck for a long time now - thank you!
Try with the below HTTP call.
https://graph.microsoft.com/v1.0/sites/site.sharepoint.com,<id>,<id>/drives/driveid/root/children
It worked for me.
Our setup is an on-premise Exchange Server which is accessible over the graph api. https://learn.microsoft.com/en-us/graph/hybrid-rest-support
We run in the issue, that our token is only "partial" working. And a token created by "Graph-Playground" is fully working. But we can't find any difference.
When I use Graph-Playground or use the token generated by Graph-Playground => all requests are working
When I create a token (over my app registration) => only some requests are working
The token seems to be valid some calls like /me are working, but all calls related to exchange like /me/contacts are failing with this error
Request, they work with token generated by Postman:**
Error:
{ "error": { "code": "MailboxNotEnabledForRESTAPI", "message": "REST API is not yet supported for this mailbox." } }
(that's a very generic error, and mostly don't say anything about the real issue)
Token Generation:
I create my token on the same way as Graph-Playground create the token (OAuth - Implicit flow):
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=token&state=test2&client_id=????&scope=openid%20profile%20User.Read%20email%20Contacts.Read&redirect_uri=????
Token - Analysis:
As a side note, it was working for a few days, nobody changed anything :)
So I have no idea, why the "Graph Playground" can create a working token, and my token only "partially" works. Can you help me?
There is already a thread, but I'm not the owner of it. Also there are no more responses... I can't provide a bounty for a foreign thread, that's why I create a new thread. You can find it here:
MailboxNotEnabledForRESTAPI - Microsoft Graph API integration with HMA Enabled on-premise server
I recognize your error, we see it in several cases (for Office 365):
User has no Exchange license (probably not the case, since it works in the explorer).
Customer tenant has setup additional security.
You can limit applications to certain mailboxes. Maybe there is some kind of setting or policy like this on your local Exchange as well, you have to connect to Exchange Online Powershell to set it, so maybe you can find something there. This is just a wild guess.
To track down this issue I would start checking the local Exchange logs.
Have you tried using the /users/{upn}/calendar endpoint? Maybe it's just that the /me/ part doesn't work.
Microsoft introduced a special folder in OneDrive (I only see it in a personal OneDrive account, not in OneDrive for Business) called "Personal Vault". I searched the documentation of MS Graph API but could not find this mentioned.
So my question is: is there any way to access this personal vault as a third-party app?
Same problem here.
Funny thing is that:
It does not appear in the root children
It appears if you call the delta API where you can see a folder with the
specialFolder attribute not null and whose specialFolder.name is
"vault". This specialFolder, though, has the deleted facet, with the
state set to "hardDeleted". If you extract the ID from the delta API
call and try to address the folder directly with
https://graph.microsoft.com/v1.0/me/drive/items/{id}, however, you
get an access denied error
I am currently working on a solution that is accessing OneDrive in Office 365 using Microsoft Graph. I am using the adal4j library to handle authentication and have configured the app in portal.azure.com.
My question relates the call to get the children for a specified drive. I am using a query similar to the one shown below, as I want to get folders and files at the root level of a specified users drive:
https://graph.microsoft.com/v1.0/users/*user id*/drives/*drive id*/root/children
When I login to the Graph Explorer and execute the query, I get a json result showing the root folder contents for the drive and user specified. All works as expected.
When I call it from my java application, the JSON node value is empty ([]).
Initially my thought was, because the Graph Explorer uses a different app id in the portal it was possibly something to do with access rights. However, I successfully read user profiles in our O365 tenant, the drive id's for each user, and if I execute the following:
https://graph.microsoft.com/v1.0/users/*user id*/drives/*drive id*/root/search(q='')
It provides me a complete list of all of the folders, sub folders etc within the appropriate user's drive.
Therefore, making me think this is a bug with the Graph query I am attempting to use rather than an authorization issue, but, that wouldn't explain why it works in the Graph Explorer.
The same java method is used for all calls, and the url is passed in as a parameter.
Just to follow up, the azure portal app permissions has the capability of adding permissions for the graph api. This was, indeed the problem. It would appear that the search was ignoring the permission and successfully reading the data whereas the /children call was honouring the security model. This caused a lot of confusion, but is now resolved.
Thanks Marc for your help.
Previously if I request app.asana.com/api/1.0/workspaces into a browser (after I had logged into Asana) it was returning all of my workspace ID's.
But currently it is not working and shows the error :- "{"errors":[{"message":"Not Authorized"}]}".
Is there any other solutions to get my asana workspace IDs?
Thank You,
(I work at Asana.) We're sorry for the inconvenience - this was a security hole and we had to close it, as we wrote on our API updates feed. If you're writing an app for others to use, Oauth is the most appropriate and secure way to access the users' data. If you're writing a simple script, you can use your API key. This can be done through a browser, but by using JavaScript and not just making requests in the browser location bar.