Does anyone know if I can have a single one drive folder and then assign via the API different people, and then they would see only the folders that they are allowed to see.
I am trying to re-create the "views" functionality of dropbox enterprise
Yes, the simplest way to do so is to use the Microsoft Graph API which has an entire set of endpoints that work with a OneDrive account.
The endpoints that will best serve you are the Create Sharing Link and the Add Permission.
Note: Using the sharing link that doesn't require account authentication means anyone with that link can access the OneDrive folder/file that it is assigned to. If the user(s) have Microsoft Accounts or Microsoft Organizational Accounts (also known as work/school account) then the Add Permission endpoint is likely your best bet.
Related
I'll try to be as brief and comprehensive as I can.
Objective: To be able to upload PDF files generated after filling an HTML form to my personal OneDrive.
I have been looking into this for a few days now and cannot for the life of me figure out the proper way to set up the app and permissions in the Azure portal for this to work. I was initially using the Personal Microsoft accounts only option but quickly realized that would mean having to sign in. Then I tried the Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox) option. So this seemed to be a step in the right direction as the end-user does not need to do anything. I could use Application Permissions which would work without a signed-in user. That is basically what I want.
This lead to another issue, Tenant does not have a SPO license. After looking up more, it seems that to use the OneDrive APIs, you need to have a subscription. Like I mentioned, I am using a personal account (free).
I also tried daemon (since I can use application permissions and work without a user signed in). But based on the Microsoft Graph Get Files Permissions, Only Delegated permission is supported for personal Microsoft account.
I am trying to achieve this through PHP and using the libraries that are recommended everywhere. I honestly think that I am finding this much more complicated than it really is but I really can't figure out where I'm going wrong.
In conclusions, I can't answer these questions:
Can a personal free account (with student subscription or not) be used to access OneDrive?
If so, what supported account type is ideal for this?
And finally, is there anywhere I can follow to do this?
P.S. I have tried a lot more things I mentioned here, so in case anyone thinks of something I should have done, ask me and I'll update you.
You have tried many and got many correct conclusions.
To make a personal account access the personal OneDrive, you have to use delegated permission. Application permission is not supported in this scene.
I know your requirement is not to sign in interactively. Unfortunately it's not supported to use ROPC flow for personal accounts.
So the only option is to use auth code flow or implicit grant flow. Both of them require you to sign in interactively.
In summary, uploading files to personal OneDrive using non-interactive login is not supported.
This seems like a simple question but I'm struggling to find an answer anywhere. Help! ;-)
I'm trying to use Microsoft Graph to read SharePoint lists/libraries in a SharePoint site, however this is just for one site (for our department) amongst many on our SharePoint online. I've registered an Azure AD app (with secret etc...) and requested 'application' permissions for the Microsoft Graph ('Create, edit, and delete items and lists in all site collections') and its saying 'admin consent required' is 'yes' and its currently flagged as 'not granted for *****'.
My boss is now asking - with a worried tone ;-)
will this mean the app can basically read/write/delete on all sites in
the organisations SharePoint (not just our site) if our IT department
'consent'?
I said I don't know actually... I guess I'm not entirely clear on which permissions this is for, is it just to call the Microsoft Graph API or is it for this app to access SharePoint itself? I've searched for answers to this but I'm struggling to find anywhere that says anything about giving your app permissions in SharePoint, it all seems to be about getting permissions for the Microsoft Graph to access SharePoint.
I just want the app to have permissions to read/write lists/files in this one SharePoint site, not any others (we have loads of sites for other departments). I feel like we should be adding permissions for this app (its service principal?) somewhere on the SharePoint site we want to access, but what permissions do I need to setup and where so this app can only access this one site?
Azure AD app registration now allows for granular access to SharePoint site collection, there is a new option Sites.Selected under Azure AD App Registration - Request API Permissions - refer to https://developer.microsoft.com/en-us/graph/blogs/controlling-app-access-on-specific-sharepoint-site-collections/
Unfortunately, this feature is still missing. It is not possible to limit the permissions to only one SharePoint site. It's either access to all SharePoint sites in the organisation or none. Check out the user vote for more information: here. Microsoft is still working on providing a way to limit the access to specific resources.
How can i restrict users access to their OneDrive account in office365 without disabling license?
You could use Conditional Access to disable access to OneDrive for everyone who is not a member of a certain security group.
From an implementation standpoint I would not recommend this approach though as your users will still see OneDrive and SharePoint in all their apps and webportal, but get an error when they are trying to connect. Which will likely confuse them.
While you say you don't want to disable the licenses, you could use group based licensing in Azure AD. This not only allows you to assign licenses to users based on group memberships automatically, but also select which features of a given license should be enabled for members of this group.
When a user needs a license simply switch from one group with OneDrive Disabled to the other with OneDrive enabled. This will give your users a better experience until you actually enable OneDrive for them.
I have the app that uses OneDrive API (MS graph) to access OneDrive free accounts and OneDrive for business.
The app works fine.
In docs of the API i can see same API can be used also to access Sharepoint Online sites data.
How to do this? When i auth a user who has Sharepoint Online account with MS graph, there is only his drive (ondrive) but there is no his site listed.
How to get access to his sharepoint site too using same API?
I have found how to work with sites using the Graph API.
To get list of sites there is the call
GET /v1.0/sites/
Then use the SITEID to get list of drives (in fact, top level folders)
GET /v1.0/sites/SITEID/drives
Then to get contents of a drive user
GET /v1.0/sites/SITEID/drives/DRIVEID/root/children
And all next calls are same as for onedrive drive
However, there is the problem i still can not solve. How to create new top level folder (new drive on a site). There is no API call for this
I believe what you are looking for is the sites API. It lets you interact with a SharePoint site if you know the path or the id of the site. You can find the documentation for the api here:
https://dev.onedrive.com/resources/site.htm
There is no easy way to discover sites as of now. You can however search for a site. You can read more about it here:
https://dev.onedrive.com/sites/search.htm
This endpoint to get the list of sites is not working, so the last answer is not valid anymore.
https://graph.microsoft.com/v1.0/sites
I haven't found a way to do this, the discovery of sites, without admin consent. If the admin consent flow is not a problem you can try this workaround, use the endpoint of groups to ask for the groups that the user is member of, and you can use the groups to get the document libraries of the user.
To get the groups:
GET https://graph.microsoft.com/v1.0/me/memberOf
With the group id, you can use this endpoint:
GET https://graph.microsoft.com/v1.0/groups/{group-id}/drive
So if someone know how to do the discovery of sites for a user without admin consent, please share.
EDIT: I'm not sure why my answer was deleted, my answer basically has 2 things:
I gave notice that one answer here is not valid anymore.
I gave a possible other solution to the problem.
If I create a blueprint at apiary.io, then grant Editor rights to a few other folks, is there any lingering specialness about "me"?
If so, how can I figure out who "owns" the bp?
In particular, I have created Apiary accounts for several email addresses, and made them all editors. I'm now trying to use the CLI (github: apiaryio/apiary-client). It tells me "403 Forbidden" when I use a token generated (at login.apiary.io/tokens) for several "Editor" accounts. How can I pick the "true owner" account (which, obviously, I've forgot) to try the CLI against?
You can find the owner name in the documentation header on the left, under the API Project name.
For team APIs, that would be the team name, for personal APIs, it's the name of the user.
To answer your initial question, the owner can access and change the API Settings (e.g. change API Project visibility, connect the API Project to GitHub, etc.). Additionaly, if the owner is a member of a team, they can transfer ownership of their personal API Project to the team.