Managing Microsoft OneDrive access and permissions

OneDrive integration allows you to trigger background workflows, automated tasks, and backend processes directly from within your connected platform. This page outlines key access considerations, including which user roles are permitted to link the OneDrive account, how permissions are handled within the integration, and what scopes or access tokens are required to securely execute file-related actions across your OneDrive environments.

Credentials and Setup

To configure the integration with OneDrive, you will need the following:

A registered Azure AD application
Client ID and Client Secret or certificate credentials
The Azure tenant ID
Consent to the appropriate Microsoft Graph API scopes
(Optional) Specific folder IDs or SharePoint site identifiers if workflows are scoped to particular locations

The integration uses OAuth 2.0 with token-based authentication. The base API endpoint for all file operations is: https://graph.microsoft.com/v1.0/

Tokens are usually generated using app-only permissions, which operate on behalf of the organization rather than an individual user. This allows workflows to work across shared drives, user OneDrive locations, and SharePoint document libraries. In setups that require per-user actions, delegated tokens can be used instead.

All credentials are encrypted and stored securely per tenant. Only users with administrative access can view or update these credentials. Each environment stores its own set of credentials, allowing proper permission scoping and isolation.

Required Permissions

The application must be granted specific Microsoft Graph scopes in Azure AD when the integration is enabled. These include:

Files.ReadWrite.All to read and manage files across OneDrive and SharePoint libraries
Sites.Read.All to retrieve data and structure from SharePoint sites
User.Read for accessing basic user profile information when using delegated access
Directory.Read.All (optional) for workflows that require group or organizational metadata

These permissions generally require admin consent. They should be reviewed periodically to comply with the principle of least privilege.

What the Integration Can Do

Once the OneDrive integration is connected, it can support the following actions inside your workflows:

Upload files to specific folders
Download documents for processing, archiving, or analysis
Rename, create, or move items within directory structures
Access file metadata such as names, sizes, and timestamps
Modify sharing permissions (if properly scoped)
Route output from other systems into team folders

All of these actions are managed behind the scenes through the Microsoft Graph API. They are designed to support automated business processes such as archiving, report generation, content routing, and audit flows.

Platform users interact with these actions through predefined workflows. They do not need to see or manage the underlying OneDrive or Microsoft 365 structure.