This page describes how to set up the third-party (Microsoft 365) configuration that must be in place before you create the OneDrive data store.
Set up authentication and permissions
You must set up authentication and permissions in Microsoft 365 so that the connector can access and synchronize data. The OneDrive connector authenticates through a Microsoft Entra app registration using OAuth 2.0, either with an OAuth 2.0 refresh token or with federated credentials; the Microsoft Graph permissions required differ by connection mode and credential type, as listed later on this page.
Register Microsoft Entra app for Microsoft OneDrive connector
You must set up an Entra application registration to enable secure access to Microsoft OneDrive before you can create the connector in Gemini Enterprise.
To register Gemini Enterprise as an OAuth 2.0 application in Entra, do the following:
- Navigate to Microsoft Entra admin center.
- In the navigation menu, expand the Entra ID and select App registrations.
- On the App registrations page, click New registration.
On the Register an application page, do the following:
- In the Name field, enter a name for your app.
- In the Supported account types section, select Accounts in this organizational directory only.
- In the Redirect URI section, do the following:
  - In the platform list, select Web.
  - In the redirect URI field, enter https://vertexaisearch.cloud.google.com/console/oauth/default_oauth.html.
- Click Register. Microsoft Entra creates your app and displays the overview page of your app.
Next, add the second redirect URI:
- In the app navigation menu, click Authentication.
- Click Add redirect URI.
- In the platform selection pane, do the following:
  - Select Web.
  - In the Redirect URI field, enter https://vertexaisearch.cloud.google.com/oauth-redirect.
  - Click Configure.
Create an OAuth 2.0 configuration
To create a connection using the OAuth 2.0 authentication method, you need to obtain a client ID, client secret, and your Tenant ID from your Microsoft Entra application registration page.
Obtain client ID and client secret
To obtain the client ID and secret for the app, do the following:
- Navigate to the app page.
- In the app navigation menu, select Certificates & secrets.
- Click New client secret.
- In the client secret pane, do the following:
- In the Description field, enter a description for the secret.
- In the Expires list, select an expiry duration.
- Click Add.
- Copy the secret displayed in the Value column (this is the Client Secret) and store it securely. Entra shows this value only once, immediately after the secret is created; if you navigate away without copying it, delete the secret and create a new one.
- Note that the Secret ID column is not the client ID. The Client ID is the Application (client) ID shown on the app's Overview page; copy it from there and store it together with the secret for later use.
Obtain Tenant ID
Your tenant ID is shown as Directory (tenant) ID on the app's Overview page, next to the Application (client) ID. It is also shown in the Tenant ID box on the overview page of the Microsoft Entra admin center.
Configure Microsoft API permissions
To configure the required API permissions for the app, do the following:
- Navigate to the app page.
- In the app navigation menu, select API permissions.
- Click Add a permission.
In the Request API permissions pane, select Microsoft Graph.
Search for and select the following permissions based on your connection mode:
  | Connection mode | Scope | Purpose |
  |---|---|---|
  | Federated search | Files.Read.All (Delegated) | Allows the connector to read all files that the user can access. |
  | Federated search | Sites.Read.All (Delegated) | Allows the connector to read documents and list items in all site collections that the user can access. |
  | Data ingestion | GroupMember.Read.All (Federated credentials and OAuth 2.0 refresh token) | Allows the connector to read memberships and basic group properties for all groups without a signed-in user. |
  | Data ingestion | User.Read (Federated credentials and OAuth 2.0 refresh token) | Allows the connector to read the profile of signed-in users, including basic company information. |
  | Data ingestion | User.Read.All (OAuth 2.0 refresh token only) | Allows the connector to read user profiles. |
  | Data ingestion | Sites.FullControl.All (Option 1) or Sites.Selected (Option 2) (Federated credentials and OAuth 2.0 refresh token) | Option 1 allows the connector full control of all site collections. Option 2 allows the connector to access only a subset of site collections; the specific site collections and the permissions granted on them are configured in Microsoft OneDrive. |
  | Data ingestion | User.Read.All (Option 1) or User.ReadBasic.All (Option 2) (Federated credentials only) | Option 1 allows the connector to read user profiles. Option 2 allows the connector to read a basic set of profile properties of other users in the organization. |
  | Actions | Files.ReadWrite.AppFolder (Delegated) | Allows the connector to read, create, update and delete files in the Microsoft OneDrive folder. |
  | Actions | Files.ReadWrite (Delegated) | Allows the connector to read, create, update and delete the files that the user can access. |

  Where the table offers two options, Option 2 is the least-privilege choice: Sites.FullControl.All grants the connector full control over every site collection in the tenant, whereas Sites.Selected limits it to the site collections you explicitly grant, and User.ReadBasic.All exposes fewer profile properties than User.Read.All. Grant only the scopes for the connection modes you actually use.
- Click Add permissions.
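Once the app registration, secret and permissions above are in place, a practitioner normally wants to confirm that a token obtained with those credentials really carries the scopes the table lists before wiring the connector up. The following is an added example for this page, not code from Google or Microsoft. It assumes Microsoft identity platform v2.0 access tokens, which carry application permissions in the `roles` claim and delegated scopes in the space-separated `scp` claim, and it checks those claims against the table's requirements per connection mode. The signature is deliberately not verified: this is a local sanity check on a token you obtained yourself, not a token validator. The tokens in the block are constructed, unsigned samples so the script runs offline.

```python
"""Local check: does a Graph access token carry the permissions the
OneDrive connector needs for a given connection mode?

Added example for this page (not Google's or Microsoft's code).  Assumes
Microsoft identity platform v2.0 tokens: application permissions in the
`roles` claim, delegated scopes in the space-separated `scp` claim.  The
JWT signature is NOT verified; use this only on tokens you obtained.
"""
import base64
import json

# Required Graph permissions per connection mode, transcribed from the
# table above.  Each inner set lists alternatives; one of them suffices.
REQUIRED = {
    "federated_search": [{"Files.Read.All"}, {"Sites.Read.All"}],
    "data_ingestion_refresh_token": [
        {"GroupMember.Read.All"}, {"User.Read"}, {"User.Read.All"},
        {"Sites.FullControl.All", "Sites.Selected"},
    ],
    "data_ingestion_federated_credentials": [
        {"GroupMember.Read.All"}, {"User.Read"},
        {"Sites.FullControl.All", "Sites.Selected"},
        {"User.Read.All", "User.ReadBasic.All"},
    ],
    "actions": [{"Files.ReadWrite.AppFolder"}, {"Files.ReadWrite"}],
}

# Tenant-wide grants worth flagging; the narrower option is Sites.Selected.
BROAD_GRANTS = {"Sites.FullControl.All"}

# Audiences a Graph token may carry: the resource URI or Graph's app ID.
GRAPH_AUDIENCES = {"https://graph.microsoft.com",
                   "00000003-0000-0000-c000-000000000000"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(claims: dict) -> set:
    """Delegated scopes (scp) and application roles (roles), combined."""
    scopes = set(claims.get("scp", "").split())
    roles = set(claims.get("roles", []))
    return scopes | roles


def has_graph_audience(claims: dict) -> bool:
    """True if the token was issued for Microsoft Graph."""
    return claims.get("aud") in GRAPH_AUDIENCES


def missing_permissions(token: str, mode: str) -> list:
    """Requirement groups from REQUIRED[mode] the token does not satisfy."""
    granted = granted_permissions(jwt_claims(token))
    missing = []
    for alternatives in REQUIRED[mode]:
        if not (alternatives & granted):
            missing.append(" or ".join(sorted(alternatives)))
    return missing


def broad_grants(token: str) -> set:
    """Tenant-wide permissions present in the token (least-privilege flag)."""
    return granted_permissions(jwt_claims(token)) & BROAD_GRANTS


def make_unsigned_token(claims: dict) -> str:
    """Constructed, unsigned JWT for offline demonstration only."""
    return ".".join([_b64url_encode({"alg": "none", "typ": "JWT"}),
                     _b64url_encode(claims), ""])


# Constructed sample tokens (not real Entra tokens).
FEDERATED_SEARCH_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "scp": "Files.Read.All Sites.Read.All",
})
INGESTION_TOKEN = make_unsigned_token({
    "aud": "00000003-0000-0000-c000-000000000000",
    "scp": "GroupMember.Read.All User.Read User.Read.All Sites.FullControl.All",
})

if __name__ == "__main__":
    for name, tok in (("federated-search", FEDERATED_SEARCH_TOKEN),
                      ("ingestion", INGESTION_TOKEN)):
        print(name, "graph audience:", has_graph_audience(jwt_claims(tok)))
        for mode in REQUIRED:
            print(" ", mode, "missing:", missing_permissions(tok, mode) or "none")
        if broad_grants(tok):
            print("  WARNING tenant-wide grant present:", broad_grants(tok))
```

To use it on a real token, paste the access token returned for the registered app in place of one of the constructed samples; a non-empty result from `missing_permissions` means the scope was not added (or admin consent has not taken effect yet), and a non-empty `broad_grants` is the cue to consider Sites.Selected instead.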