Create the data source Connector parameters Change the authentication method Next steps

Connect a OneDrive data source

After you set up authentication and store your credentials in an AWS Secrets Manager secret, create the OneDrive data source in your knowledge base. This page describes how to create the data source with the AWS Management Console or the API, followed by a reference for the connector parameters you can configure.

Note

Complete authentication setup first. See Set up Microsoft Entra App ID authentication for OneDrive (recommended) or Set up OAuth 2.0 authentication for OneDrive. You need the secret ARN, your tenant ID, and (for document-level access control) the Amazon S3 location of your certificate.

Create the data source

Console

To connect OneDrive to your managed knowledge base

Under Data source, provide a name for your data source.
Select OneDrive from the data source dropdown.
Under Source, enter your OneDrive Tenant ID.
Under Authentication, select Microsoft Entra ID App or OAuth 2.0 authentication.
Select or create an AWS Secrets Manager secret to store your credentials.
(Optional) To enable document-level access control, select Control document access with ACLs and provide the Certificate path — the Amazon S3 path to your .p12 certificate file. This option is available only with Microsoft Entra ID App authentication and cannot be changed after creation. For details, see Document-level access controls.
(Optional) Expand Sync scope to choose which content to crawl. With Microsoft Entra ID App authentication, only personal drives can be crawled.
(Optional) Expand User emails to add specific emails of users whose data you want to include or exclude.
(Optional) Expand File path filters to include or exclude specific files and folders.
(Optional) Expand Mime types regex pattern to add regex patterns to include or exclude specific MIME types.
(Optional) Expand Date based entity syncing to specify date filters.

API

To create a OneDrive data source, send a CreateDataSource request with an Agents for Amazon Bedrock build-time endpoint. The following AWS Command Line Interface example creates a data source that uses Microsoft Entra App ID authentication. To enable document-level access control, set aclEnabled to true and add a certificateS3Path to connectionConfiguration. For a description of each field, see the connector parameters reference that follows.


aws bedrock-agent create-data-source \
 --name "OneDrive-connector" \
 --knowledge-base-id "your-knowledge-base-id" \
 --data-source-configuration file://onedrive-managed-connector.json

The onedrive-managed-connector.json file contains the following:


{
    "type": "MANAGED_KNOWLEDGE_BASE_CONNECTOR",
    "managedKnowledgeBaseConnectorConfiguration": {
        "connectorParameters": {
            "type": "ONEDRIVE",
            "version": "1",
            "aclEnabled": false,
            "connectionConfiguration": {
                "secretArn": "arn:aws:secretsmanager:us-west-2:123456789012:secret:bedrock-onedrive-creds",
                "tenantId": "12345678-1234-1234-1234-123456789012",
                "authType": "ENTRA_APP_ID"
            },
            "dataEntityConfiguration": {
                "crawlPersonalDrives": true
            }
        }
    }
}

To enable document-level access control, set aclEnabled to true and add certificateS3Path to connectionConfiguration:


{
    "type": "ONEDRIVE",
    "version": "1",
    "aclEnabled": true,
    "connectionConfiguration": {
        "secretArn": "arn:aws:secretsmanager:us-west-2:123456789012:secret:bedrock-onedrive-creds",
        "tenantId": "12345678-1234-1234-1234-123456789012",
        "authType": "ENTRA_APP_ID",
        "certificateS3Path": {
            "s3BucketName": "your-certificate-bucket",
            "s3KeyName": "certs/certificate.p12"
        }
    },
    "dataEntityConfiguration": {
        "crawlPersonalDrives": true
    }
}

For an OAUTH2 data source, set authType to OAUTH2 and omit certificateS3Path.

For managed knowledge bases, CreateDataSource is asynchronous: the data source status transitions from CREATING to AVAILABLE when the operation completes.

Connector parameters

The data source configuration uses the following connector parameters. To connect to OneDrive, specify ONEDRIVE as the connector type in connectorParameters. For the fields that wrap connectorParameters (such as deletionProtectionConfiguration and mediaExtractionConfiguration), see Connect a data source.

connectionConfiguration
Field	Required	Description
`secretArn`	Yes	The ARN of the AWS Secrets Manager secret containing your OneDrive credentials.
`tenantId`	Yes	The Microsoft Entra (Azure AD) tenant ID.
`authType`	Yes	The authentication type: `ENTRA_APP_ID` (recommended) or `OAUTH2`. See Authentication methods.
`certificateS3Path`	Conditional	Required when `aclEnabled` is `true` (Microsoft Entra App ID authentication). Contains `s3BucketName` and `s3KeyName` for the `.p12` certificate file in Amazon S3. Not used for content-only crawling or with `OAUTH2`.

dataEntityConfiguration
Field	Required	Description
`crawlPersonalDrives`	No	Whether to crawl users' personal drives.
`crawlSharedWithMe`	No	Whether to crawl files shared with the signed-in user. Supported only with `OAUTH2` authentication. Microsoft Entra App ID (application-only) authentication cannot crawl shared files.

Note

OneNote notebooks are not currently supported.

filterConfiguration (optional)
Field	Required	Description
`inclusionUserEmailAddresses`	No	User email addresses whose drives to include.
`exclusionUserEmailAddresses`	No	User email addresses whose drives to exclude.
`userFilterPath`	No	An Amazon S3 URL pointing to a file that lists the users to include or exclude.
`inclusionDriveItems`	No	Drive item paths to include.
`exclusionDriveItems`	No	Drive item paths to exclude.
`includeMimeTypes`	No	MIME types to include.
`excludeMimeTypes`	No	MIME types to exclude.
`absoluteDateBefore`	No	Only include content modified before this date (ISO 8601).
`absoluteDateAfter`	No	Only include content modified after this date (ISO 8601).

Note

With OAUTH2 authentication the connector crawls in the signed-in user's delegated context. The user-based filters (inclusionUserEmailAddresses, exclusionUserEmailAddresses, userFilterPath) determine which users' drives the connector attempts; drives the signed-in user cannot access are silently skipped. To crawl every user's OneDrive in your tenant regardless of permissions, use ENTRA_APP_ID authentication.

aclEnabled (optional)
Field	Required	Description
`aclEnabled`	No	Set to `true` to enable document-level access control. Requires `ENTRA_APP_ID` authentication and a `certificateS3Path` in `connectionConfiguration`. You cannot change this setting after you create the data source. For details, see Document-level access controls.

Change the authentication method

You can change a data source's authentication method (for example, from OAuth 2.0 to Microsoft Entra App ID) by updating the data source with the new authType and credentials, using the UpdateDataSource operation or the AWS Management Console. The document-level access control setting is fixed when you create a data source, so to add or remove ACLs you must create a new data source.

Next steps

After you create the data source, sync it to ingest content into your knowledge base. For details, see Sync a data source. To filter query results by user permissions, see Document-level access controls.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Set up OAuth 2.0 authentication

Document-level access controls