OneDrive / onedrive-api-docs

Official documentation for the OneDrive API
MIT License

Permission denied for guest users with Search API #1851

Open EinmalIM opened 3 weeks ago

EinmalIM commented 3 weeks ago

We cannot use the Graph search API in SharePoint sites when logged on with a guest account.

[x] bug

Using the Graph Search API (https://graph.microsoft.com/v1.0/search/query) with internal users works as expected.

Executing the same query with a guest user results in http 403 with this response body:

```json
"error": {
  "code": "Forbidden",
  "message": "The service is not authorized for provided user credentials",
  "target": "",
  "httpCode": 403
}
```

We tested with Sites.Read.All, Sites.ReadWrite.All and Sites.FullControl.All - always the same 403.

External sharing is enabled for anyone in the site collections used for testing.

We found this closed issue which ends without a solution: https://github.com/OneDrive/onedrive-api-docs/issues/1039

Expected or Desired Behavior

We expect that guest users can use the Graph Search API

Observed Behavior

Guest users receive HTTP 403 Forbidden when they use the Graph Search API:

```json
{
  "error": {
    "code": "Forbidden",
    "message": "The service is not authorized for provided user credentials",
    "target": "",
    "httpCode": 403
  },
  "Instrumentation": {
    "TraceId": "fc9aa73d-57a9-d86c-6007-abdf6535959f"
  }
}
```

UTC time 13:06

Steps to Reproduce

We can reproduce this with Graph Explorer.

To log in with a guest account, make sure to add the target tenant as a query param in the Graph Explorer URL, like so:

https://developer.microsoft.com/en-us/graph/graph-explorer?tenant=SOMETENANT.onmicrosoft.com

1. Log in with a guest account.
2. Consent to Sites.Read.All.
3. Make sure the guest user has access to at least one site collection.

POST v1.0 to https://graph.microsoft.com/v1.0/search/query with this body:

```json
{
  "requests": [
    {
      "entityTypes": [ "list" ],
      "query": { "queryString": "Vertrag" }
    }
  ]
}
```

Results in 403.
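The reproduction above, scripted as an added example (this is not code from the issue author or from the onedrive-api-docs project). It builds the same request body, posts it to the endpoint named in the issue, and classifies the response so a caller can tell the guest-account 403 quoted above apart from other failures and record the `TraceId` for a support case. The function names, the labels returned (`ok`, `guest_not_authorized`, `forbidden`, `other_error`) and the offline sample body are assumptions made for this example; the endpoint, request body and 403 message text are taken from the issue.

```python
import json
import urllib.error
import urllib.request

# Endpoint named in the issue.
GRAPH_SEARCH_URL = "https://graph.microsoft.com/v1.0/search/query"


def build_search_request(query_string, entity_types=("list",)):
    """Build the request body from the issue's Steps to Reproduce."""
    return {
        "requests": [
            {
                "entityTypes": list(entity_types),
                "query": {"queryString": query_string},
            }
        ]
    }


def classify_search_response(status, body_text):
    """Map a status code and response body to a label a caller can branch on."""
    if status == 200:
        return "ok"
    try:
        body = json.loads(body_text)
    except ValueError:
        return "other_error"
    if not isinstance(body, dict):
        return "other_error"
    error = body.get("error") or {}
    if status == 403 and error.get("code") == "Forbidden":
        # Message text of the 403 quoted in the issue for guest accounts.
        if "not authorized for provided user credentials" in error.get("message", ""):
            return "guest_not_authorized"
        return "forbidden"
    return "other_error"


def extract_trace_id(body_text):
    """Pull Instrumentation.TraceId out of an error body (useful when opening a support case)."""
    try:
        body = json.loads(body_text)
    except ValueError:
        return None
    if not isinstance(body, dict):
        return None
    return (body.get("Instrumentation") or {}).get("TraceId")


def run_search(access_token, query_string):
    """POST the search and return (label, trace_id). Needs a real bearer token; not exercised offline."""
    payload = json.dumps(build_search_request(query_string)).encode("utf-8")
    req = urllib.request.Request(
        GRAPH_SEARCH_URL,
        data=payload,
        method="POST",
        headers={
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
        },
    )
    try:
        with urllib.request.urlopen(req) as resp:
            text = resp.read().decode("utf-8")
            return classify_search_response(resp.status, text), extract_trace_id(text)
    except urllib.error.HTTPError as err:
        # Graph returns the JSON error body on 4xx/5xx; read it from the exception.
        text = err.read().decode("utf-8")
        return classify_search_response(err.code, text), extract_trace_id(text)


# Constructed sample for an offline check: the 403 body quoted in the issue.
SAMPLE_403_BODY = json.dumps({
    "error": {
        "code": "Forbidden",
        "message": "The service is not authorized for provided user credentials",
        "target": "",
        "httpCode": 403,
    },
    "Instrumentation": {"TraceId": "fc9aa73d-57a9-d86c-6007-abdf6535959f"},
})

if __name__ == "__main__":
    print(classify_search_response(403, SAMPLE_403_BODY), extract_trace_id(SAMPLE_403_BODY))
```

`run_search` is the only function that touches the network; the body builder and the two parsers can be checked against the quoted response without a token, which is how the sample at the bottom is used.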