With the Microsoft® OneDrive® connector, you can use commands in a chain to manage files and folders in Microsoft OneDrive or SharePoint®. For example, with this connector, you can:
- Copy, delete, and search for files and folders
- Download and upload files
- List available drives
Note: This connector is built by Workiva and connects to a third-party system. While our Support team can help configure this connector within your workspace, we are unable to troubleshoot or otherwise assist with any issues that originate outside of the Workiva platform.
Prerequisites
To enable the connection, the connector uses the Microsoft Graph API. To secure the connection, the connector uses OAuth authentication via a designated application registered with the Microsoft application registration portal or Azure® Active Directory®.
To set up the connector, you'll need:
- An application registered with the Microsoft application registration portal or Azure Active Directory. Record your application ID
- The Azure application's OAuth client ID and secret
- The Azure application's scopes, appropriate for the commands the connector will perform
- The type and ID of the drive to connect to.
Note: You can use Microsoft's Graph Explorer (external link) to retrieve these from SharePoint.
- The project's redirect URI:
Example setup of Microsoft Azure for OneDrive
Registering an Application
- Log in to your Microsoft Azure Portal:
https://azure.microsoft.com/en-us/account/
- Navigate into your Azure Active Directory services
- Navigate to App Registrations under Manage and click on New Registration
- Provide a desired Application Name and then press Register
Configure Application Authentication
- Log in to your Microsoft Azure Portal:
https://azure.microsoft.com/en-us/account/
- Navigate into your Azure Active Directory services
- Navigate to App Registrations under Manage
- Navigate to Authentication under the updated Manage panel
- Under "Supported account types," choose Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant).
- Under Add a Platform, select Web
- Under Redirect URI, enter the valid callback URL from above
- Make sure to check the box for MultiTenant under Supported Account Types
Note: As the OneDrive Connector requires the MultiTenant option to be enabled, it is up to the Azure Administrators to ensure applications are correctly configured for security compliance. This option, when correctly used with Azure security, does not open up the application to everyone. Below are suggestions on additional steps that can be taken.
- Review the documentation from Microsoft related to MultiTenant setup.
https://docs.microsoft.com/en-us/azure/active-directory/develop/single-and-multi-tenant-apps#best-practices-for-multi-tenant-apps
- Enable security on the individual application.
https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users#update-the-app-to-require-user-assignment
- Assign/allow users access to the application.
https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users#assign-the-app-to-users-and-groups
Setting up Certificates and Secrets
- Log in to your Microsoft Azure Portal:
https://azure.microsoft.com/en-us/account/
- Navigate into your Azure Active Directory services
- Navigate to App Registrations under Manage
- Navigate to Certificates under the updated Manage panel
- Click New Client Secret in the center panel
- After you provide a brief Description and Expiry date, a Client Secret will be displayed. Store it for safekeeping; you will need to enter it into the Microsoft OneDrive connector.
Setting up API Permissions
- Log in to your Microsoft Azure Portal:
https://azure.microsoft.com/en-us/account/
- Navigate into your Azure Active Directory services
- Navigate to App Registrations under Manage
- Navigate to API Permissions under the updated Manage panel
- Click on Add a Permission in the center panel
- Choose Microsoft Graph under Microsoft APIs
- Choose Delegate Permissions as the Request Type
- From the list of permissions you will need:
User.Read, Everything under FILES and OpenId.offline_access
- Click Grant Admin Consent.
Define the level of access required by the connector. The following scopes are supported by the Microsoft OneDrive connector:
- Files.ReadWrite.Selected
- Files.ReadWrite.AppFolder
- Files.ReadWrite.All
- Files.ReadWrite
- Files.Read.Selected
- Files.Read.All
- Files.Read
- offline_access
The offline_access scope is required at minimum.
Enabling Security
- Log in to your Microsoft Azure Portal:
https://azure.microsoft.com/en-us/account/
- Navigate into your Azure Active Directory services
- Click on Enterprise Applications under Manage
- Select your application from the list to start the edit process. If your application is not listed by default, click on All Applications under Manage.
- Click on Properties under Manage
- On the Properties screen, set the following properties to allow use of the API access created above:
  - Enabled for users to sign-in? = Yes
  - User assignment required? = Yes
  - (Optional) Visible to users? = No
- Next, click on Users and Groups under Manage
- Through standard Azure AD processes, add your users as necessary. This is the list of users that are allowed to use OneDrive and have a proper Microsoft OneDrive license.
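Added example (not part of the original guide or of any Workiva or Microsoft code): a small audit of the settings configured above, covering the multi-tenant option together with "User assignment required", the connector's scopes, and the client secret's expiry date. It assumes the inputs are dictionaries shaped like the Microsoft Graph application and servicePrincipal resources; the function name, the 30-day warning window, and all sample values are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Scopes this page lists as supported by the connector.
SUPPORTED_SCOPES = {
    "Files.ReadWrite.Selected", "Files.ReadWrite.AppFolder", "Files.ReadWrite.All",
    "Files.ReadWrite", "Files.Read.Selected", "Files.Read.All", "Files.Read",
    "offline_access",
}

def audit_connector_app(application, service_principal, scopes, now, warn_days=30):
    """Return a list of findings for the app registration behind the connector."""
    findings = []
    requested = set(scopes.split())
    if "offline_access" not in requested:
        findings.append("scope: offline_access is missing (required at minimum)")
    for s in sorted(requested - SUPPORTED_SCOPES):
        findings.append(f"scope: {s} is not supported by the connector")
    for s in sorted(x for x in requested & SUPPORTED_SCOPES if x.endswith(".All")):
        findings.append(f"scope: {s} covers every file the user can access; "
                        "confirm the chain's commands need it")
    # Multi-tenant sign-in is required by the connector, so access has to be
    # restricted through 'User assignment required' on the enterprise application.
    multi_tenant = application.get("signInAudience") == "AzureADMultipleOrgs"
    if multi_tenant and not service_principal.get("appRoleAssignmentRequired"):
        findings.append("access: multi-tenant app without 'User assignment required'")
    if not service_principal.get("accountEnabled", False):
        findings.append("access: 'Enabled for users to sign-in' is off")
    for cred in application.get("passwordCredentials", []):
        end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
        name = cred.get("displayName", "<unnamed>")
        if end <= now:
            findings.append(f"secret: '{name}' has expired")
        elif end - now <= timedelta(days=warn_days):
            findings.append(f"secret: '{name}' expires within {warn_days} days")
    return findings

# Constructed sample data, not taken from a real tenant.
SAMPLE_APP = {
    "signInAudience": "AzureADMultipleOrgs",
    "passwordCredentials": [
        {"displayName": "connector-secret", "endDateTime": "2025-01-10T00:00:00Z"}],
}
SAMPLE_SP = {"accountEnabled": True, "appRoleAssignmentRequired": False}
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for finding in audit_connector_app(
            SAMPLE_APP, SAMPLE_SP, "Files.Read Sites.Read.All", SAMPLE_NOW):
        print(finding)
```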
Set up the Microsoft OneDrive connector
Note: To make the connector available for use in your organization's chains, an org security administrator first enables it from Configuration.
- From Chain Builder, click Connections, and then Create at the top right.
- Under Connector Connection, select Microsoft OneDrive and the default CloudRunner.
- Under Basic Info, enter a unique name and description to help identify the connector.
- Under OAuth, enter the OAuth client ID and secret for the connector's Azure application.
- To determine the connector's level of access, enter the Azure application's authentication scope.
  - At minimum, the offline_access scope is required.
- To authorize the connection and OAuth credentials, click Connect.
- Under Properties, enter the connection's details:
| Property | Details |
| --- | --- |
| Drive type | Select the type of drive to connect to, such as Drive, Group, User, or Site. To connect to your own user drive, select Current User (Me). |
| Drive type ID | Enter the ID of the drive to connect to, based on Drive type. For example, if Drive type is User, enter the user ID; if Site, the site ID. Note: You can use Microsoft's Graph Explorer (external link) to retrieve these from SharePoint. |
- Select the environments to use with the connection, and click Save.
- To test the connection, create and run a chain with the connector's Download File command, and verify it returns a valid output.
Troubleshooting
If the connection to Microsoft OneDrive or SharePoint fails:
- Verify the OAuth credentials of the connector's Azure application.
- Check the drive type and ID entered for the connector. You can use Microsoft's Graph Explorer (external link) to retrieve these from SharePoint.
- Verify the project's redirect URI: