Trying to perform a search action on a Drive with a Client Credentials (App) token, like with the following URL:

https://graph.microsoft.com/v1.0/groups/{GROUP_ID}/drive/root/search(q='newFileTest.docx')

... results in a 403 error:

{
    "error": {
        "code": "accessDenied",
        "message": "The caller does not have permission to perform the action.",
        "innerError": {
            "request-id": "**redacted**",
            "date": "2019-04-17T12:47:10"
        }
    }
}

The client has the Files.ReadWrite.All permission, which is necessary to be able to execute a search query, and can read/write folders and files without any issues.

Executing the same command with Delegated Auth (so with a logged-in user, e.g. the Microsoft Graph Explorer) works, but returns 0 results (see this bug for details).

This seems like a bug to me, but would be happy to hear if someone thinks it's not.

Dennis Ameling

1 Answer

Turns out that for Search to work with Client Credentials, the application needs to have the Sites.ReadWrite.All permission. The Files.ReadWrite.All permission is not enough, even though the documentation mentions "One of the following permissions is required to call this API". Filed a Microsoft Docs GitHub issue.

Dennis Ameling
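
A way to check, before calling search, whether a client-credentials token actually carries the permission named in the answer above. This is an added example, not code from the original post or from Microsoft; it assumes the access token is a JWT whose application permissions appear in the `roles` claim and delegated ones in `scp`, and the function names and sample tokens are constructed for illustration.

```python
import base64
import json

# Application permission the answer above found necessary for app-only drive search.
SEARCH_ROLE = "Sites.ReadWrite.All"


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def search_precheck(token: str) -> dict:
    """Report which application permissions a token carries and whether the
    search role is among them. Only meaningful for app-only tokens."""
    claims = jwt_claims(token)
    roles = claims.get("roles", [])         # application permissions (assumed claim)
    scopes = claims.get("scp", "").split()  # delegated permissions (assumed claim)
    return {
        "app_only": bool(roles) and not scopes,
        "roles": sorted(roles),
        "has_search_role": SEARCH_ROLE in roles,
    }


def constructed_token(claims: dict) -> str:
    """Build an unsigned sample token for the demo; not a real Graph token."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    # Constructed samples: the app registration before and after the fix.
    before = constructed_token({"roles": ["Files.ReadWrite.All"]})
    after = constructed_token(
        {"roles": ["Files.ReadWrite.All", "Sites.ReadWrite.All"]})
    for label, tok in (("before", before), ("after", after)):
        print(label, search_precheck(tok))
```

After changing the app registration, request a fresh token before re-running the check, since an already-issued token keeps the roles it was minted with.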