Permission Denied when using Graph API service to call Sharepoint with an Azure AD Guest account

[deck05]

My app is using Azure AD as an entry point to access both Sharepoint and website.

Good Case Scenario:
I login as an AD user, the app runs as it should. I can use both Graph Api and PNP SP to retrieve data from Sharepoint.

Issue:
If an external user (i.e. gmail, yahoo accounts) is used, the Graph Api throws permission denied error. I added the account on both the Azure AD and added it to the Sharepoint users. If I login to Sharepoint manually as an external user, the site will run perfectly fine. My guess is that the token that Graph API uses does not have the correct permissions to consume Sharepoint services. Can you please help?

Category

• Question
• Documentation issue
• Bug

Thank you for your contribution to OneDrive API Docs. We will be triaging your incoming issue as soon as possible.

[chackman]

The issue that you are encountering is not clear.

Please provide more information about what type of consent is used, what permissions it has been granted to in Microsoft Graph, and how the application is getting a token from AAD. Also are the expected permissions returned in the token?

[mahpour]

We use admin consent and we have Sites.Read.All, Sites.ReadWrite.All on SharePoint node. We get the tokens using code flow for Accessing Microsoft Graph APIs.

The problem is all calls work for internal organization users and token provided for those can perform all expected operations. The token is not provided when a guest AAD user which is invited into O365 group makes a request. It simply returns null. But if the same guest logs in to SharePoint UI directly once then the token is issued on next attempt and user can interact with SharePoint Graph API through our SPA app.

[chackman]

This sounds like a potential question for AAD. Could you please help clarify if I have understood the steps properly?

1. Your AAD application has specified a set of required permissions for the Microsoft Graph resource, including Sites.Read.All and Sites.ReadWrite.All permission scopes.
2. The admin has consented on behalf of all users in their organization.
3. The admin invites a new guest user to the organization.
   Question: how is the new guest user invited to the organization? Is it via the AAD portal, as referenced by the "Invite guests" topic here?
4. Your application gets a token with delegated permissions targeting the Microsoft Graph resource.
   4a. If the user is internal to the organization, then the token has the Sites.Read.All and Sites.ReadWrite.All permission scopes.
   4b. If the user is a guest user to the organization, and has redeemed the invitation, then the token has the Sites.Read.All and Sites.ReadWrite.All permission scopes.
   4c. If the user is a new guest user to the organization, and has not redeemed the invitation, then the token is empty.

[mahpour]

It’s almost correct.

3. We use SharePoint package for Azure AD to perform the guest invitations. Then we add those users to the Office 365 group that is linked to our particular SharePoint site group.

Step 4b. Is the scenario that guest users can authenticate via SSO but cannot access the SharePoint resources within that O365 group. But if they login to SharePoint UI directly using their guest account then they are able to access the SharePoint apis via Graph.

4c. Is not an issue since users don’t have a Microsoft account to pass authentication step.

This issue has been automatically marked as stale because it has marked as requiring author feedback but has not had any activity for 10 days. It will be closed if no further activity occurs within 10 days of this comment. Thank you for your contributions to OneDrive API Docs!

[mahpour]

We have provided details on this issue and have not received any updates. @chackman has anyone looked at this ?