The Glean OneDrive connector enables organizations to securely and efficiently index and search content stored in Microsoft OneDrive. The connector ensures that document-level permissions and security controls from OneDrive are strictly enforced within Glean, allowing only authorized users to access items via search.

Supported Features and Limitations

The connector supports indexing core content and ensuring permission fidelity for OneDrive’s user drives. Notable features and current limitations are described below.

Supported Objects/Entities

  • Folders (OneDrive personal folders)
  • Documents (all document types, e.g., Word, Excel, PowerPoint, PDF)
  • OneNote (limited support: indexing Notebooks and Sections)
  • Metadata and permissions for all documents
  • Content from both personal and shared drives (as applicable)

Supported API Endpoints/Features

  • Microsoft Graph API v1.0 (primary for content and metadata ingestion)
  • Webhook subscriptions for drive change notifications (upload, modify, delete, permission change)
  • Full and incremental crawl modes (using Graph API delta queries)
  • Support for incremental identity crawls

Limitations

  • The connector, by default, crawls all personal folders for users in the organization, but can be restricted to nominated users/groups.
  • Some advanced permissions (like Sites.Selected) have trade-offs, e.g., the need for explicit site addition and deletion for activities and permissions (updated every 24 hours instead of near real-time).
  • OneNote support is limited to Notebooks and Sections.
  • Indexing is limited to items within a default date range (the first full crawl uses 365 days, subsequent crawls 180 days; configurable by Glean support).

Requirements

This section outlines the technical, credential, permission, and preliminary setup requirements for the OneDrive connector.

Technical Requirements

  • Microsoft 365 tenant with OneDrive for Business enabled.
  • Global (tenant) administrator access for both Azure/Entra ID and SharePoint admin portals.
  • Supported platforms: There are no specific version or license tier requirements.

Credential Requirements

  • App Registration in Azure for each Glean deployment (per-environment).
  • Application secret or certificate/private key to authenticate the connector.
  • Credentials for service principals with permissions outlined in the “Permission Requirements” section.
  • Credentials and configuration are handled in the Glean Admin Console; all secrets are stored securely.

Permission Requirements

Required permissions (must be granted as application permissions; delegated permissions are not supported):
  • Files.ReadWrite.All: Enables content indexing and management of webhook subscriptions for OneDrive updates.
  • User.Read.All: Allows Glean to enumerate tenant users and align OneDrive/SharePoint identities with Glean profiles for permission mapping.
  • Sites.FullControl.All: For advanced features or granular security management; required to pick up permission changes (see the Microsoft Graph API documentation).
  • Other permissions: GroupMember.Read.All, Member.Read.Hidden (if group/hidden membership-based access is required), Reports.Read.All (for reporting on crawl activity and scaling infrastructure).
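
One way to confirm that an app registration ended up with application permissions rather than delegated ones is to inspect an access token issued to it: Microsoft Entra ID puts application permissions in the `roles` claim and delegated permissions in `scp`. The following is an added example, not Glean's or Microsoft's code; the helper names, the required/optional split of the permissions listed above, and the sample token are assumptions made for illustration.

```python
import base64
import json

# Permission names as listed on this page; the required/optional split is an assumption.
REQUIRED = {"Files.ReadWrite.All", "User.Read.All", "Sites.FullControl.All"}
OPTIONAL = {"GroupMember.Read.All", "Member.Read.Hidden", "Reports.Read.All",
            "Sites.Selected"}  # Sites.Selected is mentioned under Limitations


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Decode the payload of a JWT for inspection only (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_token(token: str) -> dict:
    """Compare the permissions carried by a Graph access token with the page's list."""
    claims = jwt_claims(token)
    roles = set(claims.get("roles", []))         # application permissions
    scopes = set(claims.get("scp", "").split())  # delegated permissions
    return {
        "app_only": bool(roles) and not scopes,
        "missing": sorted(REQUIRED - roles),
        "unexpected": sorted(roles - REQUIRED - OPTIONAL),
        "delegated": sorted(scopes),
    }


def make_sample(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.sig"


if __name__ == "__main__":
    # Constructed sample: one required role missing, one role not on the page's list.
    sample = make_sample({"roles": ["Files.ReadWrite.All", "User.Read.All", "Mail.Read"]})
    print(audit_token(sample))
```

Because the signature is not verified, this is suitable only for reviewing a token you obtained yourself for the connector's app registration, not for making authorization decisions.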

Preliminary Source/System Setup

  • App Registration: Register an application in Azure Active Directory.
  • Permission Grant: Assign the necessary application-level permissions; a Global Admin must grant “Admin consent” for them.
  • Webhook Subscription: The system must subscribe to OneDrive webhook events to ensure timely updates for changes or deletions.
  • Scoping (Optional): To limit index scope, specify allowed user groups (by Azure AD group ID) or individual users.

Permissions & Security

  • Permission Propagation Logic: Document-level permissions from OneDrive are mapped one-to-one into Glean; search result visibility is strictly enforced by these mappings.
  • Security & Compliance Notes: All authentication uses secure OAuth 2.0 flows; admin consent is required; no delegated user privileges are used.

Configuration and Setup Instructions

These sections provide guidance for setting up the OneDrive connector within Glean. Choose the setup method that best fits your needs.

I