Tenant does not have a SPO license

Question

I have an error while trying to use Microsoft Graph to write a script to upload an Excel file to OneDrive then read the Excel file.

I followed Microsoft documentation to obtain the access token without user. I successfully got an access token but I got an error while using the access token to call the OneDrive API.

Here is the response:

{
    "error": {
        "code": "BadRequest",
        "message": "Tenant does not have a SPO license.",
        "innerError": {
            "request-id": "5ec31d17-3aea-469f-9078-de3608f11d0d",
            "date": "2017-10-10T04:34:05"
        }
    }
}

I don't understand why I need to have SPO license while calling graph API and how to get it. Because of this error message so I'm trying to buy a SPO license.

According to this document, I think I should see many products in the license pages but while logging in with Azure Portal and go to the License page, I see only 2 products: Azure AD Premium and Enterprise Mobility Suite:

screenshot

Off topic as licensing question – bummi Oct 18 '17 at 04:15 — bummi, Oct 18 '17 at 04:15

score 22 · Answer 1 · answered Mar 07 '19 at 04:31

22

In case anyone else has a similar issue, I was getting the same error message when using an Office 365 Home license. It turns out SPO stands for SharePoint Online, and you need an Office 365 Business account to have it. So as far as I can tell, you can't use the Microsoft Graph API to access OneDrive without having SharePoint (which only comes with the business licenses). This isn't really made clear anywhere that I could find.

answered Mar 07 '19 at 04:31

crimson_penguin

2,728
1
17
24

2

Is there another API besides the Microsoft Graph API to access OneDrive with an Office 365 Home license? – tom May 28 '20 at 13:07
1

I'm really not sure, sorry! – crimson_penguin May 28 '20 at 19:44
1

@crimson_penguin, this information is partially right. You can use your personal account to access Graph API as I pointed in [here](https://stackoverflow.com/questions/46802055/tenant-does-not-have-a-spo-license/66733599#66733599). But in fact, if you are using a business account this information is true, you will need to buy a business license. Check Graph Explorer https://developer.microsoft.com/en-us/graph/graph-explorer to explorer what is possible with your account. – Augusto Icaro Mar 21 '21 at 14:45

score 15 · Accepted Answer · answered Oct 21 '17 at 23:24

15

Answering a couple of things here.

Background: Microsoft Graph is the developer gateway or API to many Microsoft cloud services, like Office 365, Azure Active Directory, EMS (Enterprise Mobility Suite), personal Outlook, personal OneDrive and more. Use of the API is free, but to access the data behind it, you need to actually have those services - in some cases they may be free and in other cases you may need to pay for them.

As for adding Office 365 to your existing tenant. I believe you've signed up for Azure using a Microsoft Account. This means that you already have an Azure Active Directory tenant. You can still purchase/acquire Office 365 for that tenant. All you need to do is create a new Azure AD user (not a Microsoft Account) in your tenant, and make them a company admin. Then you should be able to sign-up for Office 365 - if it asks if you already have a tenant or account, sign in with the AAD account you just created. And voila, you should have an Azure AD tenant with a subscription to Azure AND now a subscription to Office 365.

Hope this helps,

answered Oct 21 '17 at 23:24

Dan Kershaw - MSFT

5,833
1
14
23

Thank you very much, @Dan Kershaw - MSFT :). Your explanation helps me so much. I'll follow your instruction to get O365 subscription for my tenant. According to my needs (service to service call to upload excel file to Onedrive and use MS Excel API to read it), could you please tell me which product is appropriate for me https://products.office.com/en/compare-all-microsoft-office-products?tab=2? – Ken Pham Oct 23 '17 at 03:07
All of them will work for you, since they all include the OneDrive service. Office 365 Business Essentials is the cheapest and probably best bet for you, since it actually will light up more of the Microsoft Graph functionality - should you in the future want to do more than just upload/manipulate Excel files in OneDrive. – Dan Kershaw - MSFT Oct 23 '17 at 16:44
Thank you very much, @Dan :). – Ken Pham Oct 24 '17 at 01:35
This doesn't help exactly... OneDrive has a free personal tier while Office365 is a paid subscription. Are you saying that OneDrive API support only works for those with a paid subscription of Office? (It doesn't work with OneDrive personal?) https://stackoverflow.com/questions/60313963/is-spo-required-for-azure-graph-api-onedrive-api-access-to-read-files-list-an – ina Feb 20 '20 at 06:22
Thank you, I just sign up new account with: https://www.microsoft.com/vi-vn/microsoft-365/business/office-365-enterprise-e3-business-software?lc=1066&activetab=pivot:overviewtab then login Azure with new MSFT account, register new app, set API permission. – Trần Trung Hiếu May 26 '20 at 09:02
1

@DanKershaw-MSFT Could you elaborate more on "make them a company admin"? – Lee Han Kyeol Aug 28 '20 at 00:06
Can I use graph API to upload/read/write onedrive files under my free account (5GB) ? – linrongbin Feb 16 '21 at 23:38
if the `User flow` is used to generate an access token, We can successfully use that access token to access one drive using graph API. If that can be done without any subscription why can't we do the same with other delegated access tokens? MS Docs are really bad. – Lenzman Apr 20 '21 at 08:56
1

I have the same problem, I am uploading a file to my SPO site and I have the same error. I want to follow your instructions to fix it but I don't understand when you say to create a new user in Azure AD and then name it admin. I did it but wanting to subscribe to Office the email address does not allow it. The address of the new user that I have created is of the type: usernew@email_here_admin_of_my_site_azure.onmicrosoft.com which does not allow to create an O365 account – Aug 23 '21 at 06:23

Augusto Icaro · Answer 3 · 2023-07-17T13:54:17.020

In case anyone else has a similar issue, I got the same error message when using a personal Microsoft account, just like OP.

So, if you are using a personal account in a registered Azure Active Directory(AAD) app, that type isn't Personal Microsoft accounts only or Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g., Skype, Xbox) you will get this error. Also, you need to use the correct endpoint to avoid errors.

The main problem is our account type. As a personal account, there are some restrictions to access one drive files. These restrictions are:

You can only use Oauth2 Code Flow or Oauth2 Token Flow. Both are interactive approaches. [1][2]
Your application registered in AAD needs to be Personal Microsoft accounts only or Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox) and each one have a different endpoint to acquire the access token (That you can see clicking on endpoint button, near the delete app button in app page). [3]
Enable these delegated permissions to your application registered in AAD: Files.Read, Files.Read.All, Files.ReadWrite, and Files.ReadWrite.All.

With these restrictions in mind, you can set up a workflow in Postman following these two steps(I'm using endpoints of Personal Microsoft accounts only app type and using Oauth2 Code Flow):

Important note: To use code flow, you need to enable Access tokens in Implicit grant and hybrid flows on Authentication ADD app sidebar menu.

Aquire access token:

https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize?client_id=YOUR_CLIENT_ID&response_type=token&redirect_uri=ONE_OF_REGISTERED_REDIRECT_URI&scope=Files.Read Files.Read.All Files.ReadWrite Files.ReadWrite.All

After you fill in your information on Postman's request, I recommend using a browser and network inspection to log in with a Microsoft account and permit the app. You are getting the access token via network inspection.

List one drive root files:

https://graph.microsoft.com/v1.0/me/drive/root/children
Add a new header:
Authorization
With value:
Bearer ACCESS_TOKE_OF_STEP_1

In my angular application, due to this interactive way restriction to access one drive files, I changed my authentication method to use Microsoft Authentication Library(MSAL) to avoid every time that need to send an API request open a popup window to authenticate a valid Microsoft account.

This will work where users can sign in from a browser. How about if we want to acquire the token using client_credential flow or resource owner flow — Lenzman, Apr 19 '21 at 04:02
@JeffinJ as I said in restriction 1. For personal accounts, you can only use Oauth2 Code Flow or Oauth2 Token Flow, and both are interactive approaches. You only can use lient_credential flow or resource owner flow with a business account. My first attempt was with a client_credential flow, then I found the restrictions and change all my architecture to an interactive approach, as I said at the end of my answer — Augusto Icaro, Apr 20 '21 at 15:07
Have you heard about rclone. It bypasses the user interaction and does this semlessly — Lenzman, Apr 20 '21 at 17:53
@JeffinJ If you are talking about this one https://rclone.org/onedrive/ looks like a good option! I didn't know this option. But now it is too late for me. — Augusto Icaro, Apr 21 '21 at 17:06
This is a good option if you just need to sync files from your server to one drive, or use your server as a temp space to store the files and then upload the files to one drive. rclone handles everything else automatically — Lenzman, Apr 21 '21 at 18:37

score 4 · Answer 4 · answered Oct 18 '17 at 11:51

4

Both OneDrive for Business and the Excel APIs require Office 365. Based on your screenshot, this looks like a standalone Azure Active Directory tenant (i.e. not linked to O365).

The reason for the SPO License message is that OneDrive for Business is a special SharePoint Online document library that is automatically provisioned for users.

answered Oct 18 '17 at 11:51

Marc LaFleur

31,987
4
37
63

Thank you for your help. Do you mean I'll able to use OneDrive and Excel APIs if I buy Office 365? My Microsoft account seems not able to buy Office 365, it seems only available for work account. If I sign up a work account and buy Office 365, how can I link it to my existing Azure Active Directory tenant? – Ken Pham Oct 19 '17 at 03:14
You can use these APIs with your Microsoft Account but you'll need to use the [v2 Endpoint](massivescale.com/microsoft-v2-endpoint-primer/). What you've used to register your app (from the screen shot) is v1 which only supports Work/School accounts. – Marc LaFleur Oct 19 '17 at 15:09
Thank you very much. I have read the post you sent. It does not work for me because what I'm trying to do is "service to service call". The APIs will be called in the background without user, without redirection. The idea is my app will generate a report (Excel file) and I need to upload it to Onedrive and have an ability to read that file (by using APIs). Everything will be uploaded/stored to my Onedrive. Do you think the V2 endpoint can support my needs? Or if you know anything else which can do that, could you please share it with me? – Ken Pham Oct 20 '17 at 04:22
1

You use to service to service (aka the Client Credentials flow) with personal (MSA) accounts. You can use this with work/school (AAD) tenants. This is because your personal OneDrive is part of a public tenant whereas OneDrive for Business is part of a private subscription. You'll need an commercial O365 tenant for this. – Marc LaFleur Oct 20 '17 at 13:33
Thank you for your help, @Marc LaFleur. I wonder if I can use work/school account for Client Credentials flow to access my personal Onedrive? I have tried this way before, but it was not successful. When using the public tenant (https://login.microsoftonline.com/common/oauth2/token) for my work/school account, I could obtain the API access token but I always got error 400 (Bad Request) while calling Onedrive API. Is there the document which can help me to work on this flow? – Ken Pham Oct 23 '17 at 03:21
No, you cannot use Client Credentials with personal OneDrive. When you create an MSA with your work/school email address it is simply creating an MSA with that email address. You end up with two accounts with the same address, they are not linked in any way. – Marc LaFleur Oct 23 '17 at 13:02
I understood. Thank you very much, @Marc. – Ken Pham Oct 24 '17 at 01:33
@Marc LaFleur Have similar issue. My application uses back-end API service(no users), which should interact with my Personal OneDrive. I have registered application in App registration portal. When I am trying to obtain adminconstent by sending request to https://login.microsoftonline.com/common/adminconsent? client_id=&redirect_uri= I get "We are unable to issue tokens from this api version". I tried using AzureAD. Registered my app there. I am able to get access token. However querying Graph API returns "Tenant does not have a SPO license". Please let me know what can I do. Thank you! – Sparrow_ua Oct 09 '18 at 03:21
2

As stated above, you cannot use Client Credentials/App-Only with personal accounts. – Marc LaFleur Oct 09 '18 at 21:08

score 3 · Answer 5 · answered Oct 18 '17 at 11:29

3

Are you able to access the OneDrive contents (including the Excel file) manually through browser after logging in with your account in the same tenant?
If you are able to access the drive and file manually, please use Graph Explorer https://developer.microsoft.com/en-us/graph/graph-explorer to sign in using the same account and make the call to get the Drive contents. When you’re signing-in, you would be presented with a consent page listing the permissions needed to be granted. Please make a note of those permissions and check whether the permission match to those required for accessing the drive.
If you do not have appropriate SPO license yet, you can try setting up a free Office-365 trial account (https://products.office.com/en-in/business/office-365-enterprise-e3-business-software) and test the APIs.

answered Oct 18 '17 at 11:29

MKumar

31
1

1. I'm able to access [Onedrive site](https://onedrive.live.com) to upload an excel file then read it. 2. I'm able to use Graph Explore to access [my root drive directory](https://graph.microsoft.com/v1.0/me/drive/root/children) and I can see the uploaded file in the API's response. But I couldn't read the file by [Excel API](https://graph.microsoft.com/v1.0/me/drive/items/16FA3ECF60A1FF73!112/workbook/worksheets). I got this error: `{"code": "generalException", "message": " Exception While Processing"}` – Ken Pham Oct 19 '17 at 03:03
1

3. I couldn't setup Office-365 with the Microsft account. It seems I need a work account to do what you suggested. But if I setup a work account, how I link this account to my existed tenant? – Ken Pham Oct 19 '17 at 03:06

score 1 · Answer 6 · answered Jan 16 '22 at 14:16

1

To add to Kikutos' answer answer, you can use this Azure sample to acquire the token via MSAL.NET.
The only thing you need to change is the Instance property, which needs to be set to:

https://login.microsoftonline.com/consumers/

answered Jan 16 '22 at 14:16

Mr Patience

1,564
16
30

score 1 · Answer 7 · answered Apr 14 '23 at 04:56

For anyone like me who just tries out MS GRAPH SDK for .Net and encounters this error while trying to access their personal drive.

First, make sure you select Personal Microsoft accounts only when registering your application.

Second, TenantId should be set to consumers. For an example:

    var deviceCodeCredentialOptions = new DeviceCodeCredentialOptions()
    {
        ClientId = ApplicationClientId,
        TenantId = "consumers",
        DeviceCodeCallback = (info, cancle) =>
        {
            // Display the device code message to
            // the user. This tells them
            // where to go to sign in and provides the
            // code to use.
            Console.WriteLine(info.Message);
            return Task.FromResult(0);
        },
        TokenCachePersistenceOptions = new TokenCachePersistenceOptions() {Name = TokenName}
    };

Also, make sure your scopes have appropriate permissions such as Files.ReadWrite.

After that, you should be able to access your drive without problems.

Tenant does not have a SPO license

7 Answers7

Linked