Connect Microsoft OneDrive

This page describes how to connect Microsoft OneDrive to Agentspace. The connector supports both data ingestion and federated search. See the section for the approach you plan to use.

Connect Microsoft OneDrive (data ingestion)

Use the following procedure to sync data from OneDrive.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Limitations

Incremental sync does not detect folder-level actions like Copy, Move, or Rename.

Before you begin

Before setting up your connection:

  1. Set up access control for your data source. For information about setting up access control, see Use data source access control.

  2. To obtain the client ID and client secret, do the following:

    1. Create an Entra ID application:

      1. Sign in to Microsoft Entra administrator center and click Application.
      2. In the Application drop-down list, click App registrations.
      3. In the App registrations page, click New registration.
      4. Click Add new registration and do the following:
        • Enter a name for the application.
        • Under Supported account types, select Accounts in the organizational directory only.
        • Under Redirect URI, add a web redirect URI pointing to https://vertexaisearch.cloud.google.com/console/oauth/sharepoint_oauth.html.
      5. Click Register.

      Register API client form

    2. Save credentials:

      On your registered application window, save the following values for later use:

      1. Use the Application (client) ID to set the Client ID parameter.
      2. Use the Directory (tenant) ID to set the Azure Tenant parameter.

      Save credentials

    3. Create client secret:

      1. Navigate to Certificates & secrets and create a new client secret:
      2. Click New client secret and specify the required duration.
      3. Click Add.

      Add client secret
      4. Save the client secret and copy the key value for later use.

Configure API permissions

To configure API permissions, use one of the following options:

  1. Manual assignment:

    1. Open API permissions for the app.

    API permissions

    2. Add the following permissions and grant admin consent to all permissions.

      Permission       Type          Description
      Files.Read.All   Application   Read files in all site collections
      Group.Read.All   Application   Read all groups
      User.Read.All    Application   Read all users' full profiles

  2. Manifest file:

    1. Go to the Manifest tab.
    2. Delete the contents between [ and ] under requiredResourceAccess.

      Edit the manifest file

    3. Paste the following JSON between the brackets.

      {
       "resourceAppId": "00000003-0000-0000-c000-000000000000",
       "resourceAccess": [
         {
           "id": "01d4889c-1287-42c6-ac1f-5d1e02578ef6",
           "type": "Role"
         },
         {
           "id": "5b567255-7703-4780-807c-7be8301ae99b",
           "type": "Role"
         },
         {
           "id": "df021288-bdef-4463-88db-98f22de89214",
           "type": "Role"
         }
       ]
      }
      
    4. Return to API permissions.

    5. Confirm all required permissions are present.

    6. Grant administrator consent.
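
To confirm that the registration carries the three required application roles and nothing more, the manifest can be checked offline. The following is an added example, not part of the original procedure or of Agentspace. The function name and sample manifest are constructed, and the role names are paired with the IDs on the assumption that the JSON above lists them in the same order as the permission table.

```python
import json

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # resourceAppId from the manifest JSON above
# Role IDs from the manifest JSON above. The names are paired with them on the
# assumption that the JSON lists the roles in the same order as the table.
EXPECTED_ROLES = {
    "01d4889c-1287-42c6-ac1f-5d1e02578ef6": "Files.Read.All",
    "5b567255-7703-4780-807c-7be8301ae99b": "Group.Read.All",
    "df021288-bdef-4463-88db-98f22de89214": "User.Read.All",
}

def audit_manifest(manifest_text: str) -> dict:
    """Report required roles that are missing and entries beyond the three required roles."""
    manifest = json.loads(manifest_text)
    found, unexpected = set(), []
    for resource in manifest.get("requiredResourceAccess", []):
        app_id = str(resource.get("resourceAppId", "")).lower()
        for access in resource.get("resourceAccess", []):
            role_id = str(access.get("id", "")).lower()  # GUIDs compare case-insensitively
            kind = access.get("type")
            if app_id == GRAPH_APP_ID and kind == "Role" and role_id in EXPECTED_ROLES:
                found.add(role_id)
            else:
                # Anything else widens the app's access and deserves a review.
                unexpected.append({"resourceAppId": app_id, "id": role_id, "type": kind})
    missing = [name for rid, name in EXPECTED_ROLES.items() if rid not in found]
    return {"missing": missing, "unexpected": unexpected,
            "ok": not missing and not unexpected}

# Constructed sample: one required role is absent and one extra entry is present.
SAMPLE_MANIFEST = json.dumps({
    "requiredResourceAccess": [{
        "resourceAppId": GRAPH_APP_ID,
        "resourceAccess": [
            {"id": "01D4889C-1287-42C6-AC1F-5D1E02578EF6", "type": "Role"},
            {"id": "5b567255-7703-4780-807c-7be8301ae99b", "type": "Role"},
            # Placeholder GUID, not a real permission ID.
            {"id": "11111111-2222-3333-4444-555555555555", "type": "Scope"},
        ],
    }]
})

if __name__ == "__main__":
    print(json.dumps(audit_manifest(SAMPLE_MANIFEST), indent=2))
```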

Get the instance URL

Use the OneDrive root URL to get the instance URL. For more information, see OneDrive URLs documentation.

Create a OneDrive connector

Console

To use the Google Cloud console to sync data from OneDrive to Agentspace, follow these steps:

  1. In the Google Cloud console, go to the Agentspace page.

    Agentspace

  2. In the navigation menu, click Data stores.

  3. Click Create data store.

  4. On the Select a data source page, scroll or search for OneDrive to connect your third-party source.

  5. Enter your OneDrive authentication information.

  6. Select the following entities to sync:

    • File
  7. To filter entities out of the index or ensure that they are included in the index, click Filter.

    • fileName matches the filename only.
    • filePath must be a full Microsoft Graph API path, usually prefixed with /drive/root:. For example, if the OneDrive direct link is https://example-my.sharepoint.com/personal/user_example_com/Documents/folder1/folder2, then filePath is /drive/root:/folder1/folder2.

    Specify filters to include or exclude entities

  8. Click Continue.

  9. Select the Sync frequency for Full sync and the Incremental sync frequency for Incremental data sync. For more information, see Sync frequency.

    If you want to schedule separate full syncs of entity and identity data, expand the menu under Full sync and then select Custom options.

    Setting separate schedules for full entity sync and full identity sync.
  10. Select a region for your data store.

  11. Enter a name for your data store.

  12. Click Create. Agentspace creates your data store and displays your data stores on the Data stores page.

  13. To check the status of your ingestion, go to the Data stores page and click your data store name to see details about it on its Data page. The Connector state changes from Creating to Running when it starts synchronizing data. When ingestion is complete, the state changes to Active to indicate that the connection to your data source is set up and awaiting the next scheduled synchronization.

    Depending on the size of your data, ingestion can take minutes or hours.

Enable real-time sync

To enable real-time sync for your data store, follow these steps.

  1. In the Google Cloud console, go to the Agentspace page.

    Agentspace

  2. In the navigation menu, click Data stores.

  3. Click the name of the OneDrive data store for which you want to enable real-time sync.

  4. On the data store Data page, wait until the Connector state changes to Active.

  5. In the Real-time sync field, click View/edit.

    View and edit real-time sync settings.

  6. Click the Enable real-time sync toggle to the on position.

  7. Provide a value for Client secret. This value is used to verify OneDrive webhook events. We recommend using a string of 20 characters.

    Enable real-time sync and provide a client secret.

  8. Click Save.

    Wait for the Real-time sync field to change to Running.
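
The client secret in step 7 is a shared value used to verify webhook events, so it should be random rather than memorable. The following added example (not Agentspace's own code) generates a 20-character value and shows the receiver-side check. It assumes the value is carried as the clientState field that Microsoft Graph echoes back in change notifications; the function names and sample payload are constructed.

```python
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits

def generate_client_secret(length: int = 20) -> str:
    """Draw each character from the OS CSPRNG (about 119 bits for 20 characters)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def accept_notifications(payload: dict, expected_secret: str) -> list:
    """Keep only notifications whose clientState equals the configured secret."""
    accepted = []
    for item in payload.get("value", []):
        state = item.get("clientState")
        # Constant-time comparison; a missing or non-string value is rejected.
        if isinstance(state, str) and hmac.compare_digest(
                state.encode("utf-8"), expected_secret.encode("utf-8")):
            accepted.append(item)
    return accepted

def sample_payload(secret: str) -> dict:
    """Constructed batch shaped like a Graph change notification (assumed layout)."""
    base = {"subscriptionId": "sub-constructed", "changeType": "updated"}
    return {"value": [
        dict(base, resource="drive/root:/genuine", clientState=secret),
        dict(base, resource="drive/root:/wrong-secret", clientState="guess"),
        dict(base, resource="drive/root:/no-secret"),
    ]}

if __name__ == "__main__":
    secret = generate_client_secret()
    kept = accept_notifications(sample_payload(secret), secret)
    print(len(secret), [n["resource"] for n in kept])
```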

Error codes

The following table lists OneDrive error codes and descriptions.

Error code                      Description
ONEDRIVE_MISSING_PERMISSION_1   The application does not have a required Files.Read.All role for Graph API.
ONEDRIVE_MISSING_PERMISSION_2   The application does not have a required Group.Read.All role for Graph API.
ONEDRIVE_MISSING_PERMISSION_3   The application does not have a required User.Read.All role or User.ReadBasic.All role for Graph API.
ONEDRIVE_INVALID_SITE_URI       The instance URL is invalid.
ONEDRIVE_INVALID_AUTH           Error when retrieving Graph API access token. This may be due to an invalid client ID, secret value, or missing federated credentials.
ONEDRIVE_UNCATEGORIZED_ERROR    Invalid or no ACL is present in file.
ONEDRIVE_TOO_MANY_REQUESTS      Too many HTTP requests are sent to OneDrive. Received HTTP 429 response.

Next steps

Use the following procedure to search your Microsoft OneDrive account using federated search.

You can use federated search connectors to send your queries to third-party search APIs instead of ingesting and indexing all data into Agentspace. Using this approach, you can access external data sources immediately, without waiting for ingestion.

However, this approach might not be suitable in all scenarios. While federated search is quick to set up, it has the following limitations:

  • Compared to indexed data, federated search may deliver lower-quality results.
  • Federated search may introduce higher latency, because it depends on the third-party search API.
  • Not all connectors support federated search.

Before you begin

Perform the following steps before connecting to your Microsoft OneDrive data store using federated search.

  1. Register Agentspace as an OAuth 2.0 application in Microsoft Entra ID. Copy the following credentials:

    • Client ID
    • Client secret
    • Tenant ID
  2. Configure the following Microsoft Graph application permissions with the consent of a Microsoft OneDrive administrator:

    Permission       Type        Description
    Files.Read.All   Delegated   Read all files that user can access
    Sites.Read.All   Delegated   Read items in all site collections

  3. Add the following URLs as web callback URLs:

    • https://vertexaisearch.cloud.google.com/console/oauth/default_oauth.html
    • https://vertexaisearch.cloud.google.com/oauth-redirect

Create a federated search connector with OneDrive

Use the following steps in the Google Cloud console to perform federated search through Microsoft OneDrive from Agentspace.

  1. In the Google Cloud console, go to the Agentspace page.

    Agentspace

  2. In the navigation menu, click Data stores.

  3. Click Create data store.

  4. On the Select a data source page, select OneDrive Federated Search to connect your third-party data source.

  5. Under Authentication settings:

    1. Enter the Client ID, Client secret, and Tenant ID.

    2. Click Login.

    3. Click Continue.

    Sign in using the copied OAuth 2.0 credentials

    Note: The next step (selecting entities to sync) will be skipped automatically, because this data source supports only one entity type.

  6. Select a region for your data source.

  7. Enter a name for your data source.

  8. Click Create. Agentspace creates your data store and displays it on the Data stores page.

Once the data store is created, go to the Data stores page and click your data store name to see the status. When the Connector state changes from Creating to Active, the federated search connector is ready to be used.

User authorization

After creating a federated search data store, you see it listed as one of the data sources in your source management panel. If you haven't previously authorized Agentspace, then you can't select the data source. Instead, an Authorize button appears.

To initiate the authorization flow:

  1. Click Authorize. You are redirected to the OneDrive authorization server.

  2. Sign in to your account.

  3. Click Grant access. After granting access, you are redirected back to Agentspace to complete the authorization flow. Agentspace obtains the access token and uses it to access the Microsoft OneDrive search.

Query execution

After you authorize Microsoft OneDrive, when you enter a search query:

  1. Agentspace sends your search query to the Microsoft Graph API.

  2. Agentspace blends the results with those from other sources and displays them.

Data handling

When using third-party federated search, your query string is sent to the third-party search backend. These third parties may associate queries with your identity. If multiple federated search data sources are enabled, the query might be sent to all of them.

Once the data reaches the third-party system, it is governed by that system's terms of service and privacy policies.