Configuring Microsoft OneDrive for Business or SharePoint Online with user based access

To configure OneDrive/SharePoint with user-based access, the following steps are needed.

• Register new application in Microsoft Azure. 
• Create a new client secret. 
• Update configuration in the management interface.

Steps are described in more detail in the chapters below.

In case you have any troubles, please refer to the troubleshooting section of the edit connector documentation.

For more information on registering applications, see https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app.

Registering new application

1. Go to the Microsoft Azure portal https://portal.azure.com/
2. Login with Microsoft account that will be used for application registration.
3. If you have logged into the Microsoft Azure portal for the first time, you will need to configure your subscription first. 
4. Click on the Azure Active Directory.
   
   

   

5. In the Azure Active Directory, we can see Tenant ID – this ID will be later used on the Configuration page in the management interface. Save this ID for later and proceed to the App registration.
   

   

   
   
   
6. Create new registration.
   

   

7. Fill in 
   • Application name e.g. "OneDrive Scanning" resp. "SharePoint Scanning".
   • Supported account types select an option according to customer needs. If the application is created only for one customer, the first option is enough.
   • Redirect URI select Web and in the text box fill in the address where the application requesting the authorization is accessible e.g. https://<Management Service URL>/oauth2/client/onedrive/user-authorize-callback (for OneDrive) resp. https://<Management Service URL>/oauth2/client/sharepoint/user-authorize-callback (for SharePoint). Ensure the Management Service URL is accessible. 
   • Click  Register
     
     

   

   
   
   
8. A new application will be created. On the Overview page, we can see Application (client) ID, save this value for later. Application (client) ID will be used on the Configuration page in the management interface.
   
   

   

Creating client secret

Prerequisite: Follow instructions for Registering new application.

1. Make sure you are in the correct application.
2. Navigate to the Certificates & secrets using the sidebar menu.
3. Click on New client secret.
   
   

   

4. Fill in
   • Description e.g. OneDrive resp. SharePoint
   • Expires select expiration time of the secret
   • Click Add
     
     

   

   
   
5. A new client secret will be created. Copy your secret value to some temporary file as you will be not able to view it after you leave this page. Client secret will be later filled on the Configuration page in the management interface.
   
   

   

Updating the configuration in the management interface

Prerequisite: Follow instructions for Registering new application, Creating client secret

1. Log in to the management interface using an account with administrator rights.
2. Navigate to System > Configuration.
3. Change the settings level to EXPERT.
4. Configure "managementServiceUrl", Management Service URL needs to match the URI filled in Azure Application registration
   

   

5. Fill in "onedriveOAuth2ClientId" (for OneDrive) resp. "sharepointOAuth2ClientId" (for SharePoint) configuration with Application (client) ID obtained from application registration
   

   

6. Fill in "onedriveOAuth2ClientSecret" (for OneDrive) resp. "sharepointOAuth2ClientSecret" (for SharePoint) configuration with Client secret obtained from creating client secret
   

   

7. Check "onedriveOAuth2Scopes" configuration is set to Files.ReadWrite (for OneDrive) resp. "sharepointOAuth2Scopes" configuration is set to Sites.ReadWrite.All (for SharePoint). The offline_access scope is also recommended, it eliminates necessity of repeated authorizations. 
   

   

Requirements

Scanning to SharePoint Online resp. OneDrive Business requires internet access. Here is the list of application and URLs that needs to be accessible to make the authorization and scanning work.

Management requires access to these URLs:

• https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize
• https://login.microsoftonline.com/organizations/oauth2/v2.0/token

Workflow processing service (WPS) requires access to this base URL:

• https://graph.microsoft.com/v1.0/

Azure Governmental deployments (also known as Office 365 GCC / GCC High)

Only OneDrive is supported on Office 365 GCC environments

Azure Governmental deployments use different URLs in the OAuth 2.0 communication. In order to be able to deliver scanned documents into a OneDrive account which is hosted in the Azure Governmental environment, you need to update few configuration properties in Management interface:

• microsoftLoginBaseUrl - Base URL for the Microsoft Login (by default is set to https://login.microsoftonline.com). Used to authorize the Management user to access Microsoft services and retrieve the access token.
  
• microsoftGraphBaseUrl - Base URL for the Microsoft Graph API (by default is set to https://graph.microsoft.com). Used to store documents in Microsoft services.

After updating this properties, you need to restart Management and Workflow Processing Service to apply the changes.