This "drives" me crazy... I have an AAD app with the following application permissions with Admin Consent:

  • Directory.Read.All
  • Files.ReadWrite.All
  • Group.Create
  • Group.ReadWrite.All
  • GroupMember.ReadWrite.All
  • Member.Read.Hidden
  • Organization.ReadWrite.All
  • People.Read.All
  • Sites.FullControl.All
  • Sites.ReadWrite.All
  • User.Read

Request:

https://graph.microsoft.com/v1.0/groups/{id}/drive/root

Response:

{
  "error": {
    "code": "serviceNotAvailable",
    "message": "The service is not available. Try the request again after a delay. There may be a Retry-After header.",
    "innerError": {
      "request-id": "5ad04144-d8af-48ef-b9d3-43dafedb5911",
      "date": "2020-02-15T13:28:08"
    }
  }
}

Decoded Token:

[screenshot of the decoded token's claims]

There's no Retry header and I've tried for several hours now.

If I send the query using a token generated with Authorization Code grant and the scope Group.ReadWrite.All User.Read profile openid email, it works like a charm.

  • How are you obtaining the token (you cannot have both Application and Delegated scopes within a single token)? – Marc LaFleur Feb 18 '20 at 22:37
  • Hi Marc, for sure that's not possible. App permissions use grant_type client_credentials with scope https://graph.microsoft.com/.default; delegated uses grant_type auth_code with scope "Group.ReadWrite.All User.Read profile openid email" – Daniel Pfäffli Feb 19 '20 at 16:18
  • Are you able to upload/download items to this Group's Drive using the UI? – Marc LaFleur Feb 19 '20 at 19:54
  • Yes. Even Graph calls work properly as soon as I'm connecting with a token generated in user context.... – Daniel Pfäffli Feb 20 '20 at 08:27
  • Funny stuff: if I query for group metadata I get a response. https://graph.microsoft.com/v1.0/groups/76483fab-f9be-4efa-b5a9-xxxxxxxxxx/ response: { "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#groups/$entity", "id": "76483fab-f9be-4efa-b5a9-xxxxxxxxxx", "deletedDateTime": null, "classification": null, "createdDateTime": "2020-02-16T21:12:22Z", "creationOptions": [ "Team", "ExchangeProvisioningFlags:3552" ], "description": "Teams Rollout", – Daniel Pfäffli Feb 20 '20 at 08:38
  • According to the docs, you need `Mail.ReadWrite` permission for this. Could you confirm that is being assigned in the token you're getting? – Marc LaFleur Feb 20 '20 at 19:01
  • I've just updated the initial post with a screenshot of the claims of the token. Yes, Mail.ReadWrite is there.... – Daniel Pfäffli Feb 21 '20 at 08:46
  • Anyone an idea? I'm really stuck... – Daniel Pfäffli Mar 03 '20 at 13:39
  • Do you get the same result if you request `/drive` (no root) or `/drive/root/children`? – Marc LaFleur Mar 07 '20 at 02:31
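As an added example (not from the question or the comments above), a small Python helper for the two checks this thread keeps circling: which kind of Graph token you actually hold (`roles` = application permissions from client_credentials, `scp` = delegated permissions from the auth code flow, never both in one token) and whether a given permission is present, plus a retry loop for `serviceNotAvailable` that honours `Retry-After` when Graph sends one and backs off otherwise. The tokens are constructed samples and the HTTP transport is injected, so it runs offline; nothing here validates a signature.

```python
import base64
import json
import time
from typing import Callable, Dict, Tuple

Response = Tuple[int, Dict[str, str], dict]   # (status, headers, JSON body)

def _b64url(obj: dict) -> str:
    """base64url-encode a JSON object without padding (JWT segment style)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

# Constructed sample tokens: header/signature segments are placeholders, only the payload is read.
APP_TOKEN = "e30." + _b64url({"aud": "https://graph.microsoft.com",
                              "roles": ["Group.ReadWrite.All", "Sites.ReadWrite.All"]}) + ".sig"
DELEGATED_TOKEN = "e30." + _b64url({"aud": "https://graph.microsoft.com",
                                    "scp": "Group.ReadWrite.All User.Read"}) + ".sig"

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only; this does NOT validate the token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def permission_kind(claims: dict) -> str:
    """App-only tokens carry 'roles', delegated tokens carry 'scp'; a token has one or the other."""
    has_roles, has_scp = "roles" in claims, "scp" in claims
    if has_roles and not has_scp:
        return "application"
    if has_scp and not has_roles:
        return "delegated"
    return "unknown"

def has_permission(claims: dict, name: str) -> bool:
    """True if the named permission is granted under either claim type."""
    granted = set(claims.get("roles", [])) | set(claims.get("scp", "").split())
    return name in granted

def graph_get_with_retry(do_get: Callable[[str], Response], url: str,
                         max_attempts: int = 4, sleep=time.sleep) -> Response:
    """Retry 503/serviceNotAvailable, honouring Retry-After, else backing off 1, 2, 4... seconds."""
    delay = 1.0
    for attempt in range(1, max_attempts + 1):
        status, headers, body = do_get(url)
        code = body.get("error", {}).get("code") if isinstance(body, dict) else None
        if (status != 503 and code != "serviceNotAvailable") or attempt == max_attempts:
            return status, headers, body
        lowered = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
        wait = float(lowered.get("retry-after", delay))
        sleep(wait)
        delay *= 2
```

For a live call, `do_get` would wrap `requests.get(url, headers={"Authorization": "Bearer " + token})` and return its status code, headers and `.json()`.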
