12

I am tenant admin for our Office 365 deployment. We have an internal system which needs to access all OneDrive sites. We are using my tenant admin credentials to get the OAuth token and trying to get files from all OneDrive sites using the SharePoint/OneDrive REST API with that OAuth token.

With the OAuth token of the tenant admin, we are only able to get the files owned by the tenant admin or shared with the tenant admin. We are not able to get the files from other users' OneDrive.

Same result with the Microsoft Graph API also: we are only able to get the files owned by the tenant admin or shared with the tenant admin. We are not able to get the files from other users' OneDrive.

One solution for this could be adding the tenant admin as a site collection admin for all OneDrive sites, but this is not a feasible option for us.

Is there any API, or any other way, to get all OneDrive users' files by using OneDrive admin or tenant admin credentials?

Thanks, Abhi

Marc LaFleur
  • 31,987
  • 4
  • 37
  • 63
user2768967
  • 367
  • 1
  • 4
  • 18
  • I think this answer and its comments will help you: http://stackoverflow.com/questions/33755470/onedrive-for-business-api-daemon-tenant-with-app-only-token . It basically says that your app should have the "Read and write items in all site collections" permission, after which you can use API-specific ways to access the files of other users. In OneDrive, you can use the `https://{tenant}-my.sharepoint.com/_api/v2.0/drives/{user email}` URL prefix to access user data; in SharePoint you can use `https://{tenant}-my.sharepoint.com/personal/{user specific part}/_api/web/`. – dtheodor Jan 09 '17 at 09:26
  • Have you checked by filling the manager attribute for the intended users? The one who falls under the "managed by" attribute will have access even after that user leaves... – Rayhan Rizmi Aug 10 '19 at 19:13

1 Answer

1

You can do this using either Delegated or Application permissions. Which one you choose depends on how your application will run and the OAuth Grant Flow you're using.

If your application runs with an interactive user (i.e. you're sitting in front of it while it runs), then you want to use Delegated permissions and the Authorization Code Grant Flow.

If your application runs as a service (i.e. it runs in the background) then you'll want to use Application permissions and the Client Credentials Grant Flow.

Regardless of the permission model you choose, the permission scopes and endpoints will remain the same.

You'll need one of the following permission scopes in order to access other users' files within the tenant: Files.Read.All, Files.ReadWrite.All, Sites.Read.All, Sites.ReadWrite.All.

In order to see another user's files, you need to address that user's drive directly. This is done via the user's userPrincipalName. For example, to see files in the root of a user's drive you would call:

 https://graph.microsoft.com/v1.0/users/{userPrincipalName}/drive/root/children

Hope this helps.

Marc LaFleur
  • 31,987
  • 4
  • 37
  • 63
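The answer above ties together three things: the two grant flows, the four permission scopes that are sufficient, and the per-user drive URL. The following is an added example, not code from the question, the answer or Microsoft. It builds the Graph URL for a given userPrincipalName (percent-encoding the UPN, which is my addition, so an odd character in a guest UPN cannot change the path) and shows how to tell, from a token you already hold, whether it carries one of those scopes: application permissions granted via client credentials arrive in the token's `roles` claim, delegated permissions granted via authorization code arrive in the space-separated `scp` claim. The tokens here are constructed, unsigned samples so the script runs offline; the decoder only inspects claims for troubleshooting and never validates the signature (Graph does that), so it must not be used to make an authorization decision.

```python
"""
Added example: build the per-user OneDrive request from the answer and
check which permission claims a token carries. Runs offline on constructed,
unsigned sample tokens; the only real identifiers are the scope names and
the Graph URL from the answer.
"""
import base64
import json
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"

# Scopes named in the answer; any one of them is enough to read other users' files.
REQUIRED_SCOPES = {
    "Files.Read.All",
    "Files.ReadWrite.All",
    "Sites.Read.All",
    "Sites.ReadWrite.All",
}


def drive_root_children_url(user_principal_name: str) -> str:
    """Address one user's drive directly by UPN, as the answer shows.
    The UPN is percent-encoded (safe='' also encodes '@') so a stray
    '/' or '#' in the name cannot alter the request path."""
    return f"{GRAPH}/users/{quote(user_principal_name, safe='')}/drive/root/children"


def _b64url_decode(segment: str) -> bytes:
    """Base64url without padding, as used in JWTs; restore the padding first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(access_token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature.
    Inspection only: Graph validates the signature on every call."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(claims: dict) -> tuple[str, set[str]]:
    """Return (flow, permissions) derived from the token's claims.
    Client-credentials (application) tokens list app roles in 'roles';
    authorization-code (delegated) tokens list scopes in 'scp'."""
    if "roles" in claims:
        return "application", set(claims["roles"])
    if "scp" in claims:
        return "delegated", set(claims["scp"].split())
    return "unknown", set()


def can_read_other_users_files(claims: dict) -> bool:
    """True when at least one of the answer's scopes is present."""
    _, perms = granted_permissions(claims)
    return bool(perms & REQUIRED_SCOPES)


def make_sample_token(payload: dict) -> str:
    """Constructed, UNSIGNED token for offline demonstration only
    (alg 'none', empty signature). Not accepted by any real service."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


if __name__ == "__main__":
    # Constructed sample: a delegated token holding only the user's own-files scope,
    # which reproduces the asker's symptom (only the admin's own/shared files are visible).
    own_files_only = token_claims(make_sample_token({"scp": "User.Read Files.Read"}))
    # Constructed sample: an application token with one of the required scopes.
    daemon = token_claims(make_sample_token({"roles": ["Files.Read.All"]}))
    for name, claims in (("delegated, Files.Read", own_files_only), ("application, Files.Read.All", daemon)):
        print(f"{name}: {granted_permissions(claims)} -> tenant-wide read: {can_read_other_users_files(claims)}")
    print(drive_root_children_url("alice@contoso.example"))  # placeholder UPN
```

Use the claim check when a tenant-wide read returns only the caller's own items: a token whose `scp` holds `Files.Read` but none of the `.All` scopes is the usual cause, and the fix is in the app registration and consent, not in the request URL.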