MS Graph, daemon app 401 unauthorized on Files.ReadWrite.All calls

Question

UPDATE: I've received notice from Microsoft that this problem is a bug in the Graph API. They're working on a solution.

I'm using the new v2.0 OAuth flow to authenticate my app for use with Microsoft Graph to make it able to list any users files, download and upload files in any users OneDrive and set permissions to files. This without the user being logged in, that is running it as a service account/daemon.

I've set up a new "Converged application" in the new Application Registration Portal. I've set all necessary scopes/application permission, including Files.ReadWrite.All. (I actually checked all possible boxes...). In the Microsoft Graph docs this should be the only scope necessary when calling the endpoints I'm interested in:

/v1.0/users/{userID}/drive
/v1.0/users/{userID}/drive/items/{ItemID}/children
/v1.0/users/{userID}/drive/items/{ItemID}/content
/v1.0/users/{userID}/drive/items/{ItemID}/invite
/v1.0/users/{userID}/drive/items/{ItemID}/createLink    

Then I've followed the documentation for the Client Credentials flow, including giving Admin Consent to the app for use in my company tenant.

I'm successfully receiving an access token. After receiving the access token I've double checked at jwt.io that the token actually contains all scopes (incl. Files.ReadWrite.All).

I'm able to use this access token to get any user's drive and list any users files (the first two endpoints listed above). I've also tried to get thumbnails of any users files which works fine. But as soon as I try to download a file, add permissions to a file or create a Sharing Link (the last three endpoints listed above), I receive an 401 Unauthorized error. From this, I assume the scope Files.Read.All works fine, but the scope Files.ReadWrite.All is not working.

As to what I can understand from the Scopes documentation, the scopes I'm trying to use should work. It the "App-only permissions requiring administrator's consent" section, it describes Files.ReadWrite.All as:

Allows the app to read, create, update and delete all files in all site collections without a signed in user.

I've hit a wall. Are there limitations to the new v2.0 OAuth token and/or Microsoft Graph regarding App-Only access that I'm missing?

Answer 1

Closing the loop for those who stumble on this question. There was an issue with Files.ReadWrite.All in App-Only scenarios when it came to uploading or changing permissions of a file.

The issue with downloading is unrelated. Authorization errors when downloading a file stem from passing an Authorization header in the download request. The `/content/ endpoint returns a URL that can be used to download the file. This is a pre-authorized URL that exists for a short period of time. Passing an Authorization header in that request results in an error since it doesn't expect to receive such a header, nor can it determine which credentials it should use (super-oversimplification but this the general idea).