The Glean OneDrive connector enables organizations to securely and efficiently index and search content stored in Microsoft OneDrive. The connector ensures that document-level permissions and security controls from OneDrive are strictly enforced within Glean, allowing only authorized users to access items via search.

Supported features

The connector supports indexing core content and ensuring permission fidelity for OneDrive’s user drives.

Supported objects

  • Folders (OneDrive personal folders)
  • Documents (all document types, e.g., Word, Excel, PowerPoint, PDF)
  • OneNote (limited support: indexing Notebooks and Sections)
  • Metadata and permissions for all documents
  • Content from both personal and shared drives (as applicable)
  • Incremental identity crawls

Supported API endpoints

  • Microsoft Graph API v1.0 (primary for content and metadata ingestion), using the current Microsoft Graph API SDK v5.30.0.
  • Webhook subscriptions for drive change notifications (upload, modify, delete, permission change)
  • Full and incremental crawl modes (using Graph API delta queries)

Limitations

  • The connector, by default, crawls all personal folders for users in the organization, but can be restricted to nominated users/groups.
  • Some advanced permissions (like Sites.Selected) have trade-offs, e.g., the need for explicit site addition and deletion for activities and permissions (updated every 24 hours instead of near real-time).
  • OneNote support is limited to Notebooks and Sections.

Requirements

This section outlines the technical, credential, and permission setup requirements for the OneDrive connector.

Technical requirements

  • Microsoft 365 tenant with OneDrive for Business enabled.
  • Global (tenant) administrator access for both Azure/Entra ID and SharePoint admin portals.
  • The system must subscribe to OneDrive webhook events to ensure timely updates for changes or deletions.
  • To limit index scope, specify allowed user groups (by Azure AD group ID) or individual users.

Credential requirements

  • App Registration in Azure for each Glean deployment (per-environment).
  • Application secret or certificate/private key to authenticate the connector.
  • Credentials for service principals with the permissions outlined in the “Permission requirements” section.

Permission requirements

Required permissions (must be granted as application permissions; delegated permissions are not supported):
  • Files.ReadWrite.All: Enables content indexing and management of webhook subscriptions for OneDrive updates.
  • User.Read.All: Allows Glean to enumerate tenant users and align OneDrive/SharePoint identities with Glean profiles for permission mapping.
  • Sites.FullControl.All: For advanced features or granular security management; required to pick up permission changes (see the Microsoft Graph API documentation).
  • Other permissions: GroupMember.Read.All, Member.Read.Hidden (if group/hidden membership-based access is required), Reports.Read.All (for reporting on crawl activity and scaling infrastructure).
  • Permission grant: Assign the necessary application-level permissions; a Global Admin must grant “Admin consent”.

Permissions & security

  • Permission propagation logic: Document-level permissions from OneDrive are mapped one-to-one into Glean; search result visibility is strictly enforced by these mappings.
  • Security & compliance notes: All authentication uses secure OAuth 2.0 flows; admin consent is required; no delegated user privileges are used.