At line 1 added one line |
\\ |
At line 3 added 17 lines |
\\ |
__Microsoft Graph REST API__ based integration. ([Working with files in Microsoft Graph Link|https://learn.microsoft.com/en-us/graph/api/resources/onedrive?view=graph-rest-1.0])\\ |
CrushFTP supports both __OneDrive Personal__ (Designed for individual users to store personal files, photos, and documents.) and __OneDrive for Business__ ([Microsoft OneDrive service description Link|https://learn.microsoft.com/en-us/office365/servicedescriptions/onedrive-for-business-service-description]) account types.\\ |
\\ |
---- |
__⚠️ Proxy Configuration:__ If your server accesses the internet through a proxy, make sure to whitelist the following domains to allow authentication and Microsoft Graph API access:\\ |
• __login.microsoftonline.com__\\ |
• __graph.microsoft.com__\\ |
---- |
\\ |
Start at the __Microsoft Azure Portal__: [Link|https://azure.microsoft.com/en-us/features/azure-portal/]\\ |
__Application registration:__ Navigate to App registrations in the Azure Portal. Click on __New registration__ to create a new application.\\ |
\\ |
[SharePoint Integration/new_registration.png]\\ |
\\ |
In the Redirect URI section, for Platform configuration, select __Web__. The Redirect URL must end with __register_microsoft_graph_api/__\\ |
{{{ |
At line 3 changed one line |
__!!!Constraint:__ Microsoft Graph REST API does not support stream upload. In order to integrate with CrushFTP the files are temporary stored as local file (CrushFTP install folder/onedrive/) during the upload.\\ |
http://localhost:9090/register_microsoft_graph_api/ |
or |
https://your.crushftp.domain.com/register_microsoft_graph_api/ |
|
}}}\\ |
At line 5 changed 2 lines |
It is Microsoft Graph REST API based integration.\\ |
__Proxy__: If your server's internet connection uses proxy server. You need to whitelist domains : login.microsoftonline.com, graph.microsoft.com\\ |
__Secret key__: A new client secret must be created. Go to __Certificates & secrets__, and generate a new client secret by clicking on __New client secret__. ⚠️ Ensure you copy over the __value__ immediately!\\ |
At line 8 changed 2 lines |
You will start at the Microsoft azure portal:\\ |
[https://azure.microsoft.com/en-us/features/azure-portal/]\\ |
[SharePoint Integration/new_secret.png]\\ |
At line 11 changed one line |
__Application registration: __Go to the App registrations and click on New registration:\\ |
[SharePoint Integration/secret_value.png]\\ |
At line 13 changed one line |
[attachments|new_registration.png]\\ |
!1. OneDrive Business Type\\ |
At line 15 changed one line |
Name it. Select the Multitenant and personal Microsoft accounts type. The redirect url must ends with: register_microsoft_graph_api/. Then click on register.\\ |
About __Microsoft Graph Permission__ see more details at [Link|https://learn.microsoft.com/en-us/graph/permissions-overview?tabs=http]\\ |
At line 17 changed one line |
[attachments|register_app.png]\\ |
__Permission: Files.ReadWrite.All (Application permission):__ Read and write files in all site collections. This permission allows the application to access and manage files across your entire organization’s OneDrive and SharePoint—even without a user being signed in. It’s used for background services or automated tasks (like syncing or backups) that need to run without user interaction.\\ |
⚠️ Because this permission grants broad access to all users’ files, it requires admin consent.\\ |
At line 19 changed one line |
Under the redirect url configuration enable the __Access Token__ to be issued by the authorization endpoint:\\ |
[attachments|ms_graph_app_permission.png]\\ |
At line 21 changed one line |
[attachments|SMTP Microsoft Graph XOAUTH 2 Integration/enable_access_token.png]\\ |
__⚠️ Grant __Admin consent__ for the newly added permission.\\ |
At line 23 changed one line |
__API permission :__ You also need to provide permission for the Microsoft Graph. Go to the Api permission. Click on Add permission, select Microsoft Graph. Choose Delegated permission and add the "Files.ReadWrite.All" permission:\\ |
[SharePoint Integration/app_permission_admin_consent.png]\\ |
At line 25 changed one line |
[attachments|permission_microsoft_graph.png]\\ |
__Client Id : __ You can find it at Azure portal -> App Registration -> Overview: Application (client) ID)\\ |
\\ |
[attachments|client_id.png]\\ |
\\ |
__OneDrive Business Type remote connection settings:__\\ |
\\ |
__Username:__ It must start with __app_permission__, followed by the __Client ID__:Azure portal -> App Registration -> Overview: Application (client) ID), separated by a tilde (~). |
{{{ |
app_permission~<<Client ID>> |
}}}\\ |
__Password:__ Client Secret. (See at App Registration -> Manage -> Certificates & secrets)\\ |
__Tennant:__ Tenant Id. (See at App Registration -> Overview -> Directory (tenant) ID)\\ |
__User id or User principal name:__ Provide the user's ID or the user principal name (UPN).\\ |
\\ |
[attachments|remote_item_app_permission.png]\\ |
\\ |
!2. Ondrive Personal Type\\ |
\\ |
__⚠️ Constraint:__ The __Microsoft Graph REST API__ does not support direct __stream uploads__. To integrate with CrushFTP, files are temporarily saved as local files in the __onedrive/__ folder within the CrushFTP installation directory during the upload process.\\ |
\\ |
__Permission: Files.ReadWrite.All (Delegated)__ : Have full access to all files user can access. This permission allows the application to view, edit, upload, and delete any files that you (the signed-in user) have access to in OneDrive or SharePoint.\\ |
The application acts on your behalf, using your permissions—so it can only access the files you can normally access. ⚠️ It does not give the app access to files you don’t have access to.\\ |
\\ |
[attachments|ms_graph_delegated.png]\\ |
\\ |
At line 32 changed one line |
__Secret key :__ A new client secret needs to be created as well. Go to the "Certificate & secrets" and generate a new secret key. Click on New client secret:\\ |
__OneDrive Personal Type remote connection settings:__\\ |
At line 34 changed 2 lines |
[attachments|new_secret.png]\\ |
[attachments|secret_value.png]\\ |
__⚠️ Important__: To obtain the __Refresh Token__, the CrushFTP WebInterface’s host and port must match the __Redirect URL__ specified in the __Azure App Registration__. In our example, it was: http://localhost:9090 or https://your.crushftp.domain.com/\\ |
At line 37 changed one line |
__OneDrive remote item settings:__\\ |
Select the __OneDrive__ item type and click the __Get Refresh Token__ button. Provide the __Client ID__(See at App Registration -> Overview -> Application (client) ID), __Client Secret__(See at App Registration -> Manage -> Certificates & secrets), and __Tenant__: __consumers__ or __common__.\\ |
At line 39 removed 4 lines |
__!!! CrushFTP admin page url must match with the redirect url.__ In our example: http://localhost:9090\\ |
\\ |
Select OneDrive item type click on "Get Refresh Token" button. Provide the Client ID and Client Secret, and Tenant (in almost all case it is just: common): \\ |
\\ |
At line 45 changed one line |
Click on "OK" button, log in with your azure credentials, allow CrushFTP to have access to your OneDrive files. After that the form will disappear and the username and password will be filled. Done.\\ |
Click the __OK__ button, sign in with your Azure credentials, and grant CrushFTP access to your __OneDrive__ files.\\ |
__⚠️ Important__: Be sure to sign in with the __Microsoft Account__ that has the __necessary permissions__, as configured in the Azure App Registration mentioned above. |
After authorization, the form will close, and the username and password fields will be automatically filled. You’re done!\\ |