better-solutions-dot-com asked saldana-msft edited

Can guests use MS Graph to pull documents from our SharePoint site ?

Hi,

We have watched the video and followed all the steps outlined here:
https://docs.microsoft.com/en-us/microsoft-365/solutions/collaborate-in-site?view=o365-worldwide

External Collaboration Settings in External Identities
SharePoint organization-level sharing settings
Created an Extranet Site
SharePoint site-level sharing settings
Added members to the Microsoft 365 Group

We have created a Single Page App that is registered under Azure App Registrations.
This App is using OAuth 2.0 Authorization Code Flow with PKCE.

Everything is working for Internal Users

Is it possible for External Users to pull documents from our SharePoint site using our App with MS Graph ?
The guest is currently signing in as themselves.

https://graph.microsoft.com/v1.0/sites/TENANT.sharepoint.com,f87eaf53-fhgh-4123-ggkk-d60hg86f767e,244g4gyj-7a2c-4fcf-8242-4t4ttey8261b/drive/root:/Document1.docx



Any help or suggestions would be really appreciated
thanks James




1 Answer

CarlZhao-MSFT answered WendyLi-MSFT edited

Hi @better-solutions-dot-com

Of course, external users can also use your app with MS Graph to pull documents from your SharePoint site. Before that, make sure you have added external users as guests to your tenant for collaboration. Also, be sure to use the /tenant id endpoint instead of the /common endpoint when you get the token, to ensure your external users are logged in as guests of the tenant.
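
As an added example (not part of the original answer, and not Microsoft's code), the JavaScript below builds the authorization request against either authority and uses the `tid` claim of an ID token to check which tenant the user signed in to. The tenant IDs, client ID, redirect URI, scopes and the unsigned sample tokens are constructed placeholders.

```javascript
// Added example. Tenant IDs, client ID and tokens are constructed placeholders.
const RESOURCE_TENANT = "11111111-1111-1111-1111-111111111111"; // tenant hosting the site
const HOME_TENANT = "22222222-2222-2222-2222-222222222222";     // guest's own tenant

// Authorize URL for the authorization code flow with PKCE.
// `authority` is "common" or a tenant ID; only that path segment differs.
function buildAuthorizeUrl(authority, req) {
  const url = new URL(
    `https://login.microsoftonline.com/${encodeURIComponent(authority)}/oauth2/v2.0/authorize`);
  url.search = new URLSearchParams({
    client_id: req.clientId,
    response_type: "code",
    redirect_uri: req.redirectUri,
    scope: req.scopes.join(" "),
    code_challenge: req.codeChallenge,
    code_challenge_method: "S256",
  }).toString();
  return url.toString();
}

const b64urlToText = (s) =>
  atob(s.replace(/-/g, "+").replace(/_/g, "/").padEnd(Math.ceil(s.length / 4) * 4, "="));
const textToB64url = (t) =>
  btoa(t).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

// Decode the payload of a compact JWT. No signature check: diagnostic use only,
// on an ID token that the auth library has already validated.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(b64urlToText(parts[1]));
}

// Was the ID token issued by the tenant that hosts the SharePoint site?
function checkSignInTenant(idToken, resourceTenantId) {
  const { tid } = decodeJwtPayload(idToken);
  if (typeof tid !== "string") return { ok: false, reason: "no tid claim" };
  const ok = tid.toLowerCase() === resourceTenantId.toLowerCase();
  return ok ? { ok, tid } : { ok, tid, reason: "signed in to a different tenant" };
}

// Constructed, unsigned sample token used only to exercise the check.
const sampleToken = (claims) =>
  [textToB64url('{"alg":"none"}'), textToB64url(JSON.stringify(claims)), "sig"].join(".");

console.log(checkSignInTenant(sampleToken({ tid: HOME_TENANT }), RESOURCE_TENANT));
console.log(checkSignInTenant(sampleToken({ tid: RESOURCE_TENANT }), RESOURCE_TENANT));
```

Logging the result of `checkSignInTenant` next to the authority the app was configured with makes it easy to see whether a guest's session belongs to the tenant that owns the documents.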



Hi @CarlZhao-MSFT

Thank you for the reply.

use the /tenant id endpoint instead of the /common endpoint when you get the token to ensure your external users are logged in as guests of the tenant.

I am not sure what the difference is between these 2 endpoints.
I am assuming that we are using the /common endpoint

Let me do some reading up / searching online on this

many thanks

CarlZhao-MSFT replied to better-solutions-dot-com:

Hi @better-solutions-dot-com The /common endpoint defaults to making your external account log in as a personal account, and the /tenant id endpoint defaults to making your external account log in as an organizational work account. See this link.


Thank you for the explanation.

Changing the URL endpoint from /common to /tenant-id has definitely helped.


If the external user uses the app they are getting:

{"error":{"code":"accessDenied",
"message":"There has been an error authenticating the request.",
"innerError":{"date":"2022-01-12T20:25:34","request-id":"ece2a08c-5622-4e96-92b1-05a2f1a50ed3","client-request-id":"ece2a08c-5622-4e96-92b1-05a2f1a50ed3"}}}

If the external user logs into SharePoint directly, they are able to access the file.

If the external user goes back and tries the App again, then the call is successful and there is no "access denied" error message.


Could it be something to do with the admin of the external user account having to consent on behalf of that user in that organization ?

Could you confirm that this known bug was resolved please ?

https://github.com/OneDrive/onedrive-api-docs/issues/1039
