Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
1.1k views
in Technique[技术] by (71.8m points)

office365 - Problems with Microsoft Graph - DriveItem Add Permission

I'm trying to Share Files on a SharePoint Document Library that I have as a part of an Office 365 Developer Program instance.

My AD has a variety of users, some "native" users created in the AD manually and the rest are "guests" from different domains that my team and I work for.

I'm executing the following API request on the graph via code using NestJs (as per snippet). I've all the required Delegated Permissions in the Application Registration to do everything too.

REST View:

POST /drives/{drive-id}/items/{item-id}/invite

{ "requireSignIn": true, "sendInvitation": false, "roles": [ "sp.full control" ], "recipients": [ { "email": "xxx.xxx@xxx.com" } ] }

Code View:

    //build list of all to add: PL, PLB, Main, Current User and whatever is added in DTO
    const participantsToAdd = [project.projectLead]
      .concat(project.projectLeadBackup)
      .concat(project.participants.filter(p => newRoles.includes(p.participantRole.name)).map(p => p.user))      
      .map(u => ({
        oid: u.microsoftId,
        mail: u.mail,
      }));

    const permission = {
      recipients: participantsToAdd.map(p => ({ email: p.mail })),      
      requireSignIn: true,
      sendInvitation: false,
      roles: ['sp.full control'],
    };

    // add the right permissions to the file    
    const result = await client.api(`/drives/${this.libraryId}/items/${fileId}/invite`).post(permission);

The above code is building up a list of "User" objects which contain an "oid" which I use later, and a "mail" object. I give these users "sp.full control" role on a file. Some are granted direct access and others are given links (grantedToIndentities) with write permissions.

This only seems to be happening when Guests on the active directory make the request; though it's only occurring for some guests. Two guest users in particular that I grant access to are fine, they get "Direct Access". Others go into the "link sharing" category. I don't see any differences in the users in AD anywhere.

I've tried looking through all admin sites (SharePoint, M365) and tweaked External Sharing permissions but the problem still persists.

When I invoke the action from a "native" user on AD to the Graph using the same request, it all works fine. All users (native and guests) are added with "direct access".

Can anyone share any thoughts? Hope I've given enough info.

Snippet from Graph response: Image

question from:https://stackoverflow.com/questions/65907239/problems-with-microsoft-graph-driveitem-add-permission

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

I hope this helps someone but when I exclusively use the "User Principal Name" of the user instead of the "Email" in the Graph request everything is fine, for both types of user "Members" and "Guests".

Example:

const permission = {
      recipients: [{email: 'first.last_extdomain.com#EXT#@domain.onmicrosoft.com'}],      
      requireSignIn: true,
      sendInvitation: false,
      roles: ['sp.full control'],
    };    

// add the right permissions to the file    
const result = await client.api(`/drives/${this.libraryId}/items/${fileId}/invite`).post(permission);

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...