
I think I wasn't clear enough, in my question below, about how the app I'm developing is being used.

The flow of the app I'm developing is:

  • members of the app, which I'm developing for my client, can log in with their user account at the website of my client and create an offer or place an order directly
  • next step is to apply the materials they want to order (which kind of steel, thickness, amount of spare parts, etc.)
  • last step is uploading their DXF and STEP files to the central directory at the OneDrive of my client

The members don't have OneDrive themselves; they just need to upload their files via the app of my client to a central point, which is the OneDrive.

From that point, the laser cutting machine loads the files from OneDrive into its memory.

The reason I was using the OAuth 2.0 client credentials grant flow is that I want my code/website to log in as its own identity and store the files, uploaded by the members of the app, in the central directory at OneDrive. I don't want the members of my app to log in with their own MS account.

I'm starting to doubt if it's even possible to set up a connection with MS as described above.


I'm developing a web app where users can upload files (DXF and STEP files) to my client's OneDrive via the Microsoft Graph API.

I've spent a lot of hours trying to make the connection work with my own development account at OneDrive and have read a lot of other troubleshooting posts on Stack Overflow and Microsoft's sites, but I can't get it to work.

So what I have (done) so far:

  • I have an Office 365 Business account including SharePoint and a dummy file on OneDrive (test)

  • I have an account at azure.portal.com

  • I already registered an app in Azure Active Directory, created a secret key and created all the permissions

  • I installed microsoft-graph

With the code below I'm getting an access token:

```php
<?php
require __DIR__ . '/vendor/autoload.php';

use Microsoft\Graph\Graph;
use Microsoft\Graph\Model;

$guzzle = new \GuzzleHttp\Client();

$tenantId = '6329a6cd-3d15-4f10-bef9-b5d52b1122fe';
$clientId = 'c01da8d9-01d1-43bb-93cf-5278d38aed7e';
$clientSecret = 'SECRET KEY HERE';

// Request a token from the Azure AD v1 token endpoint for Microsoft Graph.
$url = 'https://login.microsoftonline.com/' . $tenantId . '/oauth2/token';
$user_token = json_decode($guzzle->post($url, [
    'form_params' => [
        'client_id' => $clientId,
        'client_secret' => $clientSecret,
        'resource' => 'https://graph.microsoft.com/',
        'grant_type' => 'client_credentials',
        // username/password are not part of the client_credentials grant
        'username' => 'jeroen@jebawebdesign.onmicrosoft.com',
        'password' => 'my-password'
    ],
])->getBody()->getContents());

$accessToken = $user_token->access_token;
```

The next thing I do is test the connection with the access token, and then something weird happens.

With the code below I receive all the account data.

```php
$client = new \GuzzleHttp\Client(['headers' => ['Authorization' => 'Bearer ' . $accessToken, 'Host' => 'graph.microsoft.com']]);
$users = $client->get('https://graph.microsoft.com/v1.0/users');
echo $users->getBody();
```

When I try to access the files in the root drive, it's giving me the error message "Tenant does not have a SPO license solve", but I have a Business license with SharePoint included?

```php
$client = new \GuzzleHttp\Client(['headers' => ['Authorization' => 'Bearer ' . $accessToken, 'Host' => 'graph.microsoft.com']]);
$drive = $client->get('https://graph.microsoft.com/v1.0/users/253f61d2-e692-4be3-9f13-d8a88a9dda1b/drive/root');
echo $drive->getBody();
```

When I log in via https://developer.microsoft.com/en-us/graph/graph-explorer I can call all the APIs and receive the correct results.

Jeba
  • Does this answer your question? [Tenant does not have a SPO license](https://stackoverflow.com/questions/46802055/tenant-does-not-have-a-spo-license) – Fermin Perdomo Mar 09 '23 at 15:41
  • Hi Fermin, already seen that topic, but it doesn't get me further. I made an Azure account with my business 365 account so that should be okay. – Jeba Mar 09 '23 at 17:05

1 Answer

Note that the client credentials flow works with Application permissions, whereas Graph Explorer uses Delegated permissions, where the user signs in.

As you are able to call all the APIs by logging into Graph Explorer, try changing to a Delegated flow while generating the access token instead of client credentials.

I tried to reproduce the same in my environment via Postman and got the results below:

I registered one Azure AD application and added the same API permissions as you.

Now I generated an access token via Postman by changing grant_type to password instead of client_credentials, like below:

```
POST https://login.microsoftonline.com/<tenantID>/oauth2/token
client_id: <appID>
client_secret: <secret>
resource: https://graph.microsoft.com/
grant_type: password
username: admin@xxxxxxxxxx.onmicrosoft.com
password: xxxxxxxxxx
```

With the above access token, I am able to get the list of users using the query below:

```
GET https://graph.microsoft.com/v1.0/users
```

When I used the same token to access the user's files in the root drive, I got the response successfully:

```
GET https://graph.microsoft.com/v1.0/users/db5ccaa9-d0c0-4bfa-8693-xxxxxxxxxxx/drive/root
```

To confirm that, I ran the same query in Graph Explorer by signing in with the same user account and got the same response:

```
GET https://graph.microsoft.com/v1.0/users/db5ccaa9-d0c0-4bfa-8693-xxxxxxxxxxx/drive/root
```

In your case, just change grant_type to password in your code, like this:

```php
<?php
require __DIR__ . '/vendor/autoload.php';

use Microsoft\Graph\Graph;
use Microsoft\Graph\Model;

$guzzle = new \GuzzleHttp\Client();

$tenantId = '6329a6cd-3d15-4f10-bef9-b5d52b1122fe';
$clientId = 'c01da8d9-01d1-43bb-93cf-5278d38aed7e';
$clientSecret = 'SECRET KEY HERE';

$url = 'https://login.microsoftonline.com/' . $tenantId . '/oauth2/token';
$user_token = json_decode($guzzle->post($url, [
    'form_params' => [
        'client_id' => $clientId,
        'client_secret' => $clientSecret,
        'resource' => 'https://graph.microsoft.com/',
        'grant_type' => 'password', // Replaced 'client_credentials' with 'password'
        'username' => 'jeroen@jebawebdesign.onmicrosoft.com',
        'password' => 'my-password'
    ],
])->getBody()->getContents());

$accessToken = $user_token->access_token;
```

Make sure to pass the same credentials in the username and password parameters that you used to sign in to Graph Explorer.

Sridevi
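The distinction the answer draws between Application and Delegated permissions is visible in the access token itself: an app-only token carries a `roles` claim, a delegated token carries `scp`. The following is an added example, not code from the question or the answer; the sample tokens and permission names are constructed, and `decodeJwtPayload`, `describeToken` and `makeSampleJwt` are hypothetical helper names.

```php
<?php
// Added example: classify an Azure AD access token as app-only or delegated.
// The payload is decoded WITHOUT verifying the signature: troubleshooting only.
function decodeJwtPayload(string $jwt): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('Not a three-part JWT');
    }
    // JWT segments are unpadded base64url; convert to padded base64.
    $b64 = strtr($parts[1], '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);
    $json = base64_decode($b64, true);
    $claims = $json === false ? null : json_decode($json, true);
    if (!is_array($claims)) {
        throw new InvalidArgumentException('Payload is not a JSON object');
    }
    return $claims;
}

function describeToken(array $claims): array
{
    $roles  = $claims['roles'] ?? [];   // application permissions (app-only)
    $scopes = isset($claims['scp']) ? explode(' ', $claims['scp']) : []; // delegated
    if ($scopes !== []) {
        $kind = 'delegated';
    } elseif ($roles !== []) {
        $kind = 'app-only';
    } else {
        $kind = 'no permissions';
    }
    return ['kind' => $kind, 'permissions' => $scopes ?: $roles];
}

// Builds a constructed sample token; header and signature are dummies.
function makeSampleJwt(array $claims): string
{
    $enc = fn(string $s): string => rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
    return $enc('{"alg":"none"}') . '.' . $enc(json_encode($claims)) . '.' . $enc('sig');
}

$samples = [
    'client_credentials' => ['roles' => ['User.Read.All', 'Files.ReadWrite.All']],
    'password'           => ['scp' => 'Files.ReadWrite User.Read'],
];
foreach ($samples as $grant => $claims) {
    $info = describeToken(decodeJwtPayload(makeSampleJwt($claims)));
    printf("%-18s %-9s %s\n", $grant, $info['kind'], implode(', ', $info['permissions']));
}
```

Passing the `$accessToken` obtained in the question's code to `decodeJwtPayload` and `describeToken` shows which kind of permissions the token actually carries before any `/drive/root` request is made.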