Hello Jan C
To create an application that accesses and reads data from OneDrive in another tenant using the Microsoft Graph API without user interaction, you'll need to follow the client credential flow.
It appears that you have successfully registered an Azure AD app and obtained a client ID and client secret, and also confirmed the required scopes. Here, only application scopes are needed (no delegated scopes).
The next step is to generate a consent URL for Tenant Y.
Your application will act on behalf of a tenant without a signed-in user. An administrator from Tenant Y must grant consent to your application to access their OneDrive data.
Here is the format for the consent URL. The admin of Tenant Y should use this URL to grant consent to your app:
GET https://login.microsoftonline.com/{tenantY-Id}/adminconsent?
client_id=00001111-aaaa-2222-bbbb-3333cccc4444
&state=12345
&redirect_uri=http://localhost/myapp/permissions
Once this is successfully done, it will redirect to the redirect_uri. Here is the format:
http://localhost/myapp/permissions?tenant=aaaabbbb-0000-cccc-1111-dddd2222eeee&state=state=12345&admin_consent=True
If admin_consent=True, it means consent is successful.
For more details, refer to this link: https://video2.skills-academy.com/en-us/entra/identity-platform/v2-oauth2-client-creds-grant-flow#request-the-permissions-from-a-directory-admin
Now, you can query Tenant Y’s OneDrive data using the client credential flow.
If you wish to use the Python GraphClient, here is a sample for you:
```python
from configparser import SectionProxy

from azure.identity.aio import ClientSecretCredential
from msgraph import GraphServiceClient


class Graph:
    settings: SectionProxy
    client_credential: ClientSecretCredential
    app_client: GraphServiceClient

    def __init__(self, config: SectionProxy):
        # Read the app registration details from the config section
        self.settings = config
        client_id = self.settings['clientId']
        tenant_id = self.settings['tenantId']
        client_secret = self.settings['clientSecret']

        # App-only (client credentials) authentication, no signed-in user
        self.client_credential = ClientSecretCredential(tenant_id, client_id, client_secret)
        self.app_client = GraphServiceClient(self.client_credential)  # type: ignore

    async def get_app_only_token(self):
        # .default requests the application permissions already consented to
        graph_scope = 'https://graph.microsoft.com/.default'
        access_token = await self.client_credential.get_token(graph_scope)
        return access_token.token

    async def make_one_drive_graph_call(self):
        # INSERT YOUR CODE HERE
        return
```
If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.
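Added example, not part of the original answer: one way to generate the admin consent URL with a random per-request `state` and to validate the redirect before treating consent as granted. The function names `build_admin_consent_url` and `verify_consent_callback` are hypothetical, and the check assumes Tenant Y is identified by its directory (GUID) ID.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORITY = "https://login.microsoftonline.com"


def build_admin_consent_url(tenant_id: str, client_id: str, redirect_uri: str):
    """Return (url, state); keep state server-side until the redirect arrives."""
    state = secrets.token_urlsafe(32)  # unpredictable, one per consent request
    query = urlencode({"client_id": client_id, "state": state,
                       "redirect_uri": redirect_uri})
    return f"{AUTHORITY}/{tenant_id}/adminconsent?{query}", state


def verify_consent_callback(callback_url: str, expected_state: str,
                            expected_tenant: str) -> str:
    """Return the consenting tenant ID, or raise ValueError."""
    params = parse_qs(urlsplit(callback_url).query)

    def single(name: str) -> str:
        values = params.get(name, [])
        if len(values) > 1:  # repeated parameters are ambiguous: reject
            raise ValueError(f"duplicate parameter: {name}")
        return values[0] if values else ""

    # Check state first: a redirect we did not initiate is not trusted at all.
    if not expected_state or not hmac.compare_digest(
            single("state").encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if single("error"):  # e.g. the admin cancelled the request
        raise ValueError(f"consent failed: {single('error')}")
    if single("admin_consent").lower() != "true":
        raise ValueError("admin consent not granted")
    # Assumption: expected_tenant is Tenant Y's directory (GUID) ID.
    if single("tenant").lower() != expected_tenant.lower():
        raise ValueError("consent came from an unexpected tenant")
    return single("tenant")


if __name__ == "__main__":
    # Constructed sample values (the placeholder IDs used in the answer above).
    tenant_y = "aaaabbbb-0000-cccc-1111-dddd2222eeee"
    redirect_uri = "http://localhost/myapp/permissions"
    url, state = build_admin_consent_url(
        tenant_y, "00001111-aaaa-2222-bbbb-3333cccc4444", redirect_uri)
    print(url)
    callback = f"{redirect_uri}?tenant={tenant_y}&state={state}&admin_consent=True"
    print(verify_consent_callback(callback, state, tenant_y))
```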