OneDrive Setup Guide

Connect D3PA to Microsoft OneDrive for file access.


Overview

This guide covers:

  1. Creating an Azure AD app registration
  2. Configuring permissions for OneDrive
  3. Setting up authentication
  4. Testing the connection

Time needed: 20-30 minutes


Prerequisites

You'll need:

  • A Microsoft 365 account (university or work account)
  • Access to Azure Portal (usually via your organization)
  • Admin consent may be required for some permissions

Step 1: Create App Registration

1.1 Go to Azure Portal

  1. Open portal.azure.com
  2. Sign in with your Microsoft 365 account
  3. Search for App registrations and click it

1.2 Create New Registration

  1. Click New registration
  2. Fill in details:
    • Name: D3PA OneDrive
    • Supported account types: "Accounts in this organizational directory only"
    • Redirect URI: Select "Web" and enter http://localhost:8000/callback
  3. Click Register

1.3 Note Your IDs

After creation, you'll see:

  • Application (client) ID: Copy this
  • Directory (tenant) ID: Copy this

Step 2: Create Client Secret

2.1 Generate Secret

  1. Go to Certificates & secrets
  2. Click New client secret
  3. Enter description: D3PA secret
  4. Choose expiration (recommended: 12 months)
  5. Click Add

2.2 Copy Secret Value

Important: Copy the Value immediately - it won't be shown again!


Step 3: Configure API Permissions

3.1 Add Permissions

  1. Go to API permissions
  2. Click Add a permission
  3. Select Microsoft Graph
  4. Choose Delegated permissions
  5. Add these permissions:
| Permission | Purpose |
| --- | --- |
| Files.Read | Read user's files |
| Files.Read.All | Read all files user can access |
| User.Read | Read user profile |

Optional permissions:

| Permission | Purpose |
| --- | --- |
| Files.ReadWrite | Read and write files |
| Sites.Read.All | Read SharePoint sites |

3.2 Grant Admin Consent

If you see a warning about admin consent:

  1. Click Grant admin consent for [Your Organization]
  2. Click Yes to confirm

If you don't have admin rights, ask your IT administrator.


Step 4: Save Configuration

Add to your .env file:

MICROSOFT_CLIENT_ID=your-application-id
MICROSOFT_CLIENT_SECRET=your-secret-value
MICROSOFT_TENANT_ID=your-tenant-id

Step 5: First-Time Authentication

The first time you use OneDrive tools, you'll need to authenticate.

5.1 Run the Auth Script

python -c "from src.integrations.onedrive_client import OneDriveClient; OneDriveClient().authenticate()"

5.2 Browser Authentication

  1. A browser window will open
  2. Sign in with your Microsoft account
  3. Approve the permissions
  4. You'll be redirected to localhost
  5. The token will be saved automatically

Step 6: Test the Connection

6.1 List Files

from src.integrations.onedrive_client import OneDriveClient

client = OneDriveClient()
files = client.list_files()
print(files)

6.2 Test via Slack

Send a message to your bot:

  • "List my OneDrive files"
  • "Search for budget.xlsx in OneDrive"

Troubleshooting

"AADSTS50011: Reply URL does not match"

The redirect URI doesn't match:

  1. Go to App registrations → Your app → Authentication
  2. Add or update the redirect URI to match your callback URL
  3. Save changes

"AADSTS65001: User hasn't consented"

Admin consent is needed:

  1. Ask your IT admin to grant consent
  2. Or go to API permissions → Grant admin consent

"InvalidAuthenticationToken"

Token expired or invalid:

  1. Delete the cached token: rm ~/.d3pa_token.json
  2. Run authentication again
  3. Check that your client secret hasn't expired

"Access denied" when accessing files

  1. Check you have the right permissions configured
  2. Make sure admin consent was granted
  3. Verify the file/folder isn't restricted

Advanced: Application Permissions

For server-side access without user login:

Change Permission Type

  1. Go to API permissions
  2. Add permissions as Application permissions instead of Delegated
  3. Grant admin consent

Application Permissions Needed

| Permission | Purpose |
| --- | --- |
| Files.Read.All | Read all files in the organization |
| Sites.Read.All | Read all SharePoint sites |

Authenticate with Client Credentials

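from msal import ConfidentialClientApplication

# `settings` is the project's configuration object holding the Step 4 values.
app = ConfidentialClientApplication(
    client_id=settings.microsoft_client_id,
    client_credential=settings.microsoft_client_secret,
    authority=f"https://login.microsoftonline.com/{settings.microsoft_tenant_id}",
)

# .default requests the application permissions already granted to the app.
result = app.acquire_token_for_client(scopes=["https://graph.microsoft.com/.default"])
if "access_token" not in result:
    # MSAL returns an error dict instead of raising when the request fails.
    raise RuntimeError(f"{result.get('error')}: {result.get('error_description')}")
token = result["access_token"]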
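To confirm that a token carries no more than the permissions listed in Step 3 (delegated) or in the table above (application), the following added example, which is not part of D3PA, decodes a token's claims and compares them with the expected set. It assumes the access token is a JWT with `scp` (delegated) or `roles` (application) claims; `APP_EXPECTED`, `audit_grant` and `sample_token` are hypothetical names, and the sample tokens are constructed.

```python
import base64
import json

# Delegated scopes listed as required in Step 3 of this guide.
EXPECTED_SCOPES = {"Files.Read", "Files.Read.All", "User.Read"}
# Application permissions listed in the Advanced section.
APP_EXPECTED = {"Files.Read.All", "Sites.Read.All"}
# OpenID Connect scopes that sign-in libraries commonly add on their own.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}

def jwt_claims(token):
    """Decode a JWT payload for inspection. Does NOT verify the signature."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_grant(claims, expected=EXPECTED_SCOPES):
    """Compare what a token carries against the permissions the guide lists."""
    scopes = set(claims.get("scp", "").split())  # delegated: space-separated
    roles = set(claims.get("roles", []))         # app-only: list of roles
    granted = (scopes - OIDC_SCOPES) | roles
    return {
        "app_only": bool(roles) and not scopes,
        "excess": sorted(granted - expected),
        "missing": sorted(expected - granted),
        "write_access": sorted(p for p in granted if "Write" in p),
    }

def sample_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed-signature"

if __name__ == "__main__":
    delegated = sample_token({"scp": "Files.Read Files.ReadWrite User.Read openid"})
    app_only = sample_token({"roles": ["Files.Read.All", "Sites.Read.All"]})
    print("delegated", audit_grant(jwt_claims(delegated)))
    print("app-only ", audit_grant(jwt_claims(app_only), APP_EXPECTED))
```

With MSAL, pass `result["access_token"]` to `jwt_claims`. App-only tokens have no signed-in user, so the `/me/...` paths in the API Reference apply to delegated tokens only.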

API Reference

List Files

GET /me/drive/root/children

Search Files

GET /me/drive/root/search(q='{query}')

Read File Content

GET /me/drive/items/{item-id}/content

Get File Metadata

GET /me/drive/items/{item-id}

OneDrive Tools Available

After setup, these tools are available:

| Tool | Description |
| --- | --- |
| search_onedrive | Search files by name or content |
| list_onedrive_folder | List files in a folder |
| read_onedrive_file | Read file contents |

Security Notes

  1. Never commit secrets - Keep .env out of git
  2. Rotate secrets - Update client secret before expiration
  3. Minimal permissions - Only request what you need
  4. Token storage - Tokens are stored locally, keep them secure
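One way to check notes 1 and 4 on a POSIX workstation, as an added example that is not part of D3PA: it flags a token cache or `.env` file that is accessible beyond its owner and checks that `.gitignore` covers `.env`. The token path is the one named under Troubleshooting; the `.env` location and the function names are assumptions, and the `.gitignore` check is an approximation that only handles basename patterns.

```python
import os
import stat
from fnmatch import fnmatch
from pathlib import Path

# Token cache path is the one named under Troubleshooting; ".env" in the
# current directory is an assumption about where the project keeps it.
SECRET_FILES = [Path.home() / ".d3pa_token.json", Path(".env")]

def audit_secret_file(path):
    """Return a list of findings for a file holding a token or client secret."""
    if not os.path.lexists(path):
        return []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return [f"{path}: is a symlink, check where it points before trusting it"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:  # any group/other read, write or execute bit
        findings.append(f"{path}: mode {mode:04o} grants access beyond the owner")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        findings.append(f"{path}: owned by uid {st.st_uid}, not the current user")
    return findings

def harden(path):
    """Restrict the file to owner read/write (0600)."""
    os.chmod(path, 0o600)

def gitignore_covers_env(gitignore_text, name=".env"):
    """Approximate check (basename patterns only) that `name` is ignored."""
    covered = False
    for line in gitignore_text.splitlines():
        pat = line.strip()
        if not pat or pat.startswith("#"):
            continue
        if fnmatch(name, pat.lstrip("!").strip("/")):
            covered = not pat.startswith("!")  # later rules override earlier
    return covered

if __name__ == "__main__":
    for f in SECRET_FILES:
        for finding in audit_secret_file(f):
            print(finding)
    gi = Path(".gitignore")
    if not (gi.exists() and gitignore_covers_env(gi.read_text())):
        print(".env is not covered by .gitignore")
```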

Next Steps

With OneDrive connected:

  1. Try the file tools: "Search for meeting notes"
  2. Build custom tools using the OneDrive client
  3. See Building Tools for examples