OneDrive Connector Setup

Provide necessary API permissions to index OneDrive files.

Index OneDrive files by creating a dedicated App Registration with the appropriate permissions.

Setup Checklist

Before starting, ensure you have:

  • Azure Global Administrator or Cloud Application Administrator role
  • Microsoft 365 E1+ licensing for OneDrive content
  • Certificate generated (see Certificate Generation Guide)
  • Active Atolio deployment

Required API Permissions

Step 1: Create App Registration

  1. Navigate to Azure Portal > App Registrations
  2. Click “New registration”
  3. Enter name: Atolio OneDrive
  4. Select “Accounts in this organizational directory only”
  5. Click “Register”

Step 2: Add API Permissions

⚠️ Important: Only add Application permissions, not Delegated permissions

  1. In your App Registration, click “API permissions” in the left menu
  2. Click “Add a permission”
  3. Select “Microsoft Graph”
  4. Click “Application permissions” (not Delegated permissions)

Add these Microsoft Graph permissions:

Identity & Directory Permissions (Required for ACL mapping)

  • Application.Read.All
  • Group.Read.All
  • GroupMember.Read.All
  • User.Read.All
  • Directory.Read.All (optional - can omit with disable_full_permissions: true in configuration)

OneDrive Content Permissions

  • Files.Read.All

Step 3: Grant Admin Consent

  1. After adding all permissions, click “Grant admin consent for [your tenant name]” at the top of the API permissions page
  2. Confirm by clicking “Yes”
  3. Verify all permissions show “Granted for [your tenant name]” with green checkmarks

Step 4: Upload Certificate

  1. Click “Certificates & secrets” in the left menu
  2. Click “Upload certificate”
  3. Select your .cer file (not the .pfx file)
  4. Add description: Atolio OneDrive Authentication
  5. Click “Add”

Step 5: Collect Configuration Values

From the “Overview” page, copy:

  • Application (client) ID
  • Directory (tenant) ID

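You’ll provide these along with your base64-encoded .pfx certificate to your Atolio support contact. Unlike the .cer file uploaded in Step 4, the .pfx contains the private key, so share it and its password only over a secure channel.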

Resource Filtering

Limit indexing scope using resource filters. OneDrive supports multiple filter types:

User Filtering

Index OneDrive files for specific user accounts:

resources:
  user:
    included:
      - arthur.dent@example.com
      - ford.prefect@example.com
    excluded:
      - galactic-president@example.com

Group Filtering

Index OneDrive files accessible by Microsoft 365 groups:

resources:
  group:
    included:
      - engineering-group@example.com
    excluded:
      - contractors@example.com

Sample Configuration

Here’s a complete YAML configuration example for OneDrive:

connector: microsoft
source: onedrive
common:
  enabled: true
  identity-provider: false
  cron-spec: "10 */1 * * *"
secrets:
  client_cert:
    value: "<BASE64_ENCODED_PFX_CONTENT>"
  client_cert_password:
    value: "<CERTIFICATE_PASSWORD>"  # Optional if no password set
configuration:
  client-id: "<APPLICATION_CLIENT_ID>"
  tenant-id: "<DIRECTORY_TENANT_ID>"
  disable_full_permissions: false
  resources:
    user:
      included:
        - john.doe@contoso.com
        - jane.smith@contoso.com
    group:
      excluded:
        - contractors@contoso.com

Troubleshooting

| Error | Cause | Solution |
|---|---|---|
| 401 Unauthorized | Missing admin consent | Click “Grant admin consent” in API permissions |
| 403 Forbidden | Wrong permission type | Ensure you added Application permissions, not Delegated |
| invalid_client | Certificate not found/expired | Verify certificate is uploaded and valid |
| OneDrive files not appearing | Missing Files.Read.All permission | Add permission and re-grant admin consent |
| User drives missing | User not in included list | Check user filtering configuration |
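
To tell the permission-related rows apart, inspect an access token issued to the app: an app-only Microsoft Graph token lists consented Application permissions in its `roles` claim, while a delegated token carries `scp` instead. The script below is an added example, not Atolio's code. It assumes you already obtained a token for the app registration by other means, and the function names and placeholder IDs are hypothetical.

```python
import base64
import json

# Application permissions listed in Step 2 of this page.
REQUIRED = {"Application.Read.All", "Group.Read.All", "GroupMember.Read.All",
            "User.Read.All", "Files.Read.All"}
OPTIONAL_WHEN_DISABLED = "Directory.Read.All"  # omit only with disable_full_permissions: true


def jwt_claims(token):
    """Decode the JWT payload for diagnostics only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_token(token, tenant_id, client_id, disable_full_permissions=False):
    """Return a list of findings; an empty list means the token matches this page."""
    claims = jwt_claims(token)
    findings = []
    if "scp" in claims:  # delegated tokens carry scopes in "scp", not "roles"
        findings.append("delegated token (scp claim present); add Application permissions")
    required = set(REQUIRED)
    if not disable_full_permissions:
        required.add(OPTIONAL_WHEN_DISABLED)
    missing = required - set(claims.get("roles", []))
    if missing:
        findings.append("missing or unconsented: " + ", ".join(sorted(missing)))
    if claims.get("tid") != tenant_id:
        findings.append("tid does not match configured tenant-id")
    if client_id not in (claims.get("appid"), claims.get("azp")):
        findings.append("token was not issued to the configured client-id")
    return findings


def make_sample_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"


if __name__ == "__main__":
    # Constructed sample: only two of the required roles were consented.
    sample = make_sample_token({"tid": "tenant-placeholder", "appid": "client-placeholder",
                                "roles": ["Files.Read.All", "User.Read.All"]})
    for finding in audit_token(sample, "tenant-placeholder", "client-placeholder"):
        print(finding)
```

Treat any real token as a credential: run the check locally and do not paste tokens into online decoders.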