f:: OneDrive
- Microsoft Graph Dev Center | APIs and app development
- Graph Explorer | Try Microsoft Graph APIs - Microsoft Graph
Permissions
Permission types
Delegated permissions
Delegated permissions, also called scopes, are used in the delegated access scenario. They’re permissions that allow the application to act on behalf of a signed-in user. However, the application will never be able to access anything the signed-in user couldn’t access.
Application permissions
Application permissions, also called app roles, are used in the app-only access scenario, without a signed-in user present. The application will be able to access any data that the permission is associated with. For example, an application granted the Files.Read.All application permission will be able to read any file in the organization.
For apps that access resources and APIs without a signed-in user, the application permissions can be consented to by an administrator when the app is installed in the tenant or through the Microsoft Entra admin center. Only an administrator can consent to application permissions.
Comparison of delegated and application permissions
| | Delegated permissions | Application permissions |
|---|---|---|
| Types of apps | Web app / Mobile / Single-page app (SPA) | Web / Daemon |
| Access context | Get access on behalf of a user | Get access without a user |
| Who can consent | Users can consent for their data; admins can consent for all users | Only admin can consent |
| Other names | Scopes; OAuth2 permissions | App roles; app-only permissions; direct access permissions |
| Result of consent | oAuth2PermissionGrant | appRoleAssignment |
| Supported signInAudience types | AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount | AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount |
Best practices for using Microsoft Graph permissions
Microsoft Graph exposes granular permissions that allow an app to request only the permissions it requires to function. Granular permissions allow you to apply the principle of least privilege when assigning and granting permissions to an app, by granting the app the minimum permission it needs for the operation.
Granting an application more privileges than it needs is a poor security practice that exposes an app to unauthorized and unintended access to data or operations. Also, requesting more permissions than necessary may cause users to refrain from consenting to an app, affecting an app’s adoption and usage.
Apply the principle of least privilege when assigning and granting Microsoft Graph permissions to an app. For more information, see Enhance security with the principle of least privilege and Building apps that secure identity through permissions and consent.
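A small audit helper, added here as an example (it is not code from the Microsoft Graph documentation), that reads the permissions an Entra ID access token actually carries and compares them with the minimum an operation needs. Delegated permissions arrive in the token's space-separated `scp` claim and application permissions in its `roles` claim; the sample tokens are constructed, unsigned and for this example only, and the `required` sets are a policy chosen for illustration.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build an UNSIGNED token carrying `claims` (constructed test data only).

    Real Entra ID access tokens are signed; the third segment here is a placeholder.
    """
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.signature-placeholder"


def decode_claims(token: str) -> dict:
    """Return the payload claims WITHOUT validating the signature.

    Signature, issuer, audience and expiry are validated by the API that receives
    the token (Microsoft Graph); this helper only inspects what was granted and
    must never be used to make an authorization decision.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_permissions(claims: dict) -> tuple:
    """Classify the token and return (kind, permissions).

    A delegated token lists its scopes in the space-separated 'scp' claim and can
    never exceed what the signed-in user may access; an app-only token lists its
    app roles in the 'roles' array and is bounded only by those roles.
    """
    if "scp" in claims:
        return "delegated", set(claims["scp"].split())
    if "roles" in claims:
        return "application", set(claims["roles"])
    return "none", set()


def audit_token(token: str, required: set) -> dict:
    """Compare granted permissions with the least-privileged set an operation needs.

    'missing' means the call will be refused; 'excess' means the app was granted
    more than this operation needs and the grant should be reviewed.
    """
    kind, granted = granted_permissions(decode_claims(token))
    return {
        "kind": kind,
        "missing": sorted(required - granted),
        "excess": sorted(granted - required),
    }


# Constructed sample tokens (not real tokens). The permission names are real
# Graph permissions; the object id is a placeholder.
DELEGATED_TOKEN = make_sample_token({
    "aud": "https://graph.microsoft.com",
    "scp": "Files.Read User.Read",
    "oid": "00000000-0000-0000-0000-000000000000",
})
APP_ONLY_TOKEN = make_sample_token({
    "aud": "https://graph.microsoft.com",
    "roles": ["Files.Read.All", "Mail.Read"],
    "oid": "00000000-0000-0000-0000-000000000000",
})

if __name__ == "__main__":
    # A delegated app reading the signed-in user's files needs Files.Read (plus
    # User.Read for sign-in); this token carries exactly that.
    print(audit_token(DELEGATED_TOKEN, {"Files.Read", "User.Read"}))
    # A daemon reading every file in the tenant needs Files.Read.All; Mail.Read
    # is excess privilege that should not have been consented to.
    print(audit_token(APP_ONLY_TOKEN, {"Files.Read.All"}))
```

Run it against a real token by pasting the access token string in place of the constructed ones; the `excess` list is what an admin reviewing the consent grant should be asked about.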
Files
You can use Microsoft Graph to create an app that connects with files across OneDrive, OneDrive for Business, and SharePoint document libraries. With Microsoft Graph, you can build a variety of experiences with files stored in Microsoft 365, from simply storing user documents to complex file-sharing scenarios.
Microsoft Graph exposes two resource types for working with files:
- Drive - Represents a logical container of files, like a document library or a user’s OneDrive.
- DriveItem - Represents an item within a drive, like a document, photo, video, or folder.
Upload
The simple upload API allows you to provide the contents of a new file or update the contents of an existing file in a single API call. This method only supports files up to 4MB in size.
To upload a new file
PUT /drives/{drive-id}/items/{parent-id}:/(unknown):/content
To replace an existing item
PUT /drives/{drive-id}/items/{item-id}/content
Resumable Upload
Create an upload session to allow your app to upload files up to the maximum file size. An upload session allows your app to upload ranges of the file in sequential API requests, which allows the transfer to be resumed if a connection is dropped while the upload is in progress.
Uploading a file with an upload session takes two steps. First, create the session:
POST /drives/{driveId}/items/{itemId}/createUploadSession
If the request succeeds, the response is an UploadSession resource describing where the remaining requests should be sent.
This resource provides the URL to which the file's byte ranges should be uploaded and the time at which the upload session expires. Second, upload the file to that URL in sequential byte-range requests.
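An added example (not Microsoft's code) that chooses between the simple upload and an upload session by file size, splits the file into `Content-Range` requests, and resumes after a dropped connection by asking the session which ranges it still needs. It relies on two documented behaviours the notes above do not spell out: range PUTs go to the session's `uploadUrl` without the Graph bearer token, because that URL is already authenticated, and a `GET` on the `uploadUrl` returns the session's `nextExpectedRanges`. It uses the path-addressed form of createUploadSession (`:/{filename}:/createUploadSession`) so a new file can be named. The `send` transport and `FakeUploadService` are stand-ins constructed for offline use; drive, folder and URL values are placeholders.

```python
SIMPLE_UPLOAD_LIMIT = 4 * 1024 * 1024   # simple PUT .../content handles files up to 4 MB
RANGE_SIZE = 10 * 320 * 1024            # 3,276,800 bytes; Graph asks for multiples of 320 KiB


def simple_upload_request(drive_id, parent_id, filename, data):
    """Single PUT that creates (or replaces) the file in one call."""
    path = f"/drives/{drive_id}/items/{parent_id}:/{filename}:/content"
    return ("PUT", path, {"Content-Type": "application/octet-stream"}, data)


def create_session_request(drive_id, parent_id, filename):
    """Step 1: ask Graph for an UploadSession (path-addressed createUploadSession)."""
    path = f"/drives/{drive_id}/items/{parent_id}:/{filename}:/createUploadSession"
    return ("POST", path, {"Content-Type": "application/json"}, b"{}")


def range_request(upload_url, data, offset):
    """Step 2: one PUT carrying bytes [offset, end] of the file to the uploadUrl.

    The uploadUrl is pre-authenticated, so no Authorization header is sent: the
    Graph bearer token must not be handed to the upload host.
    """
    end = min(offset + RANGE_SIZE, len(data)) - 1
    chunk = data[offset:end + 1]
    headers = {"Content-Length": str(len(chunk)),
               "Content-Range": f"bytes {offset}-{end}/{len(data)}"}
    return ("PUT", upload_url, headers, chunk)


def resume_offset(session_status):
    """First byte the service still needs, e.g. nextExpectedRanges ["6553600-"]."""
    return min(int(r.split("-")[0]) for r in session_status["nextExpectedRanges"])


def upload(send, drive_id, parent_id, filename, data):
    """Upload `data`: simple API when it fits, resumable session otherwise.

    `send(method, url, headers, body)` is the transport; it returns the parsed
    JSON response and raises ConnectionError if the connection drops.
    """
    if len(data) <= SIMPLE_UPLOAD_LIMIT:
        return send(*simple_upload_request(drive_id, parent_id, filename, data))
    session = send(*create_session_request(drive_id, parent_id, filename))
    offset = 0
    while offset < len(data):
        try:
            resp = send(*range_request(session["uploadUrl"], data, offset))
        except ConnectionError:
            # Dropped mid-range: query the session and continue from what it lacks.
            offset = resume_offset(send("GET", session["uploadUrl"], {}, None))
            continue
        if "nextExpectedRanges" not in resp:   # final range: response is the driveItem
            return resp
        offset = resume_offset(resp)
    raise RuntimeError("upload session ended without returning a driveItem")


class FakeUploadService:
    """Offline stand-in for Graph plus the upload host (constructed for this example).

    Drops the connection once, on the first attempt at the second range, so the
    resumption path is exercised.
    """
    UPLOAD_URL = "https://upload.example.invalid/session-PLACEHOLDER"

    def __init__(self):
        self.received = bytearray()
        self.calls = []
        self.dropped_once = False

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url))
        if url.endswith("/createUploadSession"):
            return {"uploadUrl": self.UPLOAD_URL, "nextExpectedRanges": ["0-"]}
        if url.endswith(":/content"):                      # simple upload
            self.received[:] = body
            return {"id": "item-PLACEHOLDER", "size": len(body)}
        if method == "GET":                                # session status query
            return {"nextExpectedRanges": [f"{len(self.received)}-"]}
        spec = headers["Content-Range"][len("bytes "):]    # "start-end/total"
        start, total = int(spec.split("-")[0]), int(spec.split("/")[1])
        if start > 0 and not self.dropped_once:
            self.dropped_once = True
            raise ConnectionError("simulated dropped connection")
        assert start == len(self.received), "ranges must arrive in order"
        self.received += body
        if len(self.received) == total:
            return {"id": "item-PLACEHOLDER", "size": total}
        return {"nextExpectedRanges": [f"{len(self.received)}-"]}


def demo(size):
    """Upload `size` bytes of constructed data through the fake service."""
    service = FakeUploadService()
    data = bytes(range(256)) * (size // 256)
    item = upload(service, "drive-PLACEHOLDER", "folder-PLACEHOLDER", "sample.bin", data)
    return service, data, item


if __name__ == "__main__":
    service, data, item = demo(8 * 1024 * 1024)
    print(item, [m for m, _ in service.calls])   # one POST, four PUTs (one retried), one GET
```

To use it against Graph, replace `FakeUploadService` with a `send` that performs the HTTP call, adds the bearer token only for `/drives/...` paths, and raises `ConnectionError` on transport failures.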
Create sharing link
You can use the createLink action to share a DriveItem via a sharing link.
The createLink action will create a new sharing link if the specified link type doesn’t already exist for the calling application. If a sharing link of the specified type already exists for the app, the existing sharing link will be returned.
DriveItem resources inherit sharing permissions from their ancestors.
POST /drives/{driveId}/items/{itemId}/createLink
Request body
The body of the request defines properties of the sharing link your application is requesting. The request should be a JSON object with the following properties.
Name | Type | Description |
---|---|---|
type | string | The type of sharing link to create. Either view, edit, or embed. |
password | string | The password of the sharing link that is set by the creator. Optional and OneDrive Personal only. |
expirationDateTime | string | A string in the format yyyy-MM-ddTHH:mm:ssZ (UTC) that indicates when the permission expires. |
retainInheritedPermissions | Boolean | Optional. If true (default), any existing inherited permissions are retained on the shared item when sharing this item for the first time. If false, all existing permissions are removed when sharing for the first time. |
scope | string | Optional. The scope of link to create. Either anonymous, organization, or users. |
Link types
The following values are allowed for the type parameter.
Type value | Description |
---|---|
view | Creates a read-only link to the DriveItem. |
edit | Creates a read-write link to the DriveItem. |
embed | Creates an embeddable link to the DriveItem. This option is only available for files in OneDrive personal. |
Scope types
The following values are allowed for the scope parameter. If the scope parameter is not specified, the default link type for the organization is created.
Value | Description |
---|---|
anonymous | Anyone with the link has access, without needing to sign in. This may include people outside of your organization. Anonymous link support may be disabled by an administrator. |
organization | Anyone signed into your organization (tenant) can use the link to get access. Only available in OneDrive for Business and SharePoint. |
users | Share only with people you choose inside or outside the organization. |
- Links created using this action do not expire unless a default expiration policy is enforced for the organization.
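An added example (not from the Graph documentation) that builds the createLink request body from the tables above, enforces the constraints they state (allowed type and scope values, embed links and passwords only on OneDrive personal, the yyyy-MM-ddTHH:mm:ssZ expiry format), and returns review codes for the combinations a defender would want to see before the link exists: anonymous links, anonymous edit links, and anonymous links with no expiry. The review codes and the `personal_account` flag are this example's own; `EXAMPLE_NOW` is a fixed timestamp so the output is reproducible.

```python
from datetime import datetime, timedelta, timezone

LINK_TYPES = {"view", "edit", "embed"}
LINK_SCOPES = {"anonymous", "organization", "users"}
EXAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock for the demo


def build_create_link_body(link_type, scope=None, expires_in_days=None, password=None,
                           retain_inherited=True, personal_account=False, now=None):
    """Build the JSON body for POST .../createLink, enforcing the documented constraints.

    `personal_account` says whether the target is OneDrive personal, the only place
    embed links and link passwords are available. `now` is injectable for testing.
    """
    if link_type not in LINK_TYPES:
        raise ValueError(f"type must be one of {sorted(LINK_TYPES)}")
    if scope is not None and scope not in LINK_SCOPES:
        raise ValueError(f"scope must be one of {sorted(LINK_SCOPES)}")
    if link_type == "embed" and not personal_account:
        raise ValueError("embed links are only available in OneDrive personal")
    if password is not None and not personal_account:
        raise ValueError("link passwords are only available in OneDrive personal")

    body = {"type": link_type}
    if scope is not None:
        body["scope"] = scope
    if expires_in_days is not None:
        expires = (now or datetime.now(timezone.utc)) + timedelta(days=expires_in_days)
        body["expirationDateTime"] = expires.strftime("%Y-%m-%dT%H:%M:%SZ")  # yyyy-MM-ddTHH:mm:ssZ
    if password is not None:
        body["password"] = password
    if not retain_inherited:
        body["retainInheritedPermissions"] = False
    return body


def review_link_request(body):
    """Return review codes for a createLink body, broadest exposure first.

    The codes are this example's labels for what the scope table implies.
    """
    findings = []
    scope = body.get("scope")
    if scope == "anonymous":
        findings.append("ANONYMOUS")            # anyone with the link, no sign-in required
        if body.get("type") == "edit":
            findings.append("ANONYMOUS_EDIT")   # anyone with the link can modify the item
        if "expirationDateTime" not in body:
            findings.append("NO_EXPIRY")        # lives until revoked or an org default policy expires it
    elif scope is None:
        findings.append("DEFAULT_SCOPE")        # the organization's default link type decides exposure
    if body.get("retainInheritedPermissions") is False:
        findings.append("DROPS_INHERITED")      # existing inherited permissions are removed
    return findings


if __name__ == "__main__":
    body = build_create_link_body("view", scope="anonymous", expires_in_days=7, now=EXAMPLE_NOW)
    print(body, review_link_request(body))
    print(review_link_request({"type": "edit", "scope": "anonymous"}))
```

In practice the review codes would gate the POST: an `ANONYMOUS_EDIT` or `NO_EXPIRY` request is the one to route to a human or reject under the organization's sharing policy.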
Download file
Download the contents of the primary stream (file) of a driveItem. Only driveItems with the file property can be downloaded.
GET /drives/{drive-id}/items/{item-id}/content