4

I want my server application to interact with its own Excel files using Microsoft Graph. That is, the files belong to the application, not a particular user of the application.

I have registered an application with Azure AD and granted the "Have full access to all files user can access" permission for Microsoft Graph.

I am trying to use OAuth Resource Owner Password Credentials Grant.

I can get an authorization token like this:

POST https://login.microsoftonline.com/common/oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type=password
&resource=https://graph.microsoft.com
&client_id=<ID of application registered with Azure AD>
&username=<Microsoft username>
&password=<password>&scope=Files.ReadWrite.All

But the response only indicates scope User.Read:

{
  "token_type": "Bearer",
  "scope": "User.Read",
  "expires_in": "3600",
  "ext_expires_in": "0",
  "expires_on": "1494467388",
  "not_before": "1494463488",
  "resource": "https://graph.microsoft.com",
  "access_token": "eyJ0e...",
  "refresh_token": "AQAB..."
}

And when I try to list files in the account's OneDrive, I do not get an error, but the response contains no items:

Request:
GET https://graph.microsoft.com/v1.0/me/drive/root/children
Authorization: bearer eyJ0e...

Response:
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users('<account ID>')/drive/root/children",
  "value": []
}

When I make the same request in Graph Explorer while logged in with the same account, the response includes all the items in that account's OneDrive root.

I understand that Microsoft Graph does not currently support application-only file access when authorized via the OAuth Client Credentials Grant (as per the instructions for calling Microsoft Graph in a service), but since I am getting authorization for a particular user account (not just the application), I would expect to get access to that user's files.

Am I doing something wrong, or is file access not supported using Resource Owner Password Credentials Grant either?

If the latter, how can I allow my application to use user credentials to manipulate Excel files via Microsoft Graph without user interaction?

UPDATE:

I have had administrator permissions assigned to the account I am using, and reset the application permissions for Microsoft Graph in the Azure Portal, but it is still not working for me.

Here are details of the account I am using:

[screenshot: details of the account being used]

Ergwun
  • It is not clear where the file itself is stored. In other words, where do you want to store the Excel files? If it is under admin's own OneDrive, then you can just cache the refresh token on server side and use regular file read/write permission. – Sudhi Ramamurthy May 11 '17 at 22:28
  • One more thought - SharePoint team site maybe another option to store Excel files outside of an individual user's drive. – Sudhi Ramamurthy May 11 '17 at 22:41
  • @SudhiRamamurthy I am storing the files in the OneDrive root for the user account I am logging in with. I believe I have to use a user's account because when authorizing app-only you cannot get file permissions. Thanks for the suggestion for using SharePoint team site. I will look into that. – Ergwun May 12 '17 at 01:34

2 Answers

2

Please try clicking Grant Permissions (better using an admin account) in the "Required permissions" blade after granting the "Have full access to all files user can access" permission for Microsoft Graph: [screenshot: Grant Permissions button in the Required permissions blade]

After that, acquire a token using the Resource Owner Password flow; you will find Files.ReadWrite.All in the scp claim. Then you can call the Microsoft Graph API to list files.

Update

Here are the steps I followed to make the resource owner flow work:

  1. Register a native app and add the "Have full access to all files user can access" delegated permission for Microsoft Graph (without clicking the Grant Permissions button shown in the picture above). Using the Resource Owner Password Credentials Grant to get an access token, I only find User.Read in the scp claim:

    POST https://login.microsoftonline.com/common/oauth2/token
    Content-Type: application/x-www-form-urlencoded

    grant_type=password
    &client_id=XXXXXXXXXX
    &resource=https://graph.microsoft.com/
    &username=XXXXXX
    &password=XXXXXXX

  2. Click the Grant Permissions button shown in the picture above. Now, using the Resource Owner Password Credentials Grant to get an access token, you will find Files.ReadWrite.All User.Read in the scp claim:

[screenshot: decoded token showing "Files.ReadWrite.All User.Read" in the scp claim]

Nan Yu
  • I had already granted "Have full access to all files user can access", and can see it has a checked checkbox when I go into the permissions in the app registration in Azure portal. I don't know if I have an admin account though. If I can grant that permission, does that mean I have admin rights? – Ergwun May 11 '17 at 12:39
  • You can consent to the permissions on behalf of yourself. An admin can consent to an application's delegated permissions on behalf of all the users in the tenant. I reproduced your issue; after granting permission, the resource owner flow works. Please try it and let me know whether it works. – Nan Yu May 12 '17 at 01:55
  • I have had admin permissions assigned to my account, and have re-granted the Microsoft Graph permissions for my registered application in Azure Portal, but it is still not working. See my question update for the details of the account I am using. The behaviour is still exactly as described in my original question. – Ergwun May 17 '17 at 12:34
  • It's working for me now! I think I hadn't grasped the difference between assigning and saving the permissions in the "Enable Access" panel, and actually clicking the "Grant Permissions" button, despite your explicit instructions (and red outline) which were very clear in retrospect. Thanks very much for your help! – Ergwun May 18 '17 at 04:44
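The check the accepted answer describes, inspecting the scp claim of the token returned by the password grant before calling Graph, as an added example (not code from the question or the answers). It uses only the standard library; the token request uses the fields from the question, the environment variable names are this example's own choice, and the decoding deliberately skips signature verification because it only inspects a token just issued to the caller itself.

```python
"""Check the scp claim of an Azure AD (v1 endpoint) access token before calling
Graph. Added example, not code from the question or answers; stdlib only. The
token request below runs only under __main__ with credentials in env vars."""
import base64
import json
import os
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/token"

def decode_jwt_claims(token: str) -> dict:
    """Payload of a JWT WITHOUT signature verification: fine for inspecting a
    token just issued to us, never for trusting a token presented by a caller."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def granted_scopes(token: str) -> set:
    """Delegated scopes from the space-separated scp claim (empty if absent)."""
    return set(decode_jwt_claims(token).get("scp", "").split())

def missing_scopes(token: str, required=("Files.ReadWrite.All",)) -> set:
    """Required scopes that consent has not yet granted. A non-empty result means
    the fix is Grant Permissions in the portal, not retrying the Graph call."""
    return set(required) - granted_scopes(token)

def unsigned_token(claims: dict) -> str:
    """Constructed unsigned token (alg none) so the parsing can be tested offline."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."

def ropc_token(client_id: str, username: str, password: str) -> dict:
    """Resource Owner Password Credentials request with the fields from the question."""
    form = {"grant_type": "password", "resource": "https://graph.microsoft.com",
            "client_id": client_id, "username": username, "password": password}
    with urllib.request.urlopen(TOKEN_URL, data=urllib.parse.urlencode(form).encode()) as r:
        return json.load(r)

if __name__ == "__main__":  # env var names are this example's own choice
    e = os.environ
    missing = missing_scopes(ropc_token(e["AAD_CLIENT_ID"], e["AAD_USERNAME"], e["AAD_PASSWORD"])["access_token"])
    print("consent missing for", missing if missing else "nothing; safe to call /me/drive/root/children")
```

An empty `value` array from `/me/drive/root/children` with only `User.Read` in scp is the symptom in the question; this check turns it into an explicit diagnosis before any Graph call is made.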
0

The issue with this is due to permissions on the Graph API. The reason is that since you are logged in under a specific user in the Microsoft Graph Explorer, you are able to see everything ... due to the fact that you have authenticated as a single person ... the reason you see nothing is that the app-only permissions do not work.

jdave
  • But I am using "Resource Owner Password Credentials Grant" so I AM logged in as a specific user, but still can't see that user's files, even though I have granted permission "Have full access to all files user can access". The strange thing is I do not get an error response (e.g. unauthorized) - just an empty array in the response. The `` in the response to the request to get all files in drive root, is the correct ID for the logged in user. – Ergwun May 12 '17 at 01:31
  • This question seems to be a topic that is best answered by Microsoft Team. However, I do believe Microsoft may have allowed the permissions for different authentication flows - the support for actually retrieving data doesn't seem to work. I suggest creating a post on SO and add 'Microsoft graph'. – jdave May 12 '17 at 01:35
  • Not sure what you mean. This *is* a post on SO tagged microsoftgraph. – Ergwun May 12 '17 at 10:55
  • Ergwun, we are also looking to connect to OneDrive from the application to upload the file without asking for user credentials. Looks like you have got this working. I am also using the Graph API to connect to OneDrive. I am unable to locate the API to authenticate the user. Does it work only with an Azure AD work/school account? Can it work with a personal OneDrive account? Thank you! – user1019444 Jun 18 '18 at 03:20