Graph .NET SDK returns 401 after /content redirect to SharePoint download.aspx #3057
Description
Describe the bug
When downloading a file from SharePoint via Microsoft Graph .NET SDK, the request to:
GET /drives/{driveId}/root:/{path}:/content
returns 302 Found (redirect to SharePoint download.aspx?...&tempauth=...), and the SDK then follows the redirect but ends up with 401 Unauthorized (HTML response).
This started happening without any intentional Azure/Entra configuration change (same app registration / same permissions). The file downloads fine if I paste the redirected download.aspx?...tempauth=... URL into a browser session, but fails from the SDK HTTP pipeline.
Expected behavior
The SDK should successfully download the file content when calling:
GET https://graph.microsoft.com/v1.0/drives/{driveId}/root:/{path}:/content
even if it results in a redirect, or at least provide a clear error/diagnostic if the redirected request cannot be completed.
How to reproduce
- Authenticate with delegated permissions (Files.ReadWrite.All, Sites.ReadWrite.All, etc.)
- Resolve drive id from a SharePoint site:
GET /sites/{siteId}/drives=> 200 OK - Resolve metadata:
GET /drives/{driveId}/root:/{path}:/=> 200 OK - Download:
GET /drives/{driveId}/root:/{path}:/content - Observe
302then redirectedGETyields401
SDK Version
5.100
Latest version known to work for scenario above?
No response
Known Workarounds
No response
Debug output
Click to expand log
#### GET DRIVE (OK)
Information: Graph => "GET" https://graph.microsoft.com/v1.0/sites/{tenant}.sharepoint.com%2C{siteGuid1}%2C{siteGuid2}/drives
Debug : ReqHeader "Accept": "application/json"
Debug : ReqHeader "Authorization": "Bearer {REDACTED}"
Debug : ReqHeader "User-Agent": "kiota-dotnet/1.21.1"
Debug : ReqHeader "SdkVersion": "graph-dotnet-core/3.2.5 (...; runtimeEnvironment=.NET 8.0.23;)"
Debug : ReqHeader "client-request-id": "{optional-redacted-guid}"
Information: Graph <= 200 "OK" Content-Type="application/json"
#### GET METADATA (OK)
Information: Graph => "GET" https://graph.microsoft.com/v1.0/drives/{driveId}/root:/{path-to-manifest}:
Debug : ReqHeader "Accept": "application/json"
Debug : ReqHeader "Authorization": "Bearer {REDACTED}"
Information: Graph <= 200 "OK" Content-Type="application/json"
#### GET CONTENT (302)
Information: Graph => "GET" https://graph.microsoft.com/v1.0/drives/{driveId}/root:/{path-to-manifest}:/content
Debug : ReqHeader "Accept": "application/octet-stream,application/json"
Debug : ReqHeader "Authorization": "Bearer {REDACTED}"
Information: Graph <= 302 "Found" Content-Type="application/octet-stream"
#### Redirect Location (redacted tempauth)
Warning : Redirect Location:
https://{tenant}.sharepoint.com/sites/{siteName}/_layouts/15/download.aspx?UniqueId={uniqueId}&Translate=false&tempauth={REDACTED}&ApiVersion=2.0
#### GET CONTENT (REDIRECT) => 401
Information: Graph => "GET" https://{tenant}.sharepoint.com/sites/{siteName}/_layouts/15/download.aspx?UniqueId={uniqueId}&Translate=false&tempauth={REDACTED}&ApiVersion=2.0
Debug : ReqHeader "Accept": "application/octet-stream,application/json"
Debug : ReqHeader "User-Agent": "kiota-dotnet/1.21.1"
Debug : ReqHeader "Accept-Encoding": "gzip,deflate,br"
Information: Graph <= 401 "Unauthorized" Content-Type="text/html"
Debug : [.] Graph RespHeader "WWW-Authenticate": " error=\"insufficient_claims\",claims=\"{CLAIMS}=\""
Configuration
No response
Other information
- Is the SDK expected to follow SharePoint
download.aspx?tempauth=...redirects automatically? - Should specific headers/cookies be preserved/added for the redirected request?
- If this is due to Conditional Access / CAE claims challenge, how should the SDK surface it when the final response is HTML 401 from SharePoint rather than JSON from Graph?