When I make a copy item request to the Graph API (as per https://learn.microsoft.com/en-us/graph/api/driveitem-copy), I get an "Access Denied" error on the request unless I create a shareable link on the file. My app registration already requests Files.ReadWrite.All. Shouldn't that scope grant access to copy operations for all files without requiring that those files be shared? The documentation makes no note of this sharing requirement.
Here's what my request and response was:
POST https://graph.microsoft.com/v1.0/me/drive/items/01U5HU23DLMANTOZOCBRCKZAXZ22PYNRGR/copy HTTP/1.1
Authorization: Bearer eyJ0...SNIP!!!!...
Accept: application/json
Content-Type: application/json; charset=utf-8
Host: graph.microsoft.com
Content-Length: 211
Expect: 100-continue
{"name" : "Copy-01U5HU23DLMANTOZOCBRCKZAXZ22PYNRGR.pptx", "parentReference" : { "driveId": "b!bLRKCe6UoEmhaguLIR83GAjYCavRyBRLs_igqUdAHTpAwbmf4u0ESLPbDrjCEr2w", "id": "01U5HU23F6Y2GOVW7725BZO354PWSELRRZ" } } }
HTTP/1.1 403 Forbidden
Cache-Control: private
Content-Type: application/json
request-id: 7c26c462-805f-4c26-90e3-8ee22ba719c6
client-request-id: 7c26c462-805f-4c26-90e3-8ee22ba719c6
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"Canada East","Slice":"SliceC","Ring":"2","ScaleUnit":"000","RoleInstance":"AGSFE_IN_10"}}
Strict-Transport-Security: max-age=31536000
Date: Fri, 18 Dec 2020 02:45:37 GMT
Content-Length: 279
{
"error": {
"code": "accessDenied",
"message": "Access denied",
"innerError": {
"date": "2020-12-18T02:45:37",
"request-id": "7c26c462-805f-4c26-90e3-8ee22ba719c6",
"client-request-id": "7c26c462-805f-4c26-90e3-8ee22ba719c6"
}
}
}
Looks like you have Files.Read.All but not Files.ReadWrite.All so according to documentation you need to have Files.ReadWrite.All or Files.ReadWrite as you said.
Also test with Graph Explorer or POSTMAN so that you can debug where the issue is.