Foldr provides integration with Office 365 to allow OneDrive for Business and SharePoint Online sites to be presented in the Foldr interface. Foldr can also provide access to the document storage locations that are available to users through Office 365 Teams.
Active Directory accounts may be automatically linked to Office 365 accounts and the corresponding OneDrive &/or SharePoint sites can be presented in the Foldr interface. Users can alternatively link a Microsoft Office 365 accounts manually. Manual linking will present a pop-up dialog requesting the user’s Microsoft account credentials the first time they try to access OneDrive, SharePoint Online or a Teams share in Foldr.
Once an Office 365 account is linked in Foldr, a user can edit any on-premise or cloud hosted Office files in Office Online (browser-based app versions of Word, Excel & PowerPoint). Collaborative editing is also possible through Office Online with 365 hosted documents.
Automatic Account Linking vs Manual Account Linking? (Service Accounts vs No Service Accounts)
The administrator should firstly decide which of the two Office 365 integration / account linking methods is to be used in the Foldr deployment, as there are pros and cons to to both. These two integration methods are referred to as ‘automatic’ or ‘manual’ (Office 365) account linking. The former uses service accounts to impersonate users and provision access to Office 365 locations, and the latter does not use a service account and uses authentication tokens that are specific for that user.
Automated account linking also uses service accounts set on each Office 365 location (OneDrive, SharePoint etc) in the administrative Foldr Settings > Files & Storage backend interface to provide immediate access to OneDrive, Teams or SharePoint sites with no additional effort from the user. As soon as the user signs in, the configured Office 365 locations are accessible.
Due to limitations in the Microsoft Azure Graph API, it is not currently possible to fully ‘impersonate’ a users permissions using service accounts / automatic account linking. As such, when using automatic linking/service accounts, Foldr uses backend service account to access the cloud storage location, rather than the credentials/permissions relevant to the signed in user. Essentially, if only OneDrive is being presented to users through Foldr, then automatic account linking (and using a service account in Foldr Settings > File & Storage > OneDrive > Access tab to access it) works well and would provide a quick/easy user experience, removing the need to enter the Office 365 credentials the first time OneDrive is accessed via Foldr.
However, if you intend you present SharePoint sites (or Teams), then it is generally recommended to not use auto linking/service accounts and instead use manual linking (no service accounts) as described in this article.
Manual account linking allows Foldr to respect the signed in users Office 365 permissions. Automatic account linking using service accounts does not.
When using Manual account linking in Foldr for Office 365, organistations can also benefit from being able to use the Teams storage adapter (%teams% or %teamsedu%) to present a single location in Foldr and only the relevent Teams channels that a user has access to are automatically presented to the user. Should the Foldr administrator use the Teams storage adapter with AUTOMATIC linking (using service accounts) ALL TEAMS would be presented to ALL USERS. This is generally not desirable for most organisations.
Regardless of the account linking method used, the administrator reatins the ability to control visibility of the top-level storage locations (OneDrive, SharePoint sites/libraries) using permissions in Foldr Settings > Files & Storage, specifying read/write and allow/deny access by user or group.
Linking the Office 365 account
When using manual account linking and Foldr, the first time a user accesses any Office 365 location via the Foldr web app, they will be prompted to ‘link’ their account by signing into the familiar Office 365 Microsoft Online web interface in a new tab. Once the account is linked, Office 365 storage is accessible and providing the user continues to periodically access 365 locations via Foldr, they will not need to link their account again. The Office 365 authentication tokens that Foldr uses/stores on the server expire after 90 days of inactivity. Should a user not use Foldr for accessing Office 365 locations, they can easily unlink and relink their account via the web, mobile or desktop apps.
Once an Office 365 account has been linked in Foldr via one app, it is automatically linked in all other Foldr apps.
Windows app – Account linking user experience
Integration Steps – Manual Account Linking
Creating the App Registration in Azure
1. Log into the Microsoft Azure Portal at https://portal.azure.com using your administrative Microsoft account.
2. Select Azure Active Directory from the left-hand panel.
3. Click App Registrations.
4. Click New registration.
5. Give the application a suitable name, and click REGISTER. In most cases the supported account type can be left as default (top radio button)
6. The app summary / configuration screen will be show. Click Authentication.
7. Click + Add a platform and select Web.
Add a Redirect URI (Reply URL) using the format:
https://address-of-foldr/services/microsoft/connect
The Redirect URI / Reply URL must be the public address of the Foldr installation appended with /services/microsoft/connect as shown in the example below
8. Click CONFIGURE.
9. Click Certificates & secrets > New client secret.
10. Enter a description, select a suitable expiration lifetime, and finally click ADD.
11. The new client secret will be displayed.
IMPORTANT – You should take a copy of the key at this point as you cannot retrieve it again later, however new keys can be generated later, if required.
12. Click API Permissions > Add a permission
13. Select Microsoft Graph
14. Click Delegated Permissions.
15. Select the following permissions from the Directory and Files sections:
Directory.Read.All
Files.ReadWrite
Files.ReadWrite.All
Optional 1 – To allow Foldr (web and mobile apps) to create Teams channels by way of folder creation inside the root of a Team add the following permission:
Channel.Create
Optional 2 – In addition to the above permission, if users need to create channels using the Foldr desktop apps (Windows / macOS) the additional permission is required as the ability to rename channels is needed:
ChannelSettings.ReadWrite.All
16. Click Add Permissions at the bottom of the screen.
17. The permissions will be shown in the summary below displaying the selected new delegated permissions.
18. Click the GRANT ADMIN CONSENT button.
19. Click Yes on the confirmation prompt.
20. A success message will then be shown
21. Click on Overview and take a copy of the Application (client) ID and Directory (tenant) ID. These will be required later when enabling the integration on the Foldr appliance.
Enabling the Office 365 integration in Foldr
The Office 365 integration should now be enabled and the Application ID, Client secret and Directory ID, should be copied into the relevant the fields within:
Foldr Settings >> Integrations >> Microsoft Azure >> Client ID | Application Key | Tenant ID
Client ID = Application (client) ID in Azure
Application Key = Client secret in Azure
Tenant ID = Directory (tenant) ID in Azure
Example settings shown below for Office 365 Manual Account linking.
Finally, Click SAVE CHANGES.
Adding the Share for OneDrive
A new share should be created for OneDrive under Foldr Settings >> Files & Storage using the Share URI %onedrive%
Presenting SharePoint sites to Users
A new share should be created for each SharePoint site under Foldr Settings >> Files & Storage using the Share URI:
%sharepoint%(tenant.sharepoint.com/sites/site-name)
Note if /sites/ is not in the SharePoint URL when viewed through O365 directly, it can be removed from the Share URI
To present the organisation’s root/default SharePoint site, using the Share URI %sharepoint%
Presenting Teams storage to Users
A new share can be created for Teams under Foldr Settings >> Files & Storage using the Share URI %teams% or %teamsedu%
Note – %teamsedu% enables support for the ‘Class Materials’ document library/folder that Office 365 education customers receive automatically in each Office 365 Teams Channel.
This storage adapter should only be used with the manual account linking integration on this page – it is not recommended for use wit the automatic account linking Office 365 integration.
Presenting Shared Office 365 items to Users
Foldr is able to present items that have been shared with them using the native sharing tools in Office 365. Shared items can be displayed in a dedicated share/storage item within My Files or alternatively a ‘Shared with Me’ directory can be displayed inside a user’s OneDrive and all shared items will be availabe inside.
To create a dedicated share for Office 365 shared items, create a new share within Foldr Settings > Shares & Storage and set the Share URI to %onedriveshared%
To present a users OneDrive with a ‘Shared with Me’ folder in the root of OneDrive, create a share and set the Share URI to %onedrivewithshared%
User Experience – Linking the Office 365 account (Web app)
OneDrive, SharePoint & Teams storage icons will be visible to users immediately in the web app before they link their account. Once they click one of the Office 365 storage locations, they will be prompted to link their account and enter their Office 365 credentials.
i.e. The user clicks the OneDrive item and is prompted as below to authenticate with Office 365 in a new tab.
The account is then linked, and OneDrive storage should be browsable in any of the Foldr apps and all Office documents can be edited in Office Online.
Alternatively, a user can link and unlink their Microsoft accounts when logged into the Foldr web app using the menu item ‘Me’ > Services. This is available top right menu of the interface or the left-hand panel.
Click Services > OneDrive/Office 365
Click ‘LINK ACCOUNT’ and you will be prompted to sign in at Microsoft Online.
The account is then linked, and OneDrive storage should be available in any of the Foldr apps and Office documents can be edited in Office Online from on-premise shares or OneDrive / SharePoint. Users can unlink their Microsoft Account at any time from the Services menu shown above.
The integration for Office 365 is now complete.
Document Editing in Office Online
Now that the Office 365 integration has been configured, users are able to utilize the web-based Office apps to edit either on-premise or cloud-based documents from the Foldr web app.
Example – Edit a word document held on on-premise / local SMB share in Office (Word) Online.
The user selects the document in the Foldr web app, clicks Edit with Office Online. A new browser tab will open and the document will open within the relevant web-based Office 365 web app ready for editing
Web based version of Word (Word Online)
If the source document resides on OneDrive, the user is working natively/directly as if they were signed into Office 365 natively. Any changes are saved automatically when the browser tab is closed and other features in 365 such as collaborative editing will function as normal.
If the original document was hosted elsewhere, such as an on-premise SMB share, the user will be prompted to either or discard or save changes when the Office Online tab is closed. When the user clicks Yes in this prompt the file is downloaded back from Office 365 and saved into its original location, overwriting this original file.
