OneDrive & Office 365 Integration (Automated Account Linking)

Posted on 26th September 2017

Introduction

Foldr provides integration with Office 365 to allow OneDrive for Business and SharePoint Online sites to be presented in the Foldr interface.  Foldr can also provide access to the document storage locations that are available to users through Office 365 Teams.

Active Directory accounts may be automatically linked to Office 365 accounts and the corresponding OneDrive &/or SharePoint sites can be presented in the Foldr interface.  Users can alternatively link a Microsoft Office 365 accounts manually.  Manual linking will present a pop-up dialog requesting the user’s Microsoft account credentials the first time they try to access OneDrive, SharePoint Online or a Teams share in Foldr.

Once an Office 365 account is linked in Foldr, a user can edit any on-premise or cloud hosted Office files in Office Online (web-based versions of Word, Excel & PowerPoint).  Collaborative editing is also possible through Office Online with SharePoint Online.

Manual or Automatic Account Linking?

The administrator should decide which method of account linking is to be used in the deployment as there are benefits to both methods.  Automated account linking uses a service account to provide immediate access to user’s OneDrive and SharePoint sites with no additional effort from the user. However, the connection always uses service account credentials, rather than those of the individual user. Only the manual account linking method can respect the granular Office 365 user’s permissions for sites and nested sub-folders in SharePoint.

Essentially, if only OneDrive is being presented to users through Foldr, then automated linking would provide a smoother user experience and remove the need to enter the Office 365 credentials the first time it was accessed.  If you intend you present SharePoint sites, then it would be recommended to use manual linking, unless the security permissions in place in Office 365 are flat across the organisation, with no granular access permissions.

Regardless of the account linking method used, the administrator can still control visibility of all storage locations (OneDrive, SharePoint libraries, Teams) using permissions in Foldr Settings >> Shares, specifying read/write access by user or group.

Integration Steps – Automatic Account Linking

Creating the App Registration in Azure

1. Log into the Microsoft Azure Portal at https://portal.azure.com using your administrative Microsoft account.
2. Select Azure Active Directory from the left hand panel.


3. Click Application Registrations >> New Application


4.  Give the application a suitable name, leave application type as web app / API and finally enter the public URL of the Foldr installation.

5.  Click Create.  You should receive a success / confirmation message within a few seconds.

Now find your new application in the App Registrations Panel and select it.
6.  Select Required Permissions in the Settings panel.

7.  Select + Add in the Required Permissions panel.


8.Click ‘Select an API

9. From within the Select an API screen, click Microsoft Graph and click the Select button.

10. Within the Graph API, enable the Application Permission ‘Read and write files in all site collections‘.  This is adequate to access OneDrive & SharePoint through Foldr.

Optional permissions required for Teams

If you also wish to present Microsoft Teams storage to users you should also enable the permissions at this stage:

Read directory data
Read all groups

The ‘Require Permissions’ panel will now show the updated delegated permissions.

11.  Click the button labelled ‘Grant Permissions

12.  Click ‘Yes‘ to the following dialog to grant permissions to all accounts in the directory.

13. On the App Registration main screen, make a note of the Application ID, this will be used later when creating the Microsoft service account in Foldr Settings.

14. The Application Key must now be created.  To do this click on the Keys item in the Settings panel.

15. In the Keys panel, enter a description, select an expiration and finally click Save at the top of the panel.

The application key is now displayed and must be noted (saved elsewhere) as it will not be accessible again.  The key will be required later when creating the Microsoft service account in Foldr Settings.  You are able to create additional replacements keys later, if required.

Creating the Microsoft Service Account

The Microsoft service account must now be created within General >> Service Accounts

The Application ID for the Foldr app registration shown in the Azure portal should be copied into the Client ID field.

The API Key shown in the Azure portal should be copied into Foldr Settings >> General >> Service Accounts >> Application Key.

The Tenant ID is mandatory should be obtained within the Azure portal, by clicking on the main Properties menu item for Azure Active Directory and copying the Directory ID.



Creating the Microsoft Office 365 service account

You must finally select the Active Directory User Attribute to match against the corresponding Office 365 account.  Typically, either the user’s UPN or email address will match the Office 365 email address used to identify their account.  If neither of these attributes match, you can select the ‘custom’ ption to build your own matching rule, such as %username%@office-365-domain.com

Click SAVE

Enable the OneDrive intergration & Change Background Account Access

Navigate to Foldr Settings >> Services >> OneDrive / Office 365

Enable OneDrive integration and select the service account.  Please note, as we are not using manual linking, you do NOT need to complete the Application ID or Key fields here

Enable OneDrive integration and select the Microsoft service account.

Please note, as we are not using manual linking, you do NOT need to complete the Application ID or Key fields here:
 

Adding the Global Share for OneDrive

A new Share should now be created for OneDrive under Foldr Settings >> Shares using the share path %onedrive% to present the users OneDrive storage  within the Foldr interface.  Give the share a suitable name, icon and any other options that are required.

Select the Microsoft service account on the OneDrive share configuration screen.

Do NOT enable the setting ‘Use service account for all access – Note – this has been moved to the ‘Advanced’ tab.’

Finally, Click SAVE.

The integration steps for automatic account linking and presenting OneDrive to users is now complete.  When a user signs into Foldr, their corresponding OneDrive storage should be presented to the user automatically.

Presenting SharePoint sites to Users

A new share should be created for each SharePoint site under Foldr Settings >> Shares using the Share URI:

%sharepoint%(tenant.sharepoint.com/site-name). Note if /sites/ is not in the SharePoint URL when viewed through O365 directly, it can be removed from the Share URI

The administrator can present the root SharePoint site for an organisation using the Share URI %sharepoint%

Select the Microsoft service account on the SharePoint share configuration screen.

Do NOT enable the setting ‘Use service account for all access – Note – this has been moved to the ‘Advanced’ tab.’

Finally, Click SAVE.

Presenting Teams storage to Users

A new share should be created for Teams under Foldr Settings >> Shares using the Share URI %teams% – note the additional Application permissions for Teams are required (Read directory data and read all groups).  All Teams storage will be displayed within this one storage location in Foldr.

Select the Microsoft service account on the SharePoint share configuration screen.

Do NOT enable the setting ‘Use service account for all access – Note – this has been moved to the ‘Advanced’ tab.’

 

Troubleshooting  – HTTPS / SSL inspection

Please ensure the following domains are excluded from HTTPS / SSL man-in-the-middle inspection on your firewall / web filter, as this will cause issues between the Foldr and OneDrive / SharePoint Online:

graph.microsoft.com
api.office.com
login.microsoftonline.com
{tenant}-my.sharepoint.com

i.e. company-my.sharepoint.com

 

Need more help?

Get in touch with our friendly help desk who will be happy to assist you, support@foldr.io