Forum Discussion
sharedWithMe returns only one item
A request from a standalone application to the https://learn.microsoft.com/en-us/graph/api/drive-sharedwithme endpoint returns only one item.
Scopes used for authorization are: files.readwrite.all, group.readwrite.all, sites.readwrite.all, offline_access user.read
When calling the same endpoint https://developer.microsoft.com/en-us/graph/graph-explorer, all shared items are returned.
Result from application:
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(microsoft.graph.driveItem)",
"value": [
{
"createdDateTime": "2025-11-13T18:48:46Z",
"id": "700DF30854FEF749!sd0cb731281c141acb1bf78fed133f933",
"lastModifiedDateTime": "2025-11-13T18:48:46Z",
"name": "saĝa-simio",
"webUrl": "https://onedrive.live.com?cid=700df30854fef749&id=700DF30854FEF749!sd0cb731281c141acb1bf78fed133f933",
"size": 0,
"createdBy": {
"user": {
"email": "email address removed for privacy reasons",
"id": "email address removed for privacy reasons",
"displayName": "Saĝa Simio"
}
},
"lastModifiedBy": {
"user": {
"email": "email address removed for privacy reasons",
"id": "email address removed for privacy reasons",
"displayName": "Saĝa Simio"
}
},
"fileSystemInfo": {
}Note that only one item is returned.
Result from Graph Explorer:
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(microsoft.graph.driveItem)",
"@microsoft.graph.tips": "Use $select to choose only the properties your app needs, as this can lead to performance improvements. For example: GET me/drive/microsoft.graph.sharedWithMe?$select=audio,bundle",
"value": [
{
"createdDateTime": "2025-11-13T18:48:46Z",
"id": "700DF30854FEF749!sd0cb731281c141acb1bf78fed133f933",
"lastModifiedDateTime": "2025-11-13T18:48:46Z",
"name": "saĝa-simio",
"webUrl": "https://onedrive.live.com?cid=700df30854fef749&id=700DF30854FEF749!sd0cb731281c141acb1bf78fed133f933",
"size": 0,
"createdBy": {
"user": {
"email": "email address removed for privacy reasons",
"id": "email address removed for privacy reasons",
"displayName": "Saĝa Simio"
}
},
"lastModifiedBy": {
"user": {
"email": "email address removed for privacy reasons",
"id": "email address removed for privacy reasons",
"displayName": "Saĝa Simio"
}
},
"fileSystemInfo": {
"createdDateTime": "2025-11-13T18:48:46Z",
"lastModifiedDateTime": "2025-11-13T18:48:46Z"
},
"folder": {
"childCount": 1,
"view": {}
},
"remoteItem": {
"createdDateTime": "2025-11-13T18:48:46Z",
"id": "700DF30854FEF749!sd0cb731281c141acb1bf78fed133f933",
"lastModifiedDateTime": "2025-11-13T18:48:46Z",
"name": "saĝa-simio",
"size": 0,
"createdBy": {
"user": {
"email": "email address removed for privacy reasons",
"id": "email address removed for privacy reasons",
"displayName": "Saĝa Simio"
}
},
"fileSystemInfo": {
"createdDateTime": "2025-11-13T18:48:46Z",
"lastModifiedDateTime": "2025-11-13T18:48:46Z"
},
"folder": {
"childCount": 1,
"view": {}
},
"lastModifiedBy": {
"user": {
"email": "email address removed for privacy reasons",
"id": "email address removed for privacy reasons",
"displayName": "Saĝa Simio"
}
},
"parentReference": {
"driveType": "personal",
"driveId": "700df30854fef749"
},
"shared": {
"scope": "users",
"sharedDateTime": "2025-11-13T19:16:19Z",
"owner": {
"user": {
"id": "700df30854fef749",
"displayName": "Saĝa Simio"
}
},
"sharedBy": {
"user": {
"email": "email address removed for privacy reasons",
"id": "email address removed for privacy reasons",
"displayName": "Saĝa Simio"
}
}
},
"sharepointIds": {
"listId": "a5aff78d-98ee-4b34-b35b-f4fe365ebd74",
"listItemId": "184",
"listItemUniqueId": "d0cb7312-81c1-41ac-b1bf-78fed133f933",
"siteId": "87dbe7ee-ae0c-4854-82e7-d56d982fef54",
"siteUrl": "https://my.microsoftpersonalcontent.com/personal/700df30854fef749",
"webId": "9d8b91c3-b0b9-45d1-83e4-17babde0d1dc"
}
}
},
{
"createdDateTime": "2025-11-13T18:24:59Z",
"id": "D26CADA368C1131F!116",
"lastModifiedDateTime": "2025-11-13T18:24:59Z",
"name": "Beastie",
"webUrl": "https://onedrive.live.com?cid=d26cada368c1131f&id=D26CADA368C1131F!116",
"size": 0,
"createdBy": {
"user": {
"email": "email address removed for privacy reasons",
"id": "email address removed for privacy reasons",
"displayName": "Faerie Graceful"
}
},
"lastModifiedBy": {
"user": {
"email": "email address removed for privacy reasons",
"id": "email address removed for privacy reasons",
"displayName": "Faerie Graceful"
}
},
"fileSystemInfo": {
"createdDateTime": "2025-11-13T18:24:59Z",
"lastModifiedDateTime": "2025-11-13T18:24:59Z"
},
"folder": {
"childCount": 1,
"view": {}
},
"remoteItem": {
"createdDateTime": "2025-11-13T18:24:59Z",
"id": "D26CADA368C1131F!116",
"lastModifiedDateTime": "2025-11-13T18:24:59Z",
"name": "Beastie",
"size": 0,
"createdBy": {
"user": {
"email": "email address removed for privacy reasons",
"id": "email address removed for privacy reasons",
"displayName": "Faerie Graceful"
}
},
"fileSystemInfo": {
"createdDateTime": "2025-11-13T18:24:59Z",
"lastModifiedDateTime": "2025-11-13T18:24:59Z"
},
"folder": {
"childCount": 1,
"view": {}
},
"lastModifiedBy": {
"user": {
"email": "email address removed for privacy reasons",
"id": "email address removed for privacy reasons",
"displayName": "Faerie Graceful"
}
},
"parentReference": {
"driveType": "personal",
"driveId": "d26cada368c1131f"
},
"shared": {
"scope": "users",
"sharedDateTime": "2025-11-13T18:41:30Z",
"owner": {
"user": {
"id": "d26cada368c1131f",
"displayName": "Faerie Graceful"
}
},
"sharedBy": {
"user": {
"email": "email address removed for privacy reasons",
"id": "email address removed for privacy reasons",
"displayName": "Faerie Graceful"
}
}
},
"sharepointIds": {
"listId": "5d31fd1e-38af-4117-b637-c1a0f7d5ca95",
"listItemId": "4",
"listItemUniqueId": "68c1131f-ada3-206c-80d2-740000000000",
"siteId": "74111012-f9e7-4940-ad60-5e53a21e2d3c",
"siteUrl": "https://my.microsoftpersonalcontent.com/personal/d26cada368c1131f",
"webId": "f1ea2ab8-b5ee-4c93-8ce2-6c12700c226a"
}
}
}
]
}
Any tips or suggestions are welcome.
5 Replies
This is a known and subtle behavior difference between delegated (user) tokens and application-only tokens in Microsoft Graph, and it explains exactly what you’re seeing.
Short answer…
/drive/sharedWithMe does not fully work with application (client credentials) tokens.
It is designed to return items shared with the signed-in user, and only delegated user context is fully supported.Graph Explorer uses delegated permissions, while your standalone app is using application permissions → hence only one item (or an incomplete set) is returned.
Your permissions are correct
Your request is valid
The endpoint is not supported for application-only tokensThis is expected behavior, not a bug.
Final recommendation
If your scenario is user-centric (which sharedWithMe is):
Switch to delegated authentication
My answers are voluntary and without guarantee!
Hope this will help you
Thank you for your reply.
However, I'm already using the delegated authentication. The request runs against https://graph.microsoft.com/v1.0/me/drive/sharedwithMe endpoint. According to the documentation: "Endpoints and APIs with the /me alias operate on the signed-in user only and are therefore called in delegated access scenarios."My application requests user authorization via OAuth2 code grant flow.
Or, maybe I'm missing something here?You’re not missing something obvious in terms of auth flow — your reasoning about delegated auth and /me is correct. The missing piece is pagination, combined with a subtle Graph Explorer behavior.
/me/drive/sharedWithMe is a paged endpoint.
In your application response, you only see the first page, which in your case happens to contain one item.
In Graph Explorer, you see all items because:
- Graph Explorer automatically follows @odata.nextLink
- Your app does not, so it stops after the first page
This is why:
- Same user
- Same endpoint
- Same permissions
- Different results
Why you didn’t notice pagination
Your app response:
{
"@odata.context": "...",
"value": [
{ ... one item ... }
]
}
But Graph will only include @odata.nextLink when there is another page. Many SDKs and tools (including Graph Explorer) fetch it automatically, but raw HTTP clients do not.
If you inspect the raw HTTP response headers or enable tracing, you should see something like:
"@odata.nextLink": "https://graph.microsoft.com/v1.0/me/drive/sharedWithMe?$skiptoken=..."
Your app needs to explicitly follow that link.
Why Graph Explorer looks “complete”
Graph Explorer:
- Uses delegated auth
- Uses /me
- Automatically:
- Detects @odata.nextLink
- Fetches subsequent pages
- Merges results into one array
So it appears like a single response.
How to fix it in your app
Option 1: Follow @odata.nextLink (recommended)
Pseudo-logic:
GET /me/drive/sharedWithMe
while (@odata.nextLink exists):
GET @odata.nextLink
append items
Option 2: Increase page size
You can request more items per page:
GET /me/drive/sharedWithMe?$top=50
This reduces paging but does not eliminate it — you still must handle @odata.nextLink.
Important clarifications (to rule out other theories)
You are using delegated auth
/me/drive/sharedWithMe is correct
OAuth2 authorization code flow is correct
This is not an application-permissions limitation
This is not a OneDrive personal vs business issue
This is not a permissions scope issueFinal takeaway
The endpoint is working correctly.
Your app is only processing the first page of results.Once you implement pagination handling, your standalone app will return the same items as Graph Explorer.
