OneDrive Connector
Documentation
Version: 9
Documentation
Home » API Integration Hub » OneDrive Connector » Authentication - Application Credentials

Authentication Application Credentials

Description

Application-only access is broader and more powerful than delegated access (User Credentials), so you should only use app-only access where needed. Use it when: 1. The application needs to run in an automated way, without user input (for example, a daily script that checks emails from certain contacts and sends automated responses). 2. The application needs to access resources belonging to multiple different users (for example, a backup or data loss prevention app might need to retrieve messages from many different chat channels, each with different participants). 3. You find yourself tempted to store credentials locally and allow the app to sign in 'as' the user or admin. [API reference]

Instructions

Follow these simple steps below to create Microsoft Entra ID application with application access permissions. Using following steps, you can grant very granular app permissions to access Full site(s), List(s), List Item(s) and File(s). Choose permission based on your need.

Create OAuth app

  1. Navigate to the Azure Portal and log in using your credentials.
  2. Access Microsoft Entra ID.
  3. Register a new application by going to App registrations and clicking on New registration button: Start new app registration in Microsoft Entra ID
    INFO: Find more information on how to register an application in Graph API reference.
  4. When configuration window opens, configure these fields:
    • Supported account type
      • e.g. select Accounts in this organizational directory only if you need access to data in your organization only.
    • Redirect URI:
      • Set the type to Public client/native (mobile & desktop).
      • Leave the URL field empty.
    Register app in Microsoft Entra ID
  5. After registering the app, copy the Application (client) ID for later: Copy client ID of Microsoft Entra ID app
  6. Then copy OAuth authorization endpoint (v2) & OAuth token endpoint (v2) URLs: Copy Auth and Token URLs in Microsoft Entra ID app
  7. Continue and create Client secret: Add Client secret for Microsoft Entra ID app
  8. Then copy the Client secret for later steps: Copy Client secret
  9. Continue by adding permissions for the app by going to the API permissions section, and clicking on Add a permission: Start adding permissions to Microsoft Entra ID app
  10. Select Microsoft Graph: Select Graph API permissions for Microsoft Entra ID app
  11. Then choose Application permissions option: Select app permissions for Microsoft Entra ID app
  12. Continue by adding these Files (OneDrive) permissions (Just search for "Site" and then select desired permissions): Select OneDrive scopes
  13. Move on by addding these Sites (SharePoint) permissions (You can search for "Site" and then select desired permissions): Select SharePoint Online application scopes
  14. Finish by clicking Add permissions button: Add permissions to Microsoft Entra ID app
  15. Now it's time to Grant admin consent for your application: Grant admin consent for Microsoft Entra ID app
  16. Confirm all the permissions are granted: Admin consent granted successfully in Entra ID
  17. Now go to SSIS package or ODBC data source and use the copied values in Application Credentials authentication configuration:
    • In the Token URL field paste the OAuth token endpoint (v2) URL value you copied in the previous step.
    • In the Client ID field paste the Application (client) ID value you copied in the previous step.
    • In the Client Secret field paste the Client secret value you copied in the previous step.
    • Optional step. Choose Default Site Id from the drop down menu.
  18. Click Test Connection to confirm the connection is working.
  19. Done! Let's move on to the next step.

Step-2 (Method#1 - New Approach): Grant permission to app using permission API (UI is not available yet)

In year 2024 microsoft launched 

*.Selected
permission scopes and new APIs to grant granular permissions to the resource for app access scenario. Unfortunatly, there is no User interface available yet to control this access so you have to call Admin API or use PowerShell script to control this. [Click here to learn more]. Follow these simple steps to configure permissions for app we created earlier (steps assume you are the owner of the resource and like to grant some permissions e.g. read, write, full, owner):

  1. Open PowerShell (Run as Admin user)
  2. Install Graph API module by running this command 
    Import-Module Microsoft.Graph.Sites
  3. Now you can call following PowerShell code to set "read" and "write" permission for the app we created earlier (assuming app id is 89ea5c94-7736-4e25-95ad-3fa95f62b66e). 
    
#More info https://learn.microsoft.com/en-us/graph/permissions-selected-overview?tabs=powershell

#Step-1: Install module if not found
#Install-Module Microsoft.Graph.Sites

#Step-2: set permission for app 89xxx6e and site zappysys.xx.efcdd21xxxxe2
Import-Module Microsoft.Graph.Sites

#Step-3: Login
Connect-MgGraph

#Step-4: Set Parameters for API Call (set Permissions, SiteId and AppId - Replace under #TODO)

You can find SiteId by visiting this URL in browser (assuming you visted SharePoint site and already logged in) https://{your-company}.sharepoint.com/_api/site --OR-- for sub-site use https://{your-company}.sharepoint.com/sites/{your-site}/_api/site. Find  Id from the response (e.g. <Id m:type="Edm.Guid">)
$siteId="yourcompany.sharepoint.com,efcddxxxxxxx104d8b5e3,8c9c6xxxxxxxx84e2"
#--OR-- simple id
#$siteId="efcddxxxxxxx104d8b5e3"


$params = @{
	roles = @(
        #possible options are read, write, fullcontrol, owner (write includes read too)
		#TODO: Change here
		"write"
	)
	grantedTo = @{
		application = @{
            #find this Client Id (Application Id) from the Azure Portal - Application page (https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade)
			#TODO: Change here
			id = "c3e9xxxxxx-xxxxx-xxxxx-xxxx-xxxxxb30c1"
		}
	}
}

#Step-5: Grant Permission
New-MgSitePermission -SiteId $siteId -BodyParameter $params

Parameters

Parameter Label Required Default value Options Description
TokenUrl Token URL YES
Name Value
For Single Tenant https://login.microsoftonline.com/{ENTER-TENANT-ID-HERE}/oauth2/v2.0/token
For Multi Tenant https://login.microsoftonline.com/common/oauth2/v2.0/token
ClientId Client ID YES
ClientSecret Client Secret YES
GroupOrUserId Default Group or User Id (additional Scopes needed to list - If fails enter manually) YES
Name Value
My self (Not Valid for Application Credentials)
For any group /groups/ENTER-GROUP-EMAIL-OR-ID
For any user /users/ENTER-USER-EMAIL-OR-ID
To list all users and groups from your organizations you need additional scopes. See connection UI - Choose User.Read.All and Group.Read.All Scopes and regenerate token. You can manually type value too if you know Group or User Id. Format is /users/{id} OR /groups/{id}
DriveId Default Drive Id YES
Scope Scope https://graph.microsoft.com/.default Permissions you want to use.
RetryMode RetryMode RetryWhenStatusCodeMatch
Name Value
None None
RetryAny RetryAny
RetryWhenStatusCodeMatch RetryWhenStatusCodeMatch
RetryStatusCodeList RetryStatusCodeList 429|503|423 429 is API limit reached, 423 is File locked
RetryCountMax RetryCountMax 5
RetryMultiplyWaitTime RetryMultiplyWaitTime True
SearchOptionForNonIndexedFields Search Option For Non-Indexed Fields (Default=Blank - Search Only Indexed)
Name Value
Search Only Indexed
Search Both Indexed and Non-Indexed HonorNonIndexedQueriesWarningMayFailRandomly
If you wish to do certain operations e.g. search / order by on non-indexed fields then you have to set this option to HonorNonIndexedQueriesWarningMayFailRandomly. By default filter / orderby on non-indexed fields not allowed.
ExtraHeaders Extra Headers (e.g. Header1:AAA||Header2:BBB)
Name Value
MyHeader1:AAA MyHeader1:AAA
MyHeader1:AAA||MyHeader2:BBB MyHeader1:AAA||MyHeader2:BBB
IsAppCred IsAppCred 1 For internal use only