Cannot access OneDrive storage for multi/inter tenant


Hi,

 

I tried to create an application with which a user in another company/tenant could access his/her OneDrive storage, but it failed.

 

I would really appreciate advice on which steps I made mistakes in. Thanks a lot.

 

Details as below: The user (user01@company.com), who is in Tenant X, wants to use the service/system (which is developed by Tenant Y) to access the files on his/her OneDrive storage.

 

1.) Tenant Y already has the Azure service and has subscribed to the Office 365 service (as the OneDrive API needs an SPO license).

2.) In AAD in Tenant Y, I added the user's email (user01@company.com) to the Active Directory (AAD) as a guest user; the user received the notification email and accepted it.

3.) In AAD in Tenant Y, I registered a new application, selected the Accounts in any organizational directory option from the Supported account types section, and set up the redirect URI.

4.) Added the delegated API privileges for the Graph API (such as Files.ReadWrite and Files.ReadWriteAll), and approved the newly added privilege request.

5.) Created a new client secret for the application.

6.) With the tenant ID, client ID and client secret of the application, I could now start the OAuth2 authentication flow for the user (user01@company.com), and finally I got the access token for this user.

7.) With the access token, there is no problem getting the user's profile: https://graph.microsoft.com/v1.0/me

8.) It complains with a 401 Unauthorized error for this request: https://graph.microsoft.com/v1.0/me/drive (by the way, such a request is no problem for a user in the same Tenant Y).

The response is as follows:

HTTP/1.1 401 Unauthorized
Cache-Control: private
Content-Type: application/json
request-id: ffef8bc9-11e7-4d07-9df3-e3cee81ef7b2
client-request-id: ffef8bc9-11e7-4d07-9df3-e3cee81ef7b2
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"East Asia","Slice":"SliceC","Ring":"4","ScaleUnit":"002","RoleInstance":"AGSFE_IN_19"}}
Strict-Transport-Security: max-age=31536000
Date: Wed, 24 Jun 2020 07:13:00 GMT
Content-Length: 249
 
{
  "error": {
    "code": "accessDenied",
    "message": "There has been an error authenticating the request.",
    "innerError": {
      "date": "2020-06-24T07:13:01",
      "request-id": "ffef8bc9-11e7-4d07-9df3-e3cee81ef7b2"
    }
  }
}
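A diagnostic worth running on the access token obtained in step 6, added here as an example and not part of the original post: decode the token's claims (inspection only, no signature check) and compare `tid`, the tenant that issued the token, with the tenant whose OneDrive the request is meant to reach, and `scp` with the Files scope that was requested. Microsoft Graph evaluates /me in the issuing tenant, so a token minted by Tenant Y's authority for the guest identity addresses that guest's (non-existent) drive in Tenant Y rather than the user's drive in Tenant X. The tenant IDs and the token below are constructed placeholders.

```python
import base64
import json

# Constructed placeholder tenant IDs (not real tenants).
TENANT_X = "11111111-1111-1111-1111-111111111111"  # user's home tenant
TENANT_Y = "22222222-2222-2222-2222-222222222222"  # tenant that registered the app

GRAPH_AUDIENCES = {"https://graph.microsoft.com",
                   "00000003-0000-0000-c000-000000000000"}  # Graph's well-known app ID


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample token shaped like the step-6 token: issued by Tenant Y's
# authority for the guest identity. The signature is a dummy; we never verify it here.
SAMPLE_TOKEN = ".".join([
    _b64url({"typ": "JWT", "alg": "RS256"}),
    _b64url({"aud": "https://graph.microsoft.com",
             "iss": f"https://sts.windows.net/{TENANT_Y}/",
             "tid": TENANT_Y,
             "scp": "Files.ReadWrite User.Read",
             "upn": "user01@company.com"}),
    "dummy-signature",
])


def decode_jwt_claims(token: str) -> dict:
    """Return a JWT's payload claims WITHOUT verifying the signature.
    Fine for inspecting a token you already hold; never use it to accept one."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact-serialised token")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_drive_token(claims: dict, home_tenant: str, required_scope: str) -> list:
    """List reasons this token cannot be expected to reach /me/drive in home_tenant."""
    findings = []
    if claims.get("aud") not in GRAPH_AUDIENCES:
        findings.append(f"aud {claims.get('aud')!r} is not Microsoft Graph")
    if claims.get("tid") != home_tenant:
        findings.append(f"tid {claims.get('tid')} is not the home tenant {home_tenant}; "
                        "/me resolves in the issuing tenant, where a guest has no OneDrive")
    scopes = claims.get("scp", "").split()
    if required_scope not in scopes:
        findings.append(f"scope {required_scope} missing from scp {scopes}")
    return findings
```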
