Cross tenant shared file download programmatically

Dear @Fahida VH

Thank you so much for contacting Microsoft Q&A Forum. 

I appreciate for reaching out with your question regarding accessing shared files across tenants using Microsoft Graph. After reviewing your scenario, I’d like to clarify a few important points that may help explain the behavior you're seeing: 

I can see the access is failing, this maybe because Microsoft Graph access tokens are tenant-scoped, meaning they are valid only within the tenant they were issued for. Even in a multi-tenant app, if a user from Tenant B tries to access a file shared by a user in Tenant A using the Shares API, the token will still be scoped to Tenant B. This prevents direct access to the file in Tenant A’s SharePoint. Also, you mentioned that it works well when you can use the following endpoint to list files shared with the signed-in user, including those from external tenants: 

GET /me/drive/sharedWithMe?allowexternal=true

Reference: drive: sharedWithMe - Microsoft Graph v1.0 | Microsoft Learn 

However, it does not work when you are using endpoints like: 

GET /drives/{driveId}/items/{itemId}  
GET /shares/{shareId}

This will fail if the file resides in a different tenant than the token’s origin, even if the user has previously opened the file. 

Besides that, as a forum moderator, I have limitations in my testing environments and cannot access the internal databases to check it further for you. Because of this, I truly apologize you. However, I still tried my best to find several suggestions that you can try to see if they can help you:

To process the file programmatically, you can consider: 

• Using the sharedWithMe endpoint to retrieve metadata and the webUrl. 
• Redirecting the user to the file via webUrl or downloading it manually. 
• If deeper access is needed, consider: 
  • Having the user authenticate in the sender’s tenant. 
    • Using Microsoft Entra B2B to invite the user to the sender’s tenant and grant access. 

You can consult more in here:  

• Microsoft 365 inter-tenant collaboration - Microsoft 365 Enterprise | Microsoft Learn 
• Cross-tenant access settings API overview - Microsoft Graph v1.0 | Microsoft Learn 
• Cross tenant graph API access - Microsoft Q&A 

Also, I found an idea that you may try using the Microsoft Graph Shares API with an encoded SharePoint sharing link to see if it can help. This allows direct access to the shared file, but only if the access token is scoped to the sender’s tenant. To encode a sharing link for use with the API, follow this guide: Access shared items - Microsoft Graph v1.0 | Microsoft Learn 

This method is useful in scenarios where your app can authenticate users in the sender’s tenant or where you control both tenants. 

Kindly note for limitation: this method only works if the access token is issued by the tenant that owns the file. If your app is multi-tenant and the token is from a different tenant (e.g., the recipient’s), the request will fail due to tenant scoping. 

I hope this information can help you to understand about it at the moment and please kindly correct me if I misunderstand your concern.

Wish you a pleasant day!

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". 

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.