无法使用Microsoft Graph以全局管理员身份查询用户的OneDrive业务文件

Question

Logged in and authenticated as the Global Admin in O365 Enterprise subscription, I can query all users using Microsoft Graph. I can also query individual users with the User.Id .

But when I try to query the OneDrive files ( DriveItem ) for any user then I get an empty response and resource not found error. Same error when I use UserPrincipalName instead of Id .

sample request:

/v1.0/users/427d0a15-69db-4ab1-b7ae-542776ef53ed/drive/items

What is the call pattern for a Global Admin to query the drives/drive items of all users in the tenant?

I provided Admin Consent to the application already for these permissions:

public static string[] Scopes = {
    "Files.ReadWrite.All",
    "Sites.Read.All",
    "Sites.ReadWrite.All",
    "Sites.FullControl.All",
    "User.ReadWrite.All",
    "Directory.ReadWrite.All",
    "Directory.AccessAsUser.All"
};

I am using Delegated Permissions and requesting permissions at runtime via the code using PublicClientApplication class if that matters.

Update: I get the same "Resource Not Found" error when I call:

/v1.0/users/427d0a15-69db-4ab1-b7ae-542776ef53ed/drive/root/children

Source code:

IGraphServiceUsersCollectionPage usersCollection =
   await graphClient.Users.Request().GetAsync();

foreach (User user in usersCollection)
{
   IDriveItemChildrenCollectionPage childrenCollection =
    await graphClient.Users[user.Id].Drive.Root.Children.Request().GetAsync();
}

When the Foreach loop iterates first time, the first user is the logged in Global Admin and the call to Drive.Root.Children works correctly, but on consequent iterations for other users, an exception is thrown with error message:

{"Code: itemNotFound\\r\\nMessage: The resource could not be found.\\r\\n\\r\\nInner error\\r\\n"}

Answer 1

You cannot call [/drive/items][1] directly. You need to either provide a DriveItem.Id (ie /drive/items/{id} ) or a path (ie /drive/root/children ).

Try this instead:

/v1.0/users/427d0a15-69db-4ab1-b7ae-542776ef53ed/drive/root/children

Answer 2

After days of trial and error I found out a workaround to the problem which I will post as an answer to help people having similar issues. If a better solution is provided I will accept that answer, so the hunt is still on..

It turns out that the Global O365 Admin does not by default have access to view OneDrive Business folders and files of other users in the tenant.

What I had to do is:

1. Login as the Global Admin to O365 portal
2. Go to Admin Center > Users
3. For each User, expand OneDrive Settings and click on "Access files" This gives permissions to manage that user's OneDrive.

After doing this:

/v1.0/users/427d0a15-69db-4ab1-b7ae-542776ef53ed/drive/root/children

returns properly all children of that users drive items!

I said I will accept a better answer, so to define better:

1. An answer that shows how to do this by code

2. Or an answer that at least shows how to do this with less clicks. Imagine if the tenant has 100K users, the global admin has to click that Access Files button for 100K users one by one! (no bulk settings option available) That s not a great experience and not a practical solution.

Best answer would be: 1 + 2 :)

UPDATE: I found a better workaround, that is if I set the permissions in App Mod, as opposed to Delegated permissions/User Mod. Then the app has access to all users' drives/files in One Drive and there is no need for the global admin to provide himself the permissions as such. The enterprise admin would just need to give consent to the app only once in its lifetime in the enterprise tenant. With this update I will accept this answer.