View a markdown version of this page

Microsoft OneDrive - Amazon Bedrock
Supported featuresAuthentication methodsPrerequisitesHow to set up a OneDrive data source

Microsoft OneDrive

Microsoft OneDrive is a cloud storage service that lets you store, share, and collaborate on files. You can connect your OneDrive for Business instance as a data source for your managed knowledge base to crawl the personal drives of users in your Microsoft 365 tenant.

Supported features

  • Crawl users' personal drives. The set of drives crawled depends on the authentication method — see Authentication methods.

  • Automatic detection of common document fields (such as title, author, and created or modified dates)

  • Inclusion and exclusion content filters using user email addresses, drive item paths, MIME types, and date ranges

  • Incremental content syncs for added, updated, and deleted content

  • Microsoft Entra App ID and OAuth 2.0 authentication

  • Document-level access control (ACLs), with Microsoft Entra App ID authentication

Note

OneNote notebooks are not currently supported.

Authentication methods

A OneDrive data source supports two authentication methods. Choose one before you begin, because it determines the credentials you create and whether you can use document-level access control. We recommend Microsoft Entra App ID authentication for new data sources.

OneDrive authentication methods
Method How it authenticates When to use Setup
Microsoft Entra App ID (ENTRA_APP_ID) — recommended A Microsoft Entra application authenticates with an application client ID and secret, using the OAuth 2.0 client-credentials (application-only) flow. No user sign-in. When document-level access control is enabled, the application additionally authenticates to SharePoint with a certificate. Most data sources, and any data source that uses document-level access control. Set up Entra App ID authentication
OAuth 2.0 (OAUTH2) An application client ID and secret together with a delegated refresh token that you obtain through a user sign-in. The connector uses the refresh token to obtain access tokens for crawling. Use when a single Microsoft 365 user has access to all the OneDrive content you want to crawl — their own drive, plus any drives shared with them or where they have SharePoint admin access. Microsoft Entra App ID authentication is required to crawl every user's OneDrive in your tenant uniformly. Set up OAuth 2.0 authentication
Important

The OAUTH2 method requires a refresh token. Refresh tokens have a finite Microsoft-side lifetime and must be re-minted before they expire. OAUTH2 also does not support document-level access control. Use Microsoft Entra App ID authentication if you need document-level access control or you need to crawl every user's OneDrive in your tenant.

Prerequisites

In Microsoft 365, make sure you:

  • Copy your Microsoft 365 tenant ID. You can find your tenant ID in the Properties of your Microsoft Entra portal. For details, see Find your Microsoft 365 tenant ID on the Microsoft Learn website.

In your AWS account, make sure you:

How to set up a OneDrive data source

Setting up a OneDrive data source involves the following steps:

  1. Set up authentication. Follow the page for your chosen method to register a Microsoft Entra application, configure permissions, and store your credentials in AWS: Set up Microsoft Entra App ID authentication for OneDrive or Set up OAuth 2.0 authentication for OneDrive.

  2. Connect the data source. Create the OneDrive data source in the knowledge base using the AWS Management Console or the API. See Connect a OneDrive data source.

  3. (Optional) Enable document-level access control. Filter query results by each user's OneDrive permissions. See Document-level access controls.

If you run into problems during setup or syncing, see Troubleshoot a OneDrive data source.