Microsoft OneDrive configuration

This page describes the Microsoft 365 configuration you must complete before creating the OneDrive data store.

Set up authentication and permissions

You must set up authentication and permissions in Microsoft 365. This is crucial for allowing the connector to access and synchronize data. The OneDrive connector supports various authentication methods, such as OAuth client credentials or API tokens.

Register Microsoft Entra app for Microsoft OneDrive connector

You must set up an Entra application registration to enable secure access to Microsoft OneDrive before you can create the connector in Gemini Enterprise.

To register Gemini Enterprise as an OAuth 2.0 application in Entra, do the following:

  1. Navigate to Microsoft Entra admin center.
  2. In the navigation menu, expand Entra ID and select App registrations.
  3. On the App registrations page, click New registration.
  4. On the Register an application page, do the following:

    1. In the Name field, enter a name for your app.
    2. In the Supported account types section, select Accounts in this organizational directory only.
    3. In the Redirect URI section, do the following:
      1. In the platform list, select Web.
      2. In the redirect URI field, enter https://vertexaisearch.cloud.google.com/console/oauth/default_oauth.html.
    4. Click Register. Microsoft Entra creates your app and displays the overview page of your app.
  5. In the app navigation menu, click Authentication.
  6. Click Add redirect URI.
  7. In the platform selection pane, do the following:
    1. Select Web.
    2. In the Redirect URI field, enter https://vertexaisearch.cloud.google.com/oauth-redirect.
    3. Click Configure.

Add federated credential for data ingestion

If you are using Data ingestion as the connection mode and Federated credentials as the authentication method, then do the following:

  1. In the app navigation menu, click Certificates & secrets.
  2. Select the Federated credentials tab.
  3. Click Add credential.
  4. Select Other issuer from the Federated credential scenario list.
  5. In the Issuer field, enter https://accounts.google.com.
  6. In the Subject identifier field, enter the value that you get from the Google Cloud console. This value is generated during the Microsoft OneDrive data store creation in the data section.
  7. In the Name field, enter a unique label for the federated credential.
  8. Click Add to grant access.

Create an OAuth 2.0 configuration

To create a connection using the OAuth 2.0 authentication method, you need to obtain a client ID, client secret, and your Tenant ID from your Microsoft Entra application registration page.

Obtain client ID and client secret

  1. To obtain the client ID, do the following:

    1. In the app navigation menu, select Overview.
    2. Copy the Application (client) ID.
  2. To obtain the client secret for the app, do the following:

    1. In the app navigation menu, select Certificates & secrets.
    2. Click New client secret.
    3. In the client secret pane, do the following:
      1. In the Description field, enter a description for the secret.
      2. In the Expires list, select an expiry duration.
      3. Click Add.
    4. Copy the client secret from the Value column.

Obtain Tenant ID

Your tenant ID can be found in the Tenant ID box on the overview page in the Microsoft Entra admin center.

Configure Microsoft API permissions

To configure the required API permissions for the app, do the following:

  1. Navigate to the app page.
  2. In the app navigation menu, select API permissions.
  3. Click Add permissions.
  4. In the Request API permissions pane, select Microsoft Graph.
  5. Search for and select the following permissions based on your connection mode:

| Connection mode | Type | Scope | Purpose |
| --- | --- | --- | --- |
| Federated search | Delegated | Files.Read.All | Allows the data store to read all files that the user can access. |
| | Delegated | Sites.Read.All | Allows the data store to read documents and list items in all site collections that the user can access. |
| | Application | User.Read.All | Allows the data store to resolve user drive locations for content discovery. |
| Data ingestion | Application | Files.Read.All | Allows the data store to read and synchronize files across the organization without a signed-in user. |
| | Application | Group.Read.All | Allows the data store to read properties and memberships of all groups. |
| | Application | GroupMember.Read.All | Allows the data store to read memberships for all groups to manage access control (ACL) syncing. |
| | Delegated | User.Read | Allows the data store to read the profile and basic company information of signed-in users. |
| | Application | Sites.FullControl.All | Allows full control of all site collections. |
| | Application | Sites.Selected | Allows access to a specific subset of site collections. |
| | Federated credentials only | User.Read.All | Allows the data store to read user profiles. |
| | Delegated | User.ReadBasic.All | Allows reading a basic set of profile properties for users in the organization. |
| Actions | Delegated | Files.ReadWrite.AppFolder | Allows the data store to read, create, update and delete files in the Microsoft OneDrive folder. |
| | Delegated | Files.ReadWrite | Allows the data store to read, download, create, upload, update, and delete the files that the user can access. |
  6. Click Add permissions.
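Once the permissions are granted, it is worth confirming that the token the app actually receives carries only the application roles the chosen connection mode needs. The following added example (not part of the Google or Microsoft documentation) decodes the `roles` claim of a Graph access token and reports missing and excess application permissions against the table above; it assumes the token was already obtained with the client ID, client secret and tenant ID from the earlier steps, treats Sites.Selected and Sites.FullControl.All as alternatives, and the mode names and sample token are constructed for illustration.

```python
import base64
import json

# Application (app-only) permissions per connection mode, from the table above.
# Delegated scopes travel in the "scp" claim of a user token, not in "roles".
REQUIRED_APP_ROLES = {
    "federated_search": {"User.Read.All"},
    "data_ingestion": {"Files.Read.All", "Group.Read.All", "GroupMember.Read.All"},
}
# The table lists both site permissions; assumed here to be alternatives, with
# Sites.Selected the least-privilege option.
SITE_ROLES = {"Sites.Selected", "Sites.FullControl.All"}


def decode_jwt_payload(token: str) -> dict:
    """Decode a JWT payload without checking the signature: inspection only,
    never an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    body = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(body))


def check_app_roles(token: str, mode: str, federated_credentials: bool = False) -> dict:
    """Compare the token's roles with what the connection mode needs."""
    roles = set(decode_jwt_payload(token).get("roles", []))
    required = set(REQUIRED_APP_ROLES[mode])
    if mode == "data_ingestion" and federated_credentials:
        required.add("User.Read.All")  # the "Federated credentials only" row
    missing = sorted(required - roles)
    if mode == "data_ingestion" and not roles & SITE_ROLES:
        missing.append("Sites.Selected (or Sites.FullControl.All)")
    return {
        "missing": missing,
        "excess": sorted(roles - required - SITE_ROLES),
        "broad_site_access": "Sites.FullControl.All" in roles,
    }


def make_unsigned_token(claims: dict) -> str:
    """Constructed, unsigned sample token for offline demonstration only."""
    seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


if __name__ == "__main__":
    sample = make_unsigned_token({"aud": "https://graph.microsoft.com", "roles": [
        "Files.Read.All", "Group.Read.All", "Sites.FullControl.All", "Mail.Read"]})
    print(check_app_roles(sample, "data_ingestion"))
```

A non-empty `excess` list or `broad_site_access` being true is the cue to trim the grant in API permissions before going live.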