Few years back, I released a “proof of concept” script that uses the Graph API endpoints to enumerate all shared files, across all user’s OneDrive for Business site collections within an organization. Due to some recent changes in the underlying Graph API endpoints, I have released an updated version of the script. This article goes over the changes, as I will likely forget about them 🙂
The aforementioned Graph API changes can be found here. In a nutshell, the permissions resource, which the script uses to determine whether a file is shared and who is it shared with, has been updated to provide some additional context. The grantedTo and grantedToIdentities properties the script used thus far will soon be deprecated, and replaced with the newly introduced grantedToV2 and grantedToIdentitiesV2, respectively. In most cases, a SharePointIdentity object will be returned now, which compared to the old identity one has some additional properties, such as the “claim” representing the object within SharePoint Online. The screenshot below shows a comparison between the values of grantedTo and grantedToV2 properties.
The changes in turn make it possible to return an unique identifier for the user, whereas previously the script had to return the ambiguous displayName value in some scenarios. Similarly, we will have the siteUser property with sharePointIdentity object value for the output of grantedToIdentitiesV2 as well.
I also took this opportunity to rework the authentication part of the script and get rid of the ADAL dependencies. The Renew-Token function has been updated to use direct HTTPS requests now, instead of the ADAL methods. As previously required, you still have to enter the tenantID, appID and client_secret values. If you prefer a different method, just replace this part of the script with your own code.
Here’s the link to the script: https://github.com/michevnew/PowerShell/blob/master/Graph_ODFB_shared_files.ps1
I am getting the following error.
VERBOSE: POST with -1-byte payload
VERBOSE: received 1624-byte response of content type application/json; charset=utf-8
Invoke-WebRequest : The remote server returned an error: (403) Forbidden.
At C:\Users\bills\Documents\script\Graph_ODFB_shared_files (2).ps1:223 char:21
+ … { $result = Invoke-WebRequest -Headers $AuthHeader -Uri $uri -Verbose …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
Make sure you are running the script with the required permissions.
I am getting the same error message. I have assigned the application User.Read.All, Sites.ReadWrite.All, and Directory.Read.All. I initially had it as Sites.Read.All, which gave a different error message, but once corrected, it resulted in the same error as above. I also let it sit for a while so if anything needed to apply on the backend, but no luck. Maybe MS changes some things?
I have no trouble running the script. Double-check your permissions and make sure they are actually reflected in the token.