OneDrive Connector Setup
Provide necessary API permissions to index OneDrive files.
The Microsoft connectors support:
We recommend creating separate App Registrations for each Microsoft source you plan to use. This follows the principle of least privilege and provides:
Choose the approach that best fits your organization’s security and scale requirements:
Create individual App Registrations for:
Each registration gets only the permissions needed for that specific source.
Use one App Registration for all sources. This requires the superset of all permissions and is not recommended for production environments due to security and rate limiting concerns.
Before configuring any Microsoft connector, ensure you have:
Microsoft Graph API requires certificate-based authentication. Choose one option:
# Generate private key and certificate
openssl req -x509 -newkey rsa:2048 -keyout atolio-key.pem -out atolio-cert.pem -days 365 -nodes
# Create PFX file (no password)
openssl pkcs12 -export -out atolio-cert.pfx -inkey atolio-key.pem -in atolio-cert.pem -passout pass:
# Create CER file for Azure upload
openssl x509 -outform der -in atolio-cert.pem -out atolio-cert.cer
# Get base64-encoded PFX for Atolio configuration
cat atolio-cert.pfx | base64
# Generate certificate
$cert = New-SelfSignedCertificate -Subject "CN=Atolio" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature
# Export CER file for Azure
Export-Certificate -Cert $cert -FilePath "atolio-cert.cer"
# Export PFX file for Atolio (replace 'password' with your preferred password)
Export-PfxCertificate -Cert $cert -FilePath "atolio-cert.pfx" -Password (ConvertTo-SecureString -String "password" -Force -AsPlainText)
# Get base64-encoded PFX
[Convert]::ToBase64String([IO.File]::ReadAllBytes("atolio-cert.pfx"))
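Before uploading the .cer to the App Registration and sending the base64 PFX to Atolio, it is worth confirming that both files carry the same certificate and that it is not close to expiry. The following is an added example, not Atolio's or Microsoft's code: it compares SHA-1 thumbprints (the value the Azure portal lists for an uploaded certificate) and checks the remaining validity. The function names, the PFX_PASS variable and the 30-day default are assumptions of this example; it needs a POSIX shell with openssl and works on the files produced by either option above.

```bash
# Added example: verify the certificate files before using them.
# Function names, PFX_PASS and the 30-day default are this example's choices.
# Usage: check_cert_pair atolio-cert.cer atolio-cert.pfx "" 30

# SHA-1 thumbprint (hex, no colons) of a DER-encoded .cer file.
cer_thumbprint() {
  openssl x509 -inform der -in "$1" -noout -fingerprint -sha1 2>/dev/null |
    cut -d= -f2 | tr -d ':'
}

# SHA-1 thumbprint of the certificate inside a .pfx; $2 is the PFX password
# (empty for the passwordless export). The password is passed through the
# environment so it does not appear in the process list.
pfx_thumbprint() {
  PFX_PASS="$2" openssl pkcs12 -in "$1" -nokeys -clcerts \
      -passin env:PFX_PASS 2>/dev/null |
    openssl x509 -noout -fingerprint -sha1 2>/dev/null |
    cut -d= -f2 | tr -d ':'
}

# check_cert_pair CER PFX [PASSWORD] [MIN_DAYS]
# 0: same certificate in both files, valid for at least MIN_DAYS (default 30)
# 1: unreadable file, wrong password, or thumbprints differ
# 2: certificate expires within MIN_DAYS
check_cert_pair() {
  cer=$1; pfx=$2; pass=${3-}; min_days=${4:-30}
  cer_tp=$(cer_thumbprint "$cer")
  pfx_tp=$(pfx_thumbprint "$pfx" "$pass")
  if [ -z "$cer_tp" ] || [ "$cer_tp" != "$pfx_tp" ]; then
    echo "MISMATCH cer=${cer_tp:-unreadable} pfx=${pfx_tp:-unreadable}" >&2
    return 1
  fi
  if ! openssl x509 -inform der -in "$cer" -noout \
        -checkend $((min_days * 86400)) >/dev/null 2>&1; then
    echo "EXPIRING thumbprint=$cer_tp (less than $min_days days left)" >&2
    return 2
  fi
  echo "OK thumbprint=$cer_tp"
}
```

The thumbprint printed on success can be compared by eye with the one shown for the certificate in the App Registration after upload.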
All Microsoft connectors require these foundational steps:
.cer file to the App Registration
Collect these values from Azure and provide them to your Atolio support contact:
ClientCert - Base64-encoded content of the .PFX file (from certificate generation step)
ClientCertPassword - Certificate’s private key password (if you set one)
TenantId - Directory (tenant) ID from the App Registration Overview page
ClientId - Application (client) ID from the App Registration Overview page
All Microsoft connectors support filtering to limit indexing scope using YAML configuration in your connector settings:
resources:
  user:
    included:
      - arthur.dent@example.com
  group:
    excluded:
      - contractors@example.com
Common filter types include:
For detailed filtering options, see the individual connector documentation pages.