
Context

My web app uses an Entra ID application to organize file transfer from Sharepoint to the local storage. For this to work, a combination of the “Files.Read.All” Delegated permission and the FilePicker SDK for JavaScript is used. A user authorizes using his Microsoft work account, agrees with the consent, selects a file, and the web app reads and downloads that file.

Question

How to have a stable way for the Entra ID app to read any file, which was previously selected by any user, at any time? (Have a permanent “read” access)

What I have tried

  1. Files.SelectedOperations.Selected Application permission. I can request a JWT token for the Entra ID app (POST /{tenant_id}/oauth2/v2.0/token), but a call (POST /v1.0/sites/{siteId}/drives/{driveId}/items/{itemId}/permissions) to grant the “read” role for a DriveItem by siteId, driveId and itemId retrieved from the FilePicker SDK's response returns 403 “accessDenied”. Apparently, it’s the user who must grant access to that file, but in the UI he cannot share it with an Entra ID app, only with another user.
  2. Re-use of the user’s accessToken, which comes from the FilePicker SDK to the backend, to grant the "read" role for the Entra ID app to the file he has just selected. This accessToken is not full and cannot be used to perform such an operation.

Ultimate Goal (just for more context)

Implement OneDrive file auto-synchronization service for the web app.

For example, a user uploads a file to the web app. A month later he updates this file on Sharepoint in a site-collection or My Files. A background task is launched daily to update obsoleted files in the web app. The application must be able to read and download the respective DriveItem without any user interaction.

Business Restrictions

  1. Excessive Application type permissions (Files.Read.All, FullControl, etc.) are not allowed.
  2. Sites.Selected is highly NOT preferred because it requires global changes for users to transfer (copies of) their content to a special site-collection the Entra ID app will have to monitor. This is only practical if each customer creates its own site-collection for synchronizable content only.
  3. Users should not be involved in using developer tools, like sending POST requests through Postman or Graph Explorer.
  4. Authorization flows which involve refreshing the received users' accessTokens are not allowed.

I am grateful for any information and ideas!
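Added here as an example that is not part of the original question: before making the permissions call described in item 1, the app-only token is inspected for the `roles` claim, since a delegated token (which carries `scp` instead) or a token missing the application permission will be refused regardless of the request body. The `grantedToIdentities` body shape is an assumption borrowed from the Sites.Selected site-permission grant, and the token builder only produces an unsigned sample for offline use.

```python
import base64
import json
from typing import Any

GRAPH = "https://graph.microsoft.com/v1.0"
REQUIRED_ROLE = "Files.SelectedOperations.Selected"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict[str, Any]) -> str:
    """Constructed sample token for offline use only. Real tokens come from
    /{tenant_id}/oauth2/v2.0/token and are signed by Entra ID."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_jwt_claims(token: str) -> dict[str, Any]:
    """Decode the JWT payload without verifying it. This is for inspecting a
    token you just received; Graph, not this code, validates the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def app_token_has_role(token: str, role: str = REQUIRED_ROLE) -> bool:
    """App-only tokens list granted application permissions in `roles`;
    delegated tokens carry `scp` instead. A missing role means the permission
    was never admin-consented, so the permissions call cannot succeed."""
    return role in decode_jwt_claims(token).get("roles", [])


def permissions_url(site_id: str, drive_id: str, item_id: str) -> str:
    """The endpoint from item 1, built from the FilePicker SDK response ids."""
    return f"{GRAPH}/sites/{site_id}/drives/{drive_id}/items/{item_id}/permissions"


def build_read_grant(app_id: str, display_name: str) -> dict[str, Any]:
    """Body granting the app identity the 'read' role on the item.
    Assumption: same shape as the Sites.Selected site-permission grant."""
    return {
        "roles": ["read"],
        "grantedToIdentities": [
            {"application": {"id": app_id, "displayName": display_name}}
        ],
    }
```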
