OneDrive Connector Setup
Provide necessary API permissions to index OneDrive files.
Index OneDrive files by creating a dedicated App Registration with the appropriate permissions.
Setup Checklist
Before starting, ensure you have:
- Azure Global Administrator or Cloud Application Administrator role
- Microsoft 365 E1+ licensing for OneDrive content
- Certificate generated (see Certificate Generation Guide)
- Active Atolio deployment
Required API Permissions
Step 1: Create App Registration
- Navigate to Azure Portal > App Registrations
- Click “New registration”
- Enter name: Atolio OneDrive
- Select “Accounts in this organizational directory only”
- Click “Register”
Step 2: Add API Permissions
⚠️ Important: Only add Application permissions, not Delegated permissions
- In your App Registration, click “API permissions” in the left menu
- Click “Add a permission”
- Select “Microsoft Graph”
- Click “Application permissions” (not Delegated permissions)
Add these Microsoft Graph permissions:
Identity & Directory Permissions (Required for ACL mapping)
Application.Read.All
Group.Read.All
GroupMember.Read.All
User.Read.All
Directory.Read.All (optional - can omit with disable_full_permissions: true in configuration)
OneDrive Content Permissions
Files.Read.All
Step 3: Grant Admin Consent
- After adding all permissions, click “Grant admin consent for [your tenant name]” at the top of the API permissions page
- Confirm by clicking “Yes”
- Verify all permissions show “Granted for [your tenant name]” with green checkmarks
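The Step 2 and Step 3 requirements can also be checked as a least-privilege audit. The following is an added example, not Atolio or Microsoft code: the input row format (permission, type, admin_consent) and the sample rows are constructed for illustration and would have to be filled in from your own export of the API permissions page.

```python
# Added example (not Atolio code): least-privilege audit for the app registration.
# Input rows are a simplified, hand-made export; the field names are assumptions.
REQUIRED = {"Application.Read.All", "Group.Read.All", "GroupMember.Read.All",
            "User.Read.All", "Files.Read.All"}
OPTIONAL = "Directory.Read.All"  # can be omitted with disable_full_permissions: true


def audit_permissions(grants, disable_full_permissions=False):
    """Return (severity, message) findings; an empty list means the setup matches."""
    expected = set(REQUIRED)
    if not disable_full_permissions:
        expected.add(OPTIONAL)
    findings, granted = [], set()
    for g in grants:
        name, kind = g["permission"], g["type"]
        if kind != "Application":
            # Step 2 warning: only Application permissions are to be added.
            findings.append(("error", f"{name}: {kind} permission, Application required"))
            continue
        granted.add(name)
        if name not in expected:
            findings.append(("warn", f"{name}: not needed by this connector"))
        elif not g.get("admin_consent", False):
            # Step 3: every permission must show "Granted for [your tenant name]".
            findings.append(("error", f"{name}: admin consent not granted"))
    for name in sorted(expected - granted):
        findings.append(("error", f"{name}: missing Application permission"))
    return findings


# Constructed sample rows, not taken from a real tenant.
SAMPLE_GRANTS = [
    {"permission": "Application.Read.All", "type": "Application", "admin_consent": True},
    {"permission": "Group.Read.All", "type": "Application", "admin_consent": True},
    {"permission": "GroupMember.Read.All", "type": "Application", "admin_consent": False},
    {"permission": "User.Read.All", "type": "Delegated", "admin_consent": True},
    {"permission": "Directory.Read.All", "type": "Application", "admin_consent": True},
    {"permission": "Files.ReadWrite.All", "type": "Application", "admin_consent": True},
]

if __name__ == "__main__":
    for severity, message in audit_permissions(SAMPLE_GRANTS, disable_full_permissions=True):
        print(f"[{severity}] {message}")
```

Warnings mark permissions beyond what this page lists; errors correspond to the missing-consent, wrong-type and missing-permission rows in the Troubleshooting table.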
Step 4: Upload Certificate
- Click “Certificates & secrets” in the left menu
- Click “Upload certificate”
- Select your .cer file (not the .pfx file)
- Add description: Atolio OneDrive Authentication
- Click “Add”
Step 5: Collect Configuration Values
From the “Overview” page, copy:
- Application (client) ID
- Directory (tenant) ID
You’ll provide these along with your base64-encoded .pfx certificate to your Atolio support contact.
Resource Filtering
Limit indexing scope using resource filters. OneDrive supports multiple filter types:
User Filtering
Index OneDrive files for specific user accounts:
resources:
  user:
    included:
      - arthur.dent@example.com
      - ford.prefect@example.com
    excluded:
      - galactic-president@example.com
Group Filtering
Index OneDrive files accessible by Microsoft 365 groups:
resources:
  group:
    included:
      - engineering-group@example.com
    excluded:
      - contractors@example.com
Sample Configuration
Here’s a complete YAML configuration example for OneDrive:
connector: microsoft
source: onedrive
common:
  enabled: true
  identity-provider: false
  cron-spec: "10 */1 * * *"
secrets:
  client_cert:
    value: "<BASE64_ENCODED_PFX_CONTENT>"
  client_cert_password:
    value: "<CERTIFICATE_PASSWORD>" # Optional if no password set
configuration:
  client-id: "<APPLICATION_CLIENT_ID>"
  tenant-id: "<DIRECTORY_TENANT_ID>"
  disable_full_permissions: false
  resources:
    user:
      included:
        - john.doe@contoso.com
        - jane.smith@contoso.com
    group:
      excluded:
        - contractors@contoso.com
Troubleshooting
Error | Cause | Solution |
---|---|---|
401 Unauthorized | Missing admin consent | Click “Grant admin consent” in API permissions |
403 Forbidden | Wrong permission type | Ensure you added Application permissions, not Delegated |
invalid_client | Certificate not found/expired | Verify certificate is uploaded and valid |
OneDrive files not appearing | Missing Files.Read.All permission | Add permission and re-grant admin consent |
User drives missing | User not in included list | Check user filtering configuration |