OneDrive for Business auth error #11

Open
JerryFake opened this issue Jan 3, 2022 · 24 comments

JerryFake commented Jan 3, 2022

It seems that there is an error about OneDrive for Business authorization.

```
GET https://graph.microsoft.com/v1.0/drive/special/approot/children 403 (Forbidden)
Uncaught (in promise) Error: Access denied
    at Function.constructErrorFromResponse (eval at <anonymous> (app.js:1), <anonymous>:164:52791)
    at Function.eval (eval at <anonymous> (app.js:1), <anonymous>:164:53055)
    at Generator.next (<anonymous>)
    at eval (eval at <anonymous> (app.js:1), <anonymous>:130:1278)
    at new Promise (<anonymous>)
    at s (eval at <anonymous> (app.js:1), <anonymous>:130:1023)
    at Function.getError (eval at <anonymous> (app.js:1), <anonymous>:164:52996)
    at Ni.eval (eval at <anonymous> (app.js:1), <anonymous>:164:56990)
    at Generator.throw (<anonymous>)
    at s (eval at <anonymous> (app.js:1), <anonymous>:130:1131)
```

And sorry, I typed the wrong word "Onedive".

NJCBY commented Jan 3, 2022

I also use onedrive to sync. There is no error.

fyears changed the title from "Onedive auth error" to "OneDrive for Business auth error" Jan 3, 2022

JerryFake (Author) commented:

> I also use onedrive to sync. There is no error.

I know. But I have an E5 Microsoft Developer account, and what I use is OneDrive for Business, not OneDrive for Personal.

NJCBY commented Jan 3, 2022

E5 may not be useful. I used Joplin before; it supports many drives to sync, but E5 is not useful. If you are an admin, it may work, but I haven't tested it.

fyears (Member) commented Jan 3, 2022

Thank you for your report.

One possibility is that your business account doesn’t allow this plugin’s OAuth2 sign-in (consent from an admin is needed). Another possibility is that the plugin uses the more secure App Folder feature, which is a beta API by MSFT and not implemented for Business accounts. Of course there are other possibilities that I am not aware of.

However, I don’t have any OneDrive for Business account, so I cannot do any further investigation. I will add a comment that the function is only tested working on personal accounts (something like *@outlook.com or *@live.com).

fyears closed this as completed Jan 3, 2022

JerryFake (Author) commented:

> Thank you for your report.
>
> One possibility is that your business account doesn’t allow this plugin’s OAuth2 sign-in (consent from an admin is needed). Another possibility is that the plugin uses the more secure App Folder feature, which is a beta API by MSFT and not implemented for Business accounts. Of course there are other possibilities that I am not aware of.
>
> However, I don’t have any OneDrive for Business account, so I cannot do any further investigation. I will add a comment that the function is only tested working on personal accounts (something like *@outlook.com or *@live.com).

I can offer my E5 account, and I am the admin. Would you like to try to solve it?

fyears (Member) commented Jan 3, 2022

Firstly, thank you, but I do NOT need your account.

I have checked out the docs of OneDrive for Business, and maybe it's possible to add some support. So I am reopening the issue to remind me of the optimizations in the future (when I have more free time...). But it will not be implemented these days, sorry.

fyears reopened this Jan 3, 2022

JerryFake (Author) commented:

> Firstly, thank you, but I do NOT need your account.
>
> I have checked out the docs of OneDrive for Business, and maybe it's possible to add some support. So I am reopening the issue to remind me of the optimizations in the future (when I have more free time...). But it will not be implemented these days, sorry.

JerryFake reopened this Jan 3, 2022

JerryFake (Author) commented:

> Firstly, thank you, but I do NOT need your account.
>
> I have checked out the docs of OneDrive for Business, and maybe it's possible to add some support. So I am reopening the issue to remind me of the optimizations in the future (when I have more free time...). But it will not be implemented these days, sorry.

I get it.

PassionPenguin (Contributor) commented Nov 8, 2022

@fyears thx for your development after all. What I found this time is that after granting admin consent for the account that added the remotely-save application, it's running without any exception.

That is, you may need admin consent before authenticating by an admin user via Azure Active Directory.

First of all, thank you very much for developing this plugin.

I tried it: after granting consent to the account that signed in and added the plugin, everything works normally.

(Admin privileges may be required; I did not add any extra permissions. In other words, to use this plugin, an admin may need to authorize it in AAD.)

Figure 1: Application Overview

Figure 2: Application Consent & Permissions

@sometimes-naaive @hi-yiyang @JerryFake

PassionPenguin (Contributor) commented:

Currently it works well under the admin consent.

CDOccc commented Nov 9, 2022

[image]

[image]

Thanks, it's connected now.

PassionPenguin (Contributor) commented Nov 9, 2022

> Thanks, it's connected now.

Note that if you are an E5 developer account user, it's highly recommended to cover your admin name or account name in case any malicious email attack takes place.

CDOccc commented Nov 9, 2022

> > [image]
> > Thanks, it's connected now.
>
> Note that if you are an E5 developer account user, it's highly recommended to cover your admin name or account name in case any malicious email attack takes place.

Thanks for the reminder, I've already masked it, but the reply you quoted doesn't seem to update the image.

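SkysCrystal commented:

> @fyears thx for your development after all. What I found this time is that after granting admin consent for the account that added the remotely-save application, it's running without any exception.
>
> That is, you may need admin consent before authenticating by an admin user via Azure Active Directory.
>
> First of all, thank you very much for developing this plugin.
>
> I tried it: after granting consent to the account that signed in and added the plugin, everything works normally.
>
> (Admin privileges may be required; I did not add any extra permissions. In other words, to use this plugin, an admin may need to authorize it in AAD.)
>
> Figure 1: Application Overview
>
> Figure 2: Application Consent & Permissions
>
> @sometimes-naaive @hi-yiyang @JerryFake

Thanks for the discussion and sharing; I have also connected to E5 OneDrive successfully.
But I have a question: where in OneDrive are the synced files stored? With a personal OneDrive, connecting remotely-save creates an `应用/remotely-save` (Apps/remotely-save) folder under the root directory. I looked through the E5 account's OneDrive space and found no newly created folder.

I want to find this folder in E5 so that I can back it up later.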

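PassionPenguin (Contributor) commented:

> > @fyears thx for your development after all. What I found this time is that after granting admin consent for the account that added the remotely-save application, it's running without any exception.
> > That is, you may need admin consent before authenticating by an admin user via Azure Active Directory.
> > First of all, thank you very much for developing this plugin.
> > I tried it: after granting consent to the account that signed in and added the plugin, everything works normally.
> > (Admin privileges may be required; I did not add any extra permissions. In other words, to use this plugin, an admin may need to authorize it in AAD.)
> > Figure 1: Application Overview
> > Figure 2: Application Consent & Permissions
> > @sometimes-naaive @hi-yiyang @JerryFake
>
> Thanks for the discussion and sharing; I have also connected to E5 OneDrive successfully. But I have a question: where in OneDrive are the synced files stored? With a personal OneDrive, connecting remotely-save creates an `应用/remotely-save` (Apps/remotely-save) folder under the root directory. I looked through the E5 account's OneDrive space and found no newly created folder.
>
> I want to find this folder in E5 so that I can back it up later.

TBH, I just put the vault inside the drive, thus after syncing it's still there.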

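PassionPenguin (Contributor) commented:

> > > @fyears thx for your development after all. What I found this time is that after granting admin consent for the account that added the remotely-save application, it's running without any exception.
> > > That is, you may need admin consent before authenticating by an admin user via Azure Active Directory.
> > > First of all, thank you very much for developing this plugin.
> > > I tried it: after granting consent to the account that signed in and added the plugin, everything works normally.
> > > (Admin privileges may be required; I did not add any extra permissions. In other words, to use this plugin, an admin may need to authorize it in AAD.)
> > > Figure 1: Application Overview
> > > Figure 2: Application Consent & Permissions
> > > @sometimes-naaive @hi-yiyang @JerryFake
> >
> > Thanks for the discussion and sharing; I have also connected to E5 OneDrive successfully. But I have a question: where in OneDrive are the synced files stored? With a personal OneDrive, connecting remotely-save creates an `应用/remotely-save` (Apps/remotely-save) folder under the root directory. I looked through the E5 account's OneDrive space and found no newly created folder.
> > I want to find this folder in E5 so that I can back it up later.
>
> TBH, I just put the vault inside the drive, thus after syncing it's still there.

The reason I use the plugin is just to open files in mobile Obsidian without syncing the whole folder into my phone.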

SkysCrystal commented Feb 11, 2023

> The reason I use the plugin is just to open files in mobile Obsidian without syncing the whole folder into my phone.

I get it! Thanks for your reply. I will use it more flexibly~

EpicPilgrim commented May 9, 2023

I have granted admin consent to "remotely-save" in my own M365 tenant so I can use OneDrive for Business but the "Remotely Save" modal window in Obsidian is just stuck on "Connecting to OneDrive... Please DO NOT close this modal." Console shows this:

```
start updating local info of OneDrive token
plugin:remotely-save:216 finish updating local info of Onedrive token
plugin:remotely-save:211 Onedrive accessToken updated
app.js:1 Uncaught (in promise) Error: Request failed, status 403
    at new t (app.js:1:1668026)
    at tU (app.js:1:1668218)
    at app.js:1:1668895
    at app.js:1:235927
    at Object.next (app.js:1:236032)
    at a (app.js:1:234750)
```

Any thoughts on what may be different between the people with working Onedrive for Business connections, and myself?

PassionPenguin (Contributor) commented May 11, 2023

> I have granted admin consent to "remotely-save" in my own M365 tenant so I can use OneDrive for Business but the "Remotely Save" modal window in Obsidian is just stuck on "Connecting to OneDrive... Please DO NOT close this modal." Console shows this:
>
> ```
> start updating local info of OneDrive token
> plugin:remotely-save:216 finish updating local info of Onedrive token
> plugin:remotely-save:211 Onedrive accessToken updated
> app.js:1 Uncaught (in promise) Error: Request failed, status 403
>     at new t (app.js:1:1668026)
>     at tU (app.js:1:1668218)
>     at app.js:1:1668895
>     at app.js:1:235927
>     at Object.next (app.js:1:236032)
>     at a (app.js:1:234750)
> ```
>
> Any thoughts on what may be different between the people with working Onedrive for Business connections, and myself?

It's 403, possibly because it's not set up well...
However, I have no OD E5 account at the moment, so I may not be able to check it for you.
You may try checking all the privileges that are required, regenerating an access token for the app, and re-granting the app. After all, OneDrive Business and OneDrive Personal are designed to have the same APIs, meaning that they should work well if you follow the OneDrive Personal docs.

rowansmithau commented:
Confirmed today that as an E3 customer I tried to get remotely-save to work with onedrive, went through the auth process and obsidian sat there trying to process it. At that point I killed it, went into Azure AD > Applications > Enterprise Applications > remotely-save > Permissions and used the Grant Admin Consent button, then opened Obsidian again and ran through the remotely-save onedrive auth process and it now works.

PassionPenguin (Contributor) commented:

> Confirmed today that as an E3 customer I tried to get remotely-save to work with onedrive, went through the auth process and obsidian sat there trying to process it. At that point I killed it, went into Azure AD > Applications > Enterprise Applications > remotely-save > Permissions and used the Grant Admin Consent button, then opened Obsidian again and ran through the remotely-save onedrive auth process and it now works.

That's it. The APIs are the same and the logic should work between different kinds of OneDrive users with the Graph API enabled.

sailcom commented Jul 28, 2023

Note to users who use the E5 developer account:

If you are using a OneDrive (for Business) account for synchronization, your files will be uploaded to the shared library of the enterprise after synchronization, and other personnel in the enterprise (group) have permission to see these files.

Solution:

Log in with an administrator account, adjust the administrative access rights of the remotely-save folder, and delete the access rights of other people. This prevents your private files from being accessed by others.

Users of the E5 developer account, please note:

If you sync with a OneDrive (for Business) account, your files are uploaded to the enterprise's shared library after syncing, and everyone else in the enterprise (group) has permission to see these files.

Solution:

Sign in with an administrator account, adjust the administrative access permissions of the remotely-save folder, and remove other people's access. This keeps your private files from being accessed by others.
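
An added example, not part of sailcom's post or of the plugin's code: one way to check the exposure described above is to list the permissions on the remotely-save folder and flag every entry that is not the vault owner. The sketch assumes the response shape of Microsoft Graph's list-permissions call for a drive item; the function name, ids and names are hypothetical and the sample response is constructed.

```javascript
// Added example: audit who can reach a synced folder.
// Input: the `value` array returned by Microsoft Graph for
//   GET /drives/{drive-id}/items/{item-id}/permissions
// ownerId: directory object id of the account that owns the vault (assumption).
function auditFolderPermissions(permissions, ownerId) {
  const findings = [];
  for (const p of permissions) {
    const roles = (p.roles || []).join(",");
    // Inherited entries come from the parent library and must be changed there
    // (or inheritance broken on the folder) before they disappear.
    const inherited = Boolean(p.inheritedFrom);
    const who = p.grantedToV2 || p.grantedTo || {};
    if (p.link) {
      // "users"-scope links are limited to named people and are not flagged here.
      if (p.link.scope === "anonymous" || p.link.scope === "organization") {
        findings.push({ id: p.id, kind: `link:${p.link.scope}`, roles, inherited });
      }
    } else if (who.siteGroup || who.group) {
      const g = who.siteGroup || who.group;
      findings.push({ id: p.id, kind: `group:${g.displayName}`, roles, inherited });
    } else if (who.user && who.user.id !== ownerId) {
      findings.push({ id: p.id, kind: `user:${who.user.displayName}`, roles, inherited });
    }
  }
  return findings;
}

// Constructed sample response (all ids and names are made up).
const samplePermissions = [
  { id: "p1", roles: ["owner"],
    grantedToV2: { user: { id: "owner-0001", displayName: "Vault Owner" } } },
  { id: "p2", roles: ["write"], inheritedFrom: { id: "root" },
    grantedToV2: { siteGroup: { id: "5", displayName: "Example Site Members" } } },
  { id: "p3", roles: ["read"], link: { scope: "organization", type: "view" } },
  { id: "p4", roles: ["read"],
    grantedToV2: { user: { id: "other-0002", displayName: "Colleague" } } },
  { id: "p5", roles: ["read"], link: { scope: "users", type: "view" } },
];

for (const f of auditFolderPermissions(samplePermissions, "owner-0001")) {
  console.log(`${f.id} ${f.kind} roles=${f.roles}${f.inherited ? " (inherited)" : ""}`);
}
```

An empty result means only the owner (and named-user links) can reach the folder; any inherited finding has to be fixed at the library level rather than on the folder itself.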

dengyakui commented Sep 9, 2023

My E5 OneDrive linked successfully; below are the steps:

  1. Open the Obsidian app's plugin options page and just select OneDrivePersonal; it will work for an E5 Office subscription.

  2. Click the auth button and log in to your E5 account in your browser (your account should be an admin in order to grant permission).

  3. After logging in successfully for the first time, you will be prompted to grant some permissions, but this may fail if your login account is not an admin; you should log in to the Azure portal with an admin account to grant the permissions.

  4. Find the remotely-save application in the EnterpriseApplications menu.

  5. Enter the app settings page, find the permission section, and make sure the requested permissions are granted.

  6. Back on the Obsidian plugin options page, click the auth button again and log in with your normal account; if there is a continue button, you have succeeded.

  7. Click the check button to verify the OneDrive connection is OK.

  8. Click the sync button to sync the local vault's files to OneDrive.

  9. Check the remote vault folder path. By default, the remote vault folder is created on SharePoint, not OneDrive!!!
    You can add a short link to OneDrive for easy access.

  10. After adding the short link, you can visit your vault from OneDrive. Congratulations!

Notes for permission

You should use an admin account to grant the permissions requested by the remotely-save plugin. After the permissions have been granted, you can switch to your normally used account.

fyears (Member) commented Dec 17, 2023

Thank you, everyone, for the detailed screenshots and steps!!! I would like to add a reference in the readme to this issue!!! It seems the key points are granting the permission from an admin, going to SharePoint rather than OneDrive, and paying attention to the permissions visible to others.

Thanks, everyone, for the screenshots and steps! I will update the docs with a link! It looks like there are a few points to note here: admin authorization, SharePoint vs OneDrive, and that documents may be visible to others and need to be configured.
