OneDrive webhook API occasionally returns a 401 status code
TL;DR: scroll down to the "Questions" section Hello, I am currently working on an integration with OneDrive that manipulates webhook subscriptions to OneDrive drives via the Graph API, using the https://docs.microsoft.com/en-us/onedrive/developer/rest-api/concepts/using-webhooks?view=odsp-graph-online endpoint. Sometimes, without any apparent reason, the API returns a 401 Unauthorized error with a response similar to the one below (this one is the payload of an actual response I got for a https://docs.microsoft.com/en-us/onedrive/developer/rest-api/api/subscription_update?view=odsp-graph-online call): { "error": { "code": "ExtensionError", "message": "Operation: Update; Exception: [Status Code: Unauthorized; Reason: Authentication failed]", "innerError": { "date": "2021-04-16T00:29:11", "request-id": "4f1f55fe-9ac1-4c8c-9d21-529d0d0be1a1", "client-request-id": "4f1f55fe-9ac1-4c8c-9d21-529d0d0be1a1" } } } Retrying the request usually works (yes, retrying the exact same request that returned a 401 Unauthorized error can succeed if retried). To demonstrate this, I attached the logs of 2 other, identical requests: one that failed and another one that succeeded. I obfuscated the auth tokens, but assume that the exact same auth token was used for both. Also assume that the endpoint indicated in the payload existed at the time, and correctly performed the https://docs.microsoft.com/en-us/onedrive/developer/rest-api/concepts/webhook-receiver-validation-request?view=odsp-graph-online. Given that the response payload and headers don't provide any useful information (even the x-ms-ags-diagnostic header is identical between a successful and a failed request), and that the documentation does not mention https://docs.microsoft.com/en-us/onedrive/developer/rest-api/api/subscription_update?view=odsp-graph-online#error-responses to these endpoints and their status codes I wanted to reach out to the community to check if anyone else faced a similar issue. ==Questions== Did anyone experience intermittent 401 Unauthorized status codes from the OneDrive /subscriptions endpoints? If so, how did you handle them? The naiive approach would be to retry the request, except that the outcome of a request that returns a 401 Unauthorized status code is uncertain. For example, sometimes the webhook gets eventually created even when a POST /subscription request apparently fails. Given the nature of the problem, it's hard to come up with a consistent way to test this, but if I discover more information I'll update this post. Thanks!
Cannot access OneDrive storage for multi/inter tenant
Hi, I tried to create an application, with which the user in another company/tenant could access his/her OneDrive storage. But failed. It's really appreciated for the advice on what or which steps I had made mistakes. Thanks a lot. Detail as below: The user (user01@company.com), who is in Tenant X, wants to use the service/system (which is developed by Tenant Y) to access the files on his/her One Drive storage. 1.) Tenant Y had already got the Azure service and had subscribed Office 365 service (as the One Drive API need SPO license). 2.) With AAD in the Tenant Y, I added the user's email (use01@company.com) in the active directory (AAD) as a guest user, and the user had received the notification email and accept it. 3.) With AAD in the Tenant Y, I registered a new application, selected Accounts in any organizational directory option from Supported account types section, setup the redirect URI. 4.) Added the delegated API privilege for Graph API (such as the Files.ReadWrite and Files.ReadWriteAll), and approved the new added privileges request. 5.) Created a new client secret for the application. 6.) With the tenant Id, client Id and client secret of the application, now I could start OAuth2 authentication flow for the user (user01@company.com). And finally, I got the access token for this user. 7.) With the access token, it's no problem to get the user's profile https://graph.microsoft.com/v1.0/me 8.) It would complain 401 Unauthorized error for this request: https://graph.microsoft.com/v1.0/me/drive . (By the way, such request will be no problem for the user in the same Tenant Y) Response as the following: HTTP/1.1 401 Unauthorized Cache-Control: private Content-Type: application/json request-id: ffef8bc9-11e7-4d07-9df3-e3cee81ef7b2 client-request-id: ffef8bc9-11e7-4d07-9df3-e3cee81ef7b2 x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"East Asia","Slice":"SliceC","Ring":"4","ScaleUnit":"002","RoleInstance":"AGSFE_IN_19"}} Strict-Transport-Security: max-age=31536000 Date: Wed, 24 Jun 2020 07:13:00 GMT Content-Length: 249 { "error": { "code": "accessDenied", "message": "There has been an error authenticating the request.", "innerError": { "date": "2020-06-24T07:13:01", "request-id": "ffef8bc9-11e7-4d07-9df3-e3cee81ef7b2" } } }
List items "Shared By Me" in Microsoft Graph
I really need to be able to run a report and list all items in OD4B and SPO that have been shared by a user from an API. Given MS Graph is meant to be the place to be, and is replacing the OneDrive API I assumed I could use a query along the lines of {graph uri}/users/{user id}/drives/shared but no joy. A user can list and manage the files that have active sharing links by going to the OneDrive portal and viewing the SharedByMe list. This reporting is essential as we have to be able to manage externally sharing of files as part of our security policies. If it is only accessible through the OneDrive API then how can I implement OneDrive API application permissions as this doesn't seem to be available in the AzureAD Application Registration blade. Many thanks in advance for any help you can provide. Yours, Tom
