Getting 403 Access Denied for /drives/{driveId}?$select=sharepointIds for getting the siteurl for the drive

Yemi Shin 0 Reputation points Microsoft Employee
2025-06-11T17:37:02.7433333+00:00

I have gotten a Graph token with the following permissions:

AuditLog.Read.All Directory.AccessAsUser.All email Group.ReadWrite.All openid profile User.ReadWrite.All

(taken from decoding the token)

Then I sent a GET request to:
https://graph.microsoft.com/v1.0/drives/b!lRZQfeTZQ0C9IoRwG5pqAiArSWyR8NpBioqVzLj3MG9F-3RQf0crQokI7f1IpihS?%24select=sharepointIds

and I know I have access to this drive because it is the drive that my Copilot Notebook is saved to (I got this driveId from the Notebook metadata payload).

But when I send the request I get a 403 forbidden error:

{
    "error": {
        "code": "accessDenied",
        "message": "Access denied",
        "innerError": {
            "date": "2025-06-11T17:31:43",
            "request-id": "b7070808-346a-4220-98b9-f7659aa1bccc",
            "client-request-id": "6dae9add-dbf8-9cad-a6ce-d6e2f40a1e27"
        }
    }
}

Could you help debug this issue? Thank you!


1 answer

  1. PRATIK JADHAV 165 Reputation points Microsoft External Staff Moderator
    2025-06-13T11:38:23.2633333+00:00

    Hello @Yemi Shin

    You are getting the 403 "Access denied" error because your access token doesn't contain sufficient API permissions to list the sharepointIds of your drive.

    I got the same error message.

    To resolve this error, you need to add at least the delegated Files.Read.All permission, or a higher-privileged permission like Sites.Read.All, to your registered application and generate the access token. For more details, refer to this MsDoc.

    For delegated permissions, you can use the authorization_code flow, which requires user interaction. To get the code, I ran the authorization request below in the browser:

    
    https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/authorize?
    client_id=<application-id of your registered application>
    &response_type=code
    &redirect_uri=https://jwt.ms
    &response_mode=query
    &scope=https://graph.microsoft.com/Files.Read.All
    &state=12345
    
    

    After successfully creating the authorization_code, I generated the access token using the parameters below:

    
    POST https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
    Content-Type: application/x-www-form-urlencoded

    client_id: <application-id>
    client_secret: <client-secret>
    scope: https://graph.microsoft.com/Files.Read.All
    grant_type: authorization_code
    code: <authorization_code generated from browser>
    redirect_uri: <REDIRECT_URI>
    
    

    Ensure your generated access token contains scp: Files.Read.All when you decode your token on https://jwt.ms

    Now, for listing the sharePointIds of your drive:

    
    GET https://graph.microsoft.com/v1.0/drives/<drive-id>?&$select=sharePointIds
    
    

    If you are using Microsoft Graph Explorer, you need to add the Files.Read.All permission in the Modify permission tab by adding consent:

    Use the same query:

    
    GET https://graph.microsoft.com/v1.0/drives/<drive-id>?&$select=sharePointIds
    
    


    Reference:

    Get-Drive

    I hope this helps you!


    If this answer was helpful to you, please click "Accept Answer" and mark Yes to help other community members.

    If you have more questions or are still experiencing issues, feel free to ask in the "comments" section and I’ll be happy to assist you.
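
The scope check that the answer does by hand on jwt.ms, as an added Python example that is not part of the original answer: it decodes a token's payload (without verifying the signature, so for diagnostics only) and reports whether `scp` or `roles` carries a permission sufficient for `GET /drives/{id}`. The function names, the constructed sample token, and the inclusion of the ReadWrite variants in the accepted set are assumptions.

```python
import base64
import json

# Permissions the answer names as sufficient for GET /drives/{id}. The
# ReadWrite variants are an assumption (higher-privileged supersets).
SUFFICIENT = {"Files.Read.All", "Files.ReadWrite.All",
              "Sites.Read.All", "Sites.ReadWrite.All"}


def jwt_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature.
    Diagnostic use only: never base an authorization decision on this."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore b64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_permissions(claims: dict) -> set:
    """Delegated tokens carry a space-separated 'scp' string; app-only
    tokens carry a 'roles' list. Collect both."""
    perms = set(claims.get("scp", "").split())
    perms.update(claims.get("roles", []))
    return perms


def check_drive_access(token: str) -> tuple:
    """Return (ok, sorted list of sufficient permissions found)."""
    matched = granted_permissions(jwt_claims(token)) & SUFFICIENT
    return bool(matched), sorted(matched)


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token for offline testing."""
    def enc(obj):
        raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
        return raw.rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed sample mirroring the scopes listed in the question.
QUESTION_TOKEN = make_unsigned_token({
    "scp": "AuditLog.Read.All Directory.AccessAsUser.All email "
           "Group.ReadWrite.All openid profile User.ReadWrite.All"})

if __name__ == "__main__":
    print(check_drive_access(QUESTION_TOKEN))
```

Running the check before calling Graph distinguishes a missing-scope 403 from other access problems without sending the token to a third-party site.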

