tBStar avatar image
0 Votes"
tBStar asked Deva-MSFT action

AD External user can't get access to personal One-Drive through .NET Core Web API using MS Graph API

This has been troubling me for some time now most likely due to my lack of understanding of how things work. Although, I managed to secure both a Client React and a .NET Web API, I am still struggling with listing files of authenticated users from their personal One Drive account. So really the question is, can a member of a private organization/tenant have access to his/her One Drive from the applications secured by the same organization he/she belongs to without having an O365 personal license?
Back Story:

  • I created a new tenant called Valhalla

  • This tenant is lined to an O365 license

  • I registered 2 apps, 1 Client React and 1 Web API

  • I configured an access scope and added MS Graph proper scopes to the API. Most notably, Files.*

  • I created 2 applications, 1 React Client and 1 .NET Core Web API

  • React Client authenticates the client and uses the access token to communicate with the .NET Core Web API

  • The .NET Core Web API in turn, requests another token of behalf of flow to MS Graph

  • Both applications are secured with the tenant and app registration information.

  • Valkyrie is a new user invited and becomes a full member of the clan

  • Valkyrie has no O365 license

  • Valkyrie has only a personal One Drive

  • Valkyrie wishes to see a listing of files from her personal One Drive account on the React Client

  • Valkyrie gets the humiliating treatment of the notAllowed" followed by "You do not have access to create this personal site or you do not have a valid license"

  • Valkyrie doesn't understand since the consent has been given by the admin

Implementation: The Postman way

Step 1: Authorization Code Flow

Step 2: Request Access/Refresh Tokens
redirect_uri: http://localhost:3000/signin-oidc
client_id: {My_React_Client_Id}
grant_type: authorization_code
code: {My_Code_From_Above}
code_verifier: {My_Code_Verifier}

Step 3: User Access Application Data

Step 4: On-Behalf-Of flow
Here the Web API requests a new token to call MS Graph to list Personal One Drive files

client_id: {My_WebAPI_Client_Id}
grant_type: urn:ietf:params:oauth:grant-type:jwt-bearer
assertion: {Access_Token_From_Above}
requested_token_use: on_behalf_of

At this point I get an access with the following scopes:
"scope": "profile openid email",

Step 5: Access MS Graph Resources
Authorization: Bearer + Token from above

{ "error": { "code": "notAllowed", "message": "You do not have access to create this personal site or you do not have a valid license", "innerError": { "date": "2021-04-10T15:59:38", "request-id": "5d9c489d-6737-413f-88b9-c19ff93edf9d", "client-request-id": "5d9c489d-6737-413f-88b9-c19ff93edf9d" } } }

Please help

· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

  • Check whether you have the necessary permissions/scopes in the token? You can validate the same using as well

  • Can you access the same onedrive using Microsoft Graph Explorer or not?

0 Votes 0 ·

I checked the scopes from when I do OBO request, it lists all of the scopes I needed

"scope": "profile openid email"

Can you access the same onedrive using Microsoft Graph Explorer or not?
I haven't tried but I am thinking about our external users that will be logging in, they don't need to be aware of MS Graph, they just need to access their own personal One Drive files.

0 Votes 0 ·

0 Answers