can't use contentStream API

Stefano Padovan 20 Reputation points
2025-11-26T12:53:20.5733333+00:00

I'm trying to use the beta [contentStream](https://learn.microsoft.com/en-us/graph/api/driveitem-get-contentstream?view=graph-rest-beta&tabs=http) API to download drive items.

I'm always getting a 401 error, with HTML content saying:

Invalid audience Uri '00000003-0000-0ff1-ce00-000000000000'

With the same token I'm able to invoke the [content](https://learn.microsoft.com/en-us/graph/api/driveitem-get-content?view=graph-rest-beta&tabs=http) API successfully.
What am I doing wrong?

Microsoft 365 and Office | SharePoint | Development

Answer accepted by question author
  1. Kha-N 5,295 Reputation points Microsoft External Staff Moderator
    2025-12-02T05:44:15.08+00:00

    Hi @StefanoPadovan,

    Thank you so much for clarifying about your personal OneDrive for Business. I’d like to share some additional insights I found on why contentStream works with communication sites but not with your personal OneDrive for Business:

    Based on my research, the contentStream endpoint behaves differently from standard DriveItem calls. Instead of routing requests through the Microsoft Graph Files Service which normally handles token translation and backend compatibility, the contentStream endpoint establishes a direct streaming channel to the underlying file storage backend.


    The error code 00000003-0000-0ff1-ce00-000000000000 refers to the SharePoint resource GUID. When you use contentStream on a communication site, this design works because SharePoint site libraries accept Graph access tokens for direct file retrieval. However, for OneDrive for Business, the backend enforces a stricter audience check. A Graph-scoped token won’t pass because the request bypasses Graph and goes straight to SharePoint, which expects a SharePoint-scoped token. This mismatch causes the 401 “Invalid audience” error you observed.

    Currently, as I checked, Microsoft does not provide documentation stating that contentStream is supported for OneDrive items, nor is there a documented mechanism to supply a SharePoint Online token to this API. This strongly suggests the behavior is by design rather than a configuration or permissions issue.

    Therefore, I suggest raising this request on the Microsoft Feedback Portal. This is where the engineering team reviews customer input to improve Microsoft products. The more voices advocating for this change, the higher the chances that the API will be updated.

    Thank you for your understanding.


4 additional answers

  1. Q&A Assist
    2025-11-26T12:53:32.56+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The 401 error you are encountering, along with the message about an "Invalid audience Uri," typically indicates that the token you are using does not have the necessary permissions for the API you are trying to access. Here are a few steps you can take to troubleshoot this issue:

    1. Check Token Scope: Ensure that the token you are using has the correct scopes for accessing the content stream API. The scopes required for different APIs can vary, and you may need to request additional permissions when obtaining the token.
    2. Audience URI: The audience URI in the token must match the API you are trying to access. Make sure that the token is issued for the correct audience that corresponds to the Microsoft Graph API.
    3. Token Validity: Verify that the token is still valid and has not expired. If necessary, refresh the token and try again.
    4. API Endpoint: Double-check that you are using the correct endpoint for the content stream API. Ensure that there are no typos in the URL.
    5. Permissions: If you are accessing a shared drive or a specific user's drive, ensure that the user or service principal has the necessary permissions to access the item you are trying to download.

    If you continue to experience issues, consider reviewing the API documentation for any specific requirements related to authentication and permissions.



  2. Stefano Padovan 20 Reputation points
    2025-11-26T13:00:18.14+00:00

    Those suggestions are not helpful. Token is valid, since it works for /content endpoint.

    What I noticed instead is that /contentStream is working on communication sites, and failing with 401 on personal OneDrives.

    Note that I'm using an application to invoke the APIs, with Files.Read.All application type permission granted.


  3. Kha-N 5,295 Reputation points Microsoft External Staff Moderator
    2025-11-26T14:26:35.83+00:00

    Hi @StefanoPadovan,

    Welcome to Microsoft Q&A, and thank you very much for reaching out to us.

    Based on your description, you are able to use the Graph API content endpoint to retrieve a personal OneDrive file with the same token, but when calling the contentStream endpoint for personal drives, you get a 401 error with an HTML response saying Invalid audience Uri. Please let me know if I misunderstood.

    Please note that the /beta endpoints in Microsoft Graph are preview features and are subject to change. They may not be fully supported for production use, and their behavior or availability can change without notice.

    From my research, this issue might relate to how the contentStream endpoint validates the token’s audience against the actual storage backend:

    • For SharePoint communication or team sites (hosted under https://{tenant}.sharepoint.com), a token scoped to that host using the SharePoint resource principal 00000003-0000-0ff1-ce00-000000000000 and https://{tenant}.sharepoint.com/.default typically works, and streaming succeeds.
    • However, for personal OneDrive for Business (“My Files”), the storage backend is hosted under https://{tenant}-my.sharepoint.com. When contentStream redirects to this host, continuing with a Microsoft Graph token or a SharePoint token scoped only to sharepoint.com (instead of -my.sharepoint.com) may result in a 401 Invalid audience Uri, because the audience doesn’t match the -my host.

    This difference between sharepoint.com and -my.sharepoint.com might explain why one token works for site libraries but fails for personal OneDrive.

    This summary is based on my findings from the community and several relevant threads. However, it may not accurately reflect the behavior in question. As a Microsoft moderator, I do not have access to your configuration, and my testing environment is limited, so I can only assist you through research and available resources. To help you reach your goal more effectively, I recommend posting a thread on the Microsoft Tech Community forum. It’s a great platform for deeper technical discussions and connecting with individuals who have hands-on experience and expertise. They’re best positioned to provide guidance and valuable insights on this topic.

    I hope this helps.


    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread. 
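
Added example, not part of the original thread or Microsoft's code: a Python check that decodes a token's `aud` claim and predicts whether the host that ends up serving the request would accept it, covering both the Graph-versus-SharePoint mismatch described in the accepted answer and the sharepoint.com versus -my.sharepoint.com mismatch suggested in the answer above. The `contoso` hosts, the helper names and the accepted `aud` forms are assumptions; the sample tokens are constructed and unsigned.

```python
import base64
import json

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph resource app ID
SPO_APP_ID = "00000003-0000-0ff1-ce00-000000000000"    # SharePoint GUID quoted in the 401 body


def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))


def audience_target(aud):
    """Map an aud claim to (service, host). Assumed forms: the Graph URL or GUID,
    'https://<host>' for SharePoint, or '<SharePoint GUID>/<host>@<tenant>'."""
    a = aud.lower().rstrip("/")
    if a in (GRAPH_APP_ID, "https://graph.microsoft.com"):
        return ("graph", "graph.microsoft.com")
    if a.startswith(SPO_APP_ID):
        rest = a[len(SPO_APP_ID):].lstrip("/")
        return ("sharepoint", rest.split("@")[0] or None)  # bare GUID carries no host
    if a.startswith("https://") and a.endswith(".sharepoint.com"):
        return ("sharepoint", a[len("https://"):])
    return ("other", None)


def check_token_for_host(token, host):
    """Predict whether the host that finally serves the request accepts this audience."""
    service, aud_host = audience_target(jwt_claims(token).get("aud", ""))
    host = host.lower()
    # Assumption: any host other than graph.microsoft.com is a SharePoint backend.
    wanted = "graph" if host == "graph.microsoft.com" else "sharepoint"
    if service != wanted:
        return "audience-mismatch"  # e.g. Graph token presented to a SharePoint host
    if aud_host and aud_host != host:
        return "host-mismatch"      # e.g. sharepoint.com token on the -my.sharepoint.com host
    return "ok"


def make_sample_token(aud):
    """Build an unsigned, constructed token so the example runs offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"aud": aud}), "sig"])
```

Decoding without signature verification is for diagnosis only and must never stand in for token validation on the receiving side.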


  4. Stefano Padovan 20 Reputation points
    2025-11-26T14:41:46.96+00:00

    The Prefer trick is not making any difference.

    Using a SharePoint-scoped token does not allow me to use the contentStream API, since that is Graph based.

