Skip to content

Add OneDrive / SharePoint Account

Connect a Microsoft OneDrive for Business or SharePoint location to PlaidCloud Document. You register an Entra (Azure AD) application, choose how much of your tenant it can reach, and PlaidCloud uses it to read and write files.

Decide how much of your Microsoft 365 tenant the application can reach. This is the most important choice in the whole setup.

Model Graph application permission What the app can reach Choose when
Selected sites (recommended) Sites.Selected Only the specific sites you explicitly grant Any site holds sensitive data — payroll, HR, finance, PHI
All sites Sites.Read.All (read) or Sites.ReadWrite.All (read + write) Every site in the tenant No site is sensitive and you want the simplest setup

Most organizations should choose Selected. If even one site holds sensitive information, tenant-wide access exposes it. With Sites.Selected the application can reach nothing until an administrator grants it to each named site, so sites you never grant stay completely out of reach.

  1. Sign in to the Azure portal and go to Microsoft Entra IDApp registrations+ New registration.
  2. Enter a name (for example PlaidCloud).
  3. Under Supported account types, choose Accounts in this organizational directory only (single tenant — most common).
  4. Leave the Redirect URI blank and click Register.
  5. On the overview page, copy the Application (client) ID (your Client ID) and the Directory (tenant) ID (your Tenant ID).
  6. Go to Certificates & secrets+ New client secret, set a description and expiry, Add, and copy the secret Value immediately — it is not shown again.

Add exactly one Microsoft Graph Application permission, matching the access model you chose:

  • Selected sites: Sites.Selected
  • All sites: Sites.Read.All (read-only) or Sites.ReadWrite.All (read + write)

Steps: API permissions+ Add a permissionMicrosoft GraphApplication permissions → add the one permission above → Grant admin consent.

If you chose All sites, your setup is done — skip to Add the Account in PlaidCloud. If you chose Selected sites, grant the app to each site next.

Grant the App Access to Each Site (Selected Model)

Section titled “Grant the App Access to Each Site (Selected Model)”

Sites.Selected grants the application no access on its own — a SharePoint or Global administrator must grant it to each site you want it to reach. There is no admin-center screen for this, so you use two Microsoft Graph calls in Graph Explorer. Because you grant sites one at a time, sensitive sites simply are never granted.

One-time setup. In Graph Explorer, signed in as a SharePoint/Global administrator, open the Modify permissions tab and click Consent on Sites.FullControl.All (this scope is what lets you set site grants). If a later query returns accessDenied, this consent is what’s missing — sign out and back in after consenting to refresh the token.

List the sites in your tenant (method GET):

GET https://graph.microsoft.com/v1.0/sites?search=*&$select=displayName,webUrl,id

Or resolve a single site directly by its URL:

GET https://graph.microsoft.com/v1.0/sites/contoso.sharepoint.com:/sites/TeamName

Copy the site’s id from the response — it has the form contoso.sharepoint.com,<guid>,<guid>.

Set the method to POST against that site’s permissions collection (paste the id from Step 1):

POST https://graph.microsoft.com/v1.0/sites/{site-id}/permissions

On the Request body tab, paste the following — set roles to ["read"] or ["write"], and use your app’s Application (client) ID:

{
"roles": ["read"],
"grantedToIdentities": [
{ "application": { "id": "your-client-id", "displayName": "PlaidCloud" } }
]
}

Run the query. A success returns a permission object with an id and your roles. Repeat Step 2 for each site you want PlaidCloud to reach. To review what a site has granted:

GET https://graph.microsoft.com/v1.0/sites/{site-id}/permissions
  1. Sign into PlaidCloud and select the workspace where the account will reside.
  2. Go to DocumentManage Accounts+ New Account.
  3. Choose OneDrive as the Service.
  4. Enter a name and description, and choose a Security Model (leave Private if unsure).
  5. Under Auth Credentials, paste the Client ID, Client Secret, and OneDrive Tenant ID from the app registration.
  6. In SharePoint Site URL, paste the URL of a site the app has been granted (for example https://contoso.sharepoint.com/sites/TeamName). The Drive/Site list then shows that site’s document libraries — pick the one to use as the account’s root. This fills in the Start Path.
  7. Select Save.