Graph API: how to access a shared driveItem from an external tenant

Stephan Methner 116 Reputation points
2021-02-22T18:46:50.923+00:00

Hi there,

@DanstanOnyango-6080

I'm trying to share an Excel file to another tenant user using my M365 app. The procedure that I'm describing works fine inside my own tenant.

In my example a user "stephan@a99.loc" shares an Excel file to a user "stephan@b07.loc" (different tenant).

The sender (a99.loc) can execute the file link inside Graph Explorer without problems:
https://graph.microsoft.com/v1.0/drives/b!WWpg2iE5G0eg5c8n4pIe1AH4UNNPmuNHmXLHxQW2L9QS2KywdKQ5RKdYB_W_3fIz/items/01DG3P2BNVROUU2EZALBDIBHU37VPJHKAS

The permissions for this file should allow the access for the external user:

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#drives('b%21WWpg2iE5G0eg5c8n4pIe1AH4UNNPmuNHmXLHxQW2L9QS2KywdKQ5RKdYB_W_3fIz')/items('01DG3P2BNVROUU2EZALBDIBHU37VPJHKAS')/permissions",
    "value": [
        {
            "hasPassword": false,
            "id": "003baa55-4822-45ec-adcd-64e96627dab9",
            "roles": [
                "write"
            ],
            "link": {
                "preventsDownload": false,
                "scope": "anonymous",
                "type": "edit",
                "webUrl": "https://a99loc-my.sharepoint.com/:x:/g/personal/stephan_a99_loc/EbWLqU0TIFhGgJ6b_V6TqBIBvxnrPp6V7jeBkrlj_-zoGg"
            }
        },
        {
            "id": "aTowIy5mfG1lbWJlcnNoaXB8c3RlcGhhbl9haXJyYW5nZS5pbyNleHQjQG5ldG9yZ2Z0Njg2MzgxOC5vbm1pY3Jvc29mdC5jb20",
            "roles": [
                "write"
            ],
            "grantedTo": {
                "user": {
                    "email": "stephan@b07.loc",
                    "id": "c97e62cd-769b-4e19-89c0-652be3544e45",
                    "displayName": "Stephan B07"
                }
            }
        },
        {
            "id": "aTowIy5mfG1lbWJlcnNoaXB8c3RlcGhhbkBwaXBldHJlbmQuaW8",
            "roles": [
                "owner"
            ],
            "grantedTo": {
                "user": {
                    "email": "stephan@a99.loc",
                    "id": "13dd3943-fca8-4a28-8202-eb95b6e7ca88",
                    "displayName": "Stephan A99"
                }
            }
        }
    ]
}

The external user (airrange.io) will get an error with the same link (I think he has no access to the driveId of the sender):

{  
    "error": {  
        "code": "invalidRequest",  
        "message": "Invalid request",  
        "innerError": {  
            "date": "2021-02-22T18:27:26",  
            "request-id": "e61ae0fb-4738-4d46-be91-00bd86342b9e",  
            "client-request-id": "1e1299bb-5861-d576-ce47-ca91dcf4a2f9"  
        }  
    }  
}  

When I create a share link based on the driveId and driveItemId it works fine internally:

https://graph.microsoft.com/v1.0/shares/u!aHR0cHM6Ly9uZXRvcmdmdDY4NjM4MTgtbXkuc2hhcmVwb2ludC5jb20vOng6L2cvcGVyc29uYWwvc3RlcGhhbl9waXBldHJlbmRfaW8vRWJXTHFVMFRJRmhHZ0o2Yl9WNlRxQklCdnhuclBwNlY3amVCa3Jsal8tem9HZw/driveItem  

But I'm getting an error for stephan@b07.loc (the external user):

{  
    "error": {  
        "code": "unauthenticated",  
        "message": "Invalid audience Uri 'https://b07loc.sharepoint.com/'.",  
        "innerError": {  
            "code": "invalidAudienceUri",  
            "date": "2021-02-22T18:37:31",  
            "request-id": "3785763a-74c8-4fe1-8726-4cb195d65445",  
            "client-request-id": "c06d7e9f-e3ff-88a7-bca4-5d6dfc712caa"  
        }  
    }  
}  

Running the WebUrl for displaying the Excel works fine for the external user.

How can I share an Excel file (using Graph API) with an external user (also using Graph API)?

Thanks in advance

Best
Stephan
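The second request in the question builds a `/shares/{token}/driveItem` URL from a sharing link. The token is the sharing URL base64-encoded, with the `=` padding dropped, `/` replaced by `_` and `+` by `-`, and prefixed with `u!`. The helper below is an added example (not code from the question or from Microsoft) that performs that encoding, reverses it, and extracts the SharePoint host the sharing URL points at; that host is the resource an access token must be issued for, which is the kind of mismatch the `invalidAudienceUri` error in the question reports. The `WEB_URL` value is the `webUrl` already shown in the permissions output above; the function names are my own.

```python
import base64
from urllib.parse import urlparse

# The anonymous edit link from the permissions listing in the question.
WEB_URL = ("https://a99loc-my.sharepoint.com/:x:/g/personal/stephan_a99_loc/"
           "EbWLqU0TIFhGgJ6b_V6TqBIBvxnrPp6V7jeBkrlj_-zoGg")

GRAPH_BASE = "https://graph.microsoft.com/v1.0"


def encode_sharing_url(url: str) -> str:
    """Turn a SharePoint/OneDrive sharing URL into a Graph /shares token.

    Steps: base64-encode the UTF-8 URL, strip '=' padding, make the result
    URL-safe ('/' -> '_', '+' -> '-') and prefix it with 'u!'.
    """
    raw = base64.b64encode(url.encode("utf-8")).decode("ascii")
    token = raw.rstrip("=").replace("/", "_").replace("+", "-")
    return "u!" + token


def decode_sharing_token(token: str) -> str:
    """Reverse encode_sharing_url(); raises ValueError for non-URL tokens."""
    if not token.startswith("u!"):
        raise ValueError("not a URL-based sharing token (expected 'u!' prefix)")
    body = token[2:].replace("_", "/").replace("-", "+")
    body += "=" * (-len(body) % 4)          # restore the dropped padding
    return base64.b64decode(body).decode("utf-8")


def sharing_host(token: str) -> str:
    """Host of the sharing URL, i.e. the SharePoint tenant that owns the item.

    A caller can compare this against the tenant its access token was issued
    for before calling Graph, instead of learning about the mismatch from an
    'invalidAudienceUri' error.
    """
    return urlparse(decode_sharing_token(token)).netloc


def shares_endpoint(url: str) -> str:
    """Full Graph URL that resolves a sharing link to its driveItem."""
    return f"{GRAPH_BASE}/shares/{encode_sharing_url(url)}/driveItem"


if __name__ == "__main__":
    tok = encode_sharing_url(WEB_URL)
    print(shares_endpoint(WEB_URL))
    print("item is hosted by:", sharing_host(tok))
```

Run it as a script to see the `/shares` URL for the link above; `sharing_host()` is the value to check against the tenant that issued the caller's token before sending the request.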

  1. Stephan Methner 116 Reputation points
    2021-02-26T00:17:15.42+00:00

    Hi @shashishailaj-msft and @zemuldo,

    Thanks for your help. I appreciate it a lot.

    You are right - it is a GoDaddy account (sender and receiver).

    I'm creating the invitations using Graph API (/createLink), and it works fine inside one tenant ("sendInvitationMessage": false).

    The resulting external permissions also look good from my point of view ("grantedTo" information). The WebUrl works for the external receiver.

    Should this (how I tried it) external sharing work under normal circumstances (big license)? Using a driveId and a driveItemId - or a "/shares/"-URL? My app is a multi-tenant singlePageApp. Actually I'm only getting the tokens from the user's own tenant.

    I've read in an article that the external receiver needs to get an access token for this file from the sending tenant. Is this true?

    Would it perhaps be possible that I share one test file with one of you? Do you have test emails? So you could check on your side (with a regular license) if the file link is accessible.

    I will try adding this B2B sharing API (/invitations) prior to sharing the file.

    Thanks in advance

    Greetings from Munich
    Stephan