## Microsoft OneDrive integration Integrating Microsoft OneDrive with Frontegg allows your application to read and write files, manage folders, access shared files, and interact with user storage — all through Frontegg's integration layer using Microsoft OAuth 2.0 and the Microsoft Graph API. Prerequisites - A Microsoft account with access to the [Azure portal](https://portal.azure.com/) - An Azure Active Directory (Microsoft Entra ID) tenant ### Register an application in Azure #### Step 1: Go to App registrations Sign in to the [Azure portal](https://portal.azure.com/) and search for **App registrations** in the top search bar. Click **App registrations** in the results. ![App registrations page in Azure portal](/assets/microsoft-onedrive-1.ccd64126c70d6e3faad64e6e0e1247251b2e7b6a9cf29e00bbb2a72418fa19f0.1ce25488.png) #### Step 2: Register a new application Click **New registration** at the top of the page. Fill in the registration form: 1. Enter a name for your application (for example, `Frontegg Integration`). 2. Under **Supported account types**, select **Accounts in any organizational directory (Any Microsoft Entra ID tenant — Multitenant)** for multi-tenant apps, or the appropriate option for your use case. 3. Under **Redirect URI**, select **Web** as the platform and enter your Frontegg MCP Gateway callback URL. 4. Click **Register**. ![New application registration form with name, account type, and redirect URI filled in](/assets/microsoft-onedrive-2.ee7428b2c789d1c5902ad1ebe1b7bfca0bb4a59f4fc7b6d6233f11861e35524e.1ce25488.png) #### Step 3: Copy the Application (client) ID and Directory (tenant) ID After registration, you are taken to the application overview page. Copy both the **Application (client) ID** and the **Directory (tenant) ID** — you will need them when configuring the Frontegg portal. ![Application overview page with Application ID and Directory ID highlighted](/assets/microsoft-onedrive-3.e4cc7df97d94fb24a3f2bf6c73386c70a33526c78d94570f6d9a573a1b9987a2.1ce25488.png) ### Create a client secret #### Step 4: Go to Certificates & secrets In the left sidebar, click **Certificates & secrets**, then click **New client secret**. ![Certificates and secrets page with New client secret button highlighted](/assets/microsoft-onedrive-4.4d5c34390e0ac91ef33c8a26cb166e2e029d2c9e8e5818aec9de56804c2de84b.1ce25488.png) #### Step 5: Add a description and expiry In the **Add a client secret** panel, enter a description (for example, `Frontegg Integration`) and choose an expiry period. Click **Add**. ![Add a client secret panel with description field filled in](/assets/microsoft-onedrive-5.5ffafd3acb835854ec3ab4aac12512bd29a12dbade581f07689ca018849eb027.1ce25488.png) #### Step 6: Copy the client secret value The new secret appears in the list. Copy the **Value** immediately — it is only shown once. After you navigate away, you cannot retrieve it again. Save your Client Secret now The Client Secret value is only displayed once. After you leave this page, you can only see the secret ID — not the value. Store the value securely before continuing. ![Client secret list showing the new secret with value blurred](/assets/microsoft-onedrive-6.6e9fb7ec0d6d3e90c1cbc749ff72a46a823e960ae830f858b13396a3a30576fc.1ce25488.png) ### Configure API permissions #### Step 7: Go to API permissions In the left sidebar, click **API permissions**, then click **Add a permission**. ![API permissions page with Add a permission button highlighted](/assets/microsoft-onedrive-7.3867975c98d041356e38c9cd418e8515860f911566438332c03c8504716fa295.1ce25488.png) #### Step 8: Select Microsoft Graph In the **Request API permissions** panel, click **Microsoft Graph**. ![Request API permissions panel with Microsoft Graph highlighted](/assets/microsoft-onedrive-8.119708644d038a87f7be657fe351b58f169aab049f0744f3705b3239f911a10a.1ce25488.png) #### Step 9: Select delegated permissions Click **Delegated permissions**. Search for `Files` and expand the **Files** group. Select the permissions your application requires, then click **Add permissions**. ![Delegated permissions list with Files.Read and Files.ReadWrite selected](/assets/microsoft-onedrive-9.3b4313d463a3f857dfd7f3ed20ae9433ad701621d287f20df0b0858a1a3fec21.1ce25488.png) #### Step 10: Verify configured permissions After adding permissions, the **API permissions** page shows all configured permissions under **Microsoft Graph**. ![API permissions page showing the configured Files and User.Read permissions](/assets/microsoft-onedrive-10.6ecc6cb25da2630e2062c498ff9be4ccef95514cf1bb8aefbe5952d89cf787fc.1ce25488.png) ### Configure the Frontegg portal Once you have your **Client ID**, **Client Secret**, and optionally the **Tenant ID**, enter them in the Frontegg portal: 1. Open the **Frontegg portal** and navigate to [ENVIRONMENT] → Integrations → Microsoft OneDrive. 2. Enter the **Client ID** and **Client Secret** in the corresponding fields. 3. Optionally, enter the **Directory (tenant) ID**. Leave blank or use `common` for multi-tenant applications. 4. Select the required **scopes**: | Scope | Description | | --- | --- | | `Files.Read` | Read the signed-in user's files | | `Files.ReadWrite` | Read, create, update, and delete the signed-in user's files | | `Files.Read.All` | Read all files the signed-in user can access | | `Files.ReadWrite.All` | Read, create, update, and delete all files the signed-in user can access | | `Files.Read.Selected` | Read files that the user selects (preview) | | `Files.ReadWrite.Selected` | Read and write files that the user selects (preview) | | `Files.ReadWrite.AppFolder` | Full access to the application's dedicated folder (preview) | 1. Click **Save**. Keep your credentials secure Never share or commit your Client Secret to version control. ### Additional resources - [Microsoft Graph Files API documentation](https://learn.microsoft.com/en-us/graph/api/resources/onedrive) - [Azure portal](https://portal.azure.com/) - [Microsoft identity platform and OAuth 2.0](https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow) - [How to get your Redirect URL](/agen-for-work/connectors/redirect-url)