OneDrive Connector Setup

Provide necessary API permissions to index OneDrive files.

Index OneDrive files by creating a dedicated App Registration with the appropriate permissions.

Setup Checklist

Before starting, ensure you have:

Azure Global Administrator or Cloud Application Administrator role
Microsoft 365 E1+ licensing for OneDrive content
Certificate generated (see Certificate Generation Guide)
Active Atolio deployment

Required API Permissions

Step 1: Create App Registration

Navigate to Azure Portal > App Registrations
Click “New registration”
Enter name: Atolio OneDrive
Select “Accounts in this organizational directory only”
Click “Register”

Step 2: Add API Permissions

⚠️ Important: Only add Application permissions, not Delegated permissions

In your App Registration, click “API permissions” in the left menu
Click “Add a permission”
Select “Microsoft Graph”
Click “Application permissions” (not Delegated permissions)

Add these Microsoft Graph permissions:

Identity & Directory Permissions (Required for ACL mapping)

Application.Read.All
Group.Read.All
GroupMember.Read.All
User.Read.All
Directory.Read.All (optional - can omit with disable_full_permissions: true in configuration)

OneDrive Content Permissions

Files.Read.All

After adding all permissions, click “Grant admin consent for [your tenant name]” at the top of the API permissions page
Confirm by clicking “Yes”
Verify all permissions show “Granted for [your tenant name]” with green checkmarks

Step 4: Upload Certificate

Click “Certificates & secrets” in the left menu
Click “Upload certificate”
Select your .cer file (not the .pfx file)
Add description: Atolio OneDrive Authentication
Click “Add”

Step 5: Collect Configuration Values

From the “Overview” page, copy:

Application (client) ID
Directory (tenant) ID

You’ll provide these along with your base64-encoded .pfx certificate to your Atolio support contact.

Resource Filtering

Limit indexing scope using resource filters. OneDrive supports multiple filter types:

User Filtering

Index OneDrive files for specific user accounts:

resources:
  user:
    included:
      - arthur.dent@example.com
      - ford.prefect@example.com
    excluded:
      - galactic-president@example.com

Group Filtering

Index OneDrive files accessible by Microsoft 365 groups:

resources:
  group:
    included:
      - engineering-group@example.com
    excluded:
      - contractors@example.com

Sample Configuration

Here’s a complete YAML configuration example for OneDrive:

connector: microsoft
source: onedrive
common:
  enabled: true
  identity-provider: false
  cron-spec: "10 */1 * * *"
secrets:
  client_cert:
    value: "<BASE64_ENCODED_PFX_CONTENT>"
  client_cert_password:
    value: "<CERTIFICATE_PASSWORD>"  # Optional if no password set
configuration:
  client-id: "<APPLICATION_CLIENT_ID>"
  tenant-id: "<DIRECTORY_TENANT_ID>"
  disable_full_permissions: false
  resources:
    user:
      included:
        - john.doe@contoso.com
        - jane.smith@contoso.com
    group:
      excluded:
        - contractors@contoso.com

Troubleshooting

Error	Cause	Solution
`401 Unauthorized`	Missing admin consent	Click “Grant admin consent” in API permissions
`403 Forbidden`	Wrong permission type	Ensure you added Application permissions, not Delegated
`invalid_client`	Certificate not found/expired	Verify certificate is uploaded and valid
OneDrive files not appearing	Missing `Files.Read.All` permission	Add permission and re-grant admin consent
User drives missing	User not in included list	Check user filtering configuration