office365 - Problems with Microsoft Graph - DriveItem Add Permission

Question

I'm trying to Share Files on a SharePoint Document Library that I have as a part of an Office 365 Developer Program instance.

My AD has a variety of users, some "native" users created in the AD manually and the rest are "guests" from different domains that my team and I work for.

I'm executing the following API request on the graph via code using NestJs (as per snippet). I've all the required Delegated Permissions in the Application Registration to do everything too.

REST View:

POST /drives/{drive-id}/items/{item-id}/invite

{ "requireSignIn": true, "sendInvitation": false, "roles": [ "sp.full control" ], "recipients": [ { "email": "[email protected]" } ] }

Code View:

    //build list of all to add: PL, PLB, Main, Current User and whatever is added in DTO
    const participantsToAdd = [project.projectLead]
      .concat(project.projectLeadBackup)
      .concat(project.participants.filter(p => newRoles.includes(p.participantRole.name)).map(p => p.user))      
      .map(u => ({
        oid: u.microsoftId,
        mail: u.mail,
      }));

    const permission = {
      recipients: participantsToAdd.map(p => ({ email: p.mail })),      
      requireSignIn: true,
      sendInvitation: false,
      roles: ['sp.full control'],
    };

    // add the right permissions to the file    
    const result = await client.api(`/drives/${this.libraryId}/items/${fileId}/invite`).post(permission);

The above code is building up a list of "User" objects which contain an "oid" which I use later, and a "mail" object. I give these users "sp.full control" role on a file. Some are granted direct access and others are given links (grantedToIndentities) with write permissions.

This only seems to be happening when Guests on the active directory make the request; though it's only occurring for some guests. Two guest users in particular that I grant access to are fine, they get "Direct Access". Others go into the "link sharing" category. I don't see any differences in the users in AD anywhere.

I've tried looking through all admin sites (SharePoint, M365) and tweaked External Sharing permissions but the problem still persists.

When I invoke the action from a "native" user on AD to the Graph using the same request, it all works fine. All users (native and guests) are added with "direct access".

Can anyone share any thoughts? Hope I've given enough info.

Snippet from Graph response: Image

question from:https://stackoverflow.com/questions/65907239/problems-with-microsoft-graph-driveitem-add-permission

Answer 1

I hope this helps someone but when I exclusively use the "User Principal Name" of the user instead of the "Email" in the Graph request everything is fine, for both types of user "Members" and "Guests".

Example:

const permission = {
      recipients: [{email: 'first.last_extdomain.com#EXT#@domain.onmicrosoft.com'}],      
      requireSignIn: true,
      sendInvitation: false,
      roles: ['sp.full control'],
    };    

// add the right permissions to the file    
const result = await client.api(`/drives/${this.libraryId}/items/${fileId}/invite`).post(permission);