Connect Multi FileFeeds to Microsoft 365 (SharePoint / OneDrive)

Availability: Multi FileFeeds with the WorkflowsAzureSharepointSource and/or WorkflowsAzureSharepointDestination features enabled.

This guide walks through four things:

The one-time tenant setup that a Microsoft 365 admin in your organization runs once: granting admin consent for the OneSchema FileFeeds Connection app and allowlisting the specific SharePoint sites OneSchema may read from or write to.
Connecting your Microsoft 365 account in OneSchema (an OAuth click-through that produces a per-user delegated token).
Using that connection as a source on a Multi FileFeed, so OneSchema polls a SharePoint folder or OneDrive folder on a schedule and ingests new files.
Using that connection as a destination on a Multi FileFeed, so OneSchema writes processed output files into a drive folder.

A single Microsoft 365 connection can back both directions — you do not need separate connections for source and destination usage.

Terminology

Term	Direction	Meaning
Microsoft 365 source	Your drive folder → OneSchema	A polling configuration on a Multi FileFeed. OneSchema lists and ingests matching files on a schedule.
Microsoft 365 destination	OneSchema → your drive folder	A write configuration on a Multi FileFeed. OneSchema writes each output file into your drive's chosen folder.
Microsoft 365 connection	Shared connection object	A saved OneSchema connection holding a per-user delegated OAuth token for one of your Microsoft 365 users.
OneSchema FileFeeds Connection app	Multi-tenant Entra ID application registered by OneSchema	The third-party app your tenant consents to. OneSchema does not register a separate app per customer; every customer connects to the same multi-tenant Entra app.
Sites.Selected	Microsoft Graph permission scope	A narrow permission model: the app has no access to any site by default. A tenant admin explicitly allowlists each site OneSchema may use.
SharePoint site / OneDrive drive	Microsoft 365 surface	Two flavors of file storage. SharePoint sites are shared team libraries; OneDrive for Business is the per-user equivalent. OneSchema's picker supports both.

How it works

OneSchema's Microsoft 365 integration uses delegated OAuth with the Sites.Selected scope. In plain language, that means two things:

Per-user token. When a user in your organization clicks Connect in OneSchema, they sign in to Microsoft and grant the OneSchema FileFeeds Connection app a refresh token. OneSchema stores that token and uses it to call Microsoft Graph on the user's behalf. The user can revoke the token at any time by disconnecting in OneSchema or removing the app from their Microsoft account.
Admin allowlist per site. Sites.Selected means the app has no SharePoint access by default — not even sites the user can otherwise read. A tenant admin must explicitly grant the app read (and optionally write) access on each SharePoint site OneSchema should see. This is run-once-per-site, not run-once-per-user.

sequenceDiagram
    participant Admin as Tenant admin (one-time)
    participant Graph as Microsoft Graph
    participant Site as SharePoint site
    participant User as End user
    participant OS as OneSchema

    Note over Admin,Site: One-time per tenant
    Admin->>Graph: Admin consent for OneSchema FileFeeds Connection app<br/>(scopes: Sites.Selected, offline_access)
    Admin->>Graph: POST /sites/{site-id}/permissions<br/>(grant app read [+write])
    Graph->>Site: App is now allowlisted on this site

    Note over User,OS: Per user
    User->>OS: Click "Connect" → redirected to Microsoft
    User->>Graph: Sign in + accept consent prompt
    Graph-->>OS: Authorization code → access + refresh tokens
    OS->>OS: Store delegated token<br/>(per-user credential)

    Note over OS,Site: Per MFF run
    OS->>Graph: GET /sites/{id}/drives, /items, downloadable content<br/>(bearer = user's token)
    Graph-->>OS: Folder listing / file bytes
    OS->>OS: Ingest into MFF import

A few things follow from this design:

No long-lived secrets on either side. OneSchema never sees your tenant's app secrets; you never copy a service-principal credential to OneSchema. The app's client ID and secret live with OneSchema centrally; tokens are issued per user via OAuth and rotated automatically via refresh tokens.
Per-site auditability. Because Sites.Selected requires an explicit per-site grant, your security team can answer "which SharePoint sites can OneSchema read?" by listing the app's site grants in Microsoft Graph — there's nothing implicit.
One Entra app for all customers. OneSchema FileFeeds Connection is a multi-tenant Entra app registered in OneSchema's tenant. Customers consent to it; they don't register their own. This is the standard Microsoft 365 SaaS integration pattern.

Prerequisites

You will need:

Requirement	Notes
Admin role in OneSchema	Required to create or edit connections.
Microsoft 365 connection feature enabled	If you do not see SharePoint/OneDrive options on the Multi FileFeed source or destination picker, contact your OneSchema representative.
A Microsoft 365 tenant	The Entra ID tenant that owns the SharePoint sites or OneDrive for Business accounts you want OneSchema to use. (OneDrive Personal — the consumer product — is not supported.)
An Entra ID admin in your tenant	Specifically: Global Administrator, Cloud Application Administrator, or Application Administrator. Required for the one-time consent and per-site permission grants. Not the same as an Azure subscription admin.
The SharePoint site ID for each site OneSchema should access	Microsoft Graph–style site ID. The admin runbook below explains how to look it up.
The OneSchema FileFeeds Connection app's client ID	A public identifier. OneSchema embeds it directly in the picker, in the inline admin-runbook snippet, when you create a SharePoint target — your admin can copy it from there.

Step 1 — One-time tenant setup (Microsoft 365 admin)

This step is run once per tenant, by an Entra ID admin. After it's done, any user in your organization can connect their account in OneSchema without re-running it.

Step 1a — Grant admin consent for the OneSchema app

In the Azure Portal:

Entra ID → Enterprise applications
  → search "OneSchema FileFeeds Connection"
  → Permissions
  → Grant admin consent for <your tenant>

If the app doesn't appear in Enterprise applications, have a user in your tenant click Connect in OneSchema once — that triggers Microsoft to provision the service-principal entry. Cancel out of the consent screen if needed; you only need the entry to appear. Then re-run the consent step as the admin.

The scopes being consented:

Scope	What it grants
`Sites.Selected`	The app can act on specifically allowlisted sites only — no broad SharePoint access.
`offline_access`	OneSchema can refresh expired access tokens without forcing the user to re-authenticate hourly.

Sites.Selected alone gives OneSchema access to zero sites. That's intentional; step 1b is what actually grants per-site access.

Step 1b — Allowlist each site OneSchema should access

For each SharePoint site you want OneSchema to read from or write to, the tenant admin runs two Microsoft Graph calls.

The OneSchema picker also embeds these calls inline (with your tenant and OneSchema's app client ID pre-filled) — click Need to allowlist a site for OneSchema? (admin-only setup) in the SharePoint target form to copy them straight from the UI. Below is the same flow in long form.

Find the site ID:

GET https://graph.microsoft.com/v1.0/sites/{tenant}.sharepoint.com:/sites/{site-path}

Substitute {tenant} with your tenant's SharePoint prefix (e.g. oneschemainc in oneschemainc.sharepoint.com) and {site-path} with the site's URL slug (e.g. engineering in /sites/engineering). The response includes an id field — that's the site ID OneSchema needs.

Grant the app access:

POST https://graph.microsoft.com/v1.0/sites/{SITE_ID}/permissions
Content-Type: application/json

{
  "roles": ["read"],
  "grantedToIdentitiesV2": [
    {
      "application": {
        "id": "<ONESCHEMA_APP_CLIENT_ID>",
        "displayName": "OneSchema FileFeeds Connection"
      }
    }
  ]
}

Replace <ONESCHEMA_APP_CLIENT_ID> with the client ID shown in the OneSchema picker. For a destination — where OneSchema writes back to the site — use "roles": ["read", "write"] instead.

You can run both calls from Microsoft's Graph Explorer, from PowerShell with the Microsoft.Graph module, or from any tool that handles Entra ID auth. The admin running them needs an Entra role with permission to manage site permissions (Global Administrator covers it; SharePoint Administrator alone does not — site-permission grants require Microsoft Graph permissions that aren't automatic for SharePoint Admins).

Repeat per site. OneDrive for Business drives don't require this step — they're per-user, and a user's delegated token already covers their own OneDrive without site-level allowlisting.

Step 2 — Connect a Microsoft 365 account in OneSchema

This step is run per user, by anyone in your organization who will configure a SharePoint source or destination.

In OneSchema, edit a Multi FileFeed and open the Source (or Destination) section. Choose Microsoft 365 (SharePoint / OneDrive) as the type. If no account is connected yet, you'll see a Connect Microsoft 365 button.

Click it. You'll be redirected to Microsoft's login page. Sign in with the account you want OneSchema to use, accept the consent prompt, and you'll land back in OneSchema with the picker now showing your drive contents.

A few notes on which account to use:

The account's permissions matter. OneSchema can only see sites the user can see (filtered by the admin allowlist from step 1b). If you connect with a user who lacks access to the "Finance" site, the picker won't show it — even if the app is allowlisted on that site.
The connected user owns the access. If that user leaves the organization, the connection breaks until someone else connects with another account. For long-lived workflows, consider connecting with a service account or a shared mailbox that won't depend on one employee.
Re-using one connection across users. A connection is currently per-user. Multiple users in your organization can each connect their own account; each MFF then points at one of those connections.

Step 3 — Use SharePoint / OneDrive as a source on a Multi FileFeed

A Microsoft 365 source tells OneSchema to poll a SharePoint folder or OneDrive folder on a schedule, find new files matching a filter, and ingest them into Multi FileFeed imports.

In the source form, fill in:

Field	Required	Notes
Drive type	✓	SharePoint site (shared team site) or OneDrive (your personal OneDrive for Business). Different pickers appear depending on the choice.
SharePoint site URL	for SharePoint	Paste the full URL of the site, e.g. `https://your-tenant.sharepoint.com/sites/your-site`, and click Look up site. OneSchema resolves the URL against Microsoft Graph and confirms which site you selected. See Why you paste a URL instead of searching below.
Drive	✓	The document library inside the site (or, for OneDrive, your own drive). Most SharePoint sites have a single "Documents" library; some have several.
Folder	✓	The folder OneSchema should poll. Use the breadcrumb navigator to drill in; the resolved folder's item ID is what gets saved.
File filter	optional	Case-insensitive POSIX regular expression applied to file names within the folder. Leave blank to ingest every file. Example: `.\.xlsx$` matches all Excel files; `^orders_.\.csv$` matches CSVs starting with `orders_`.
Pull frequency	for auto-polling	Either Daily (pick an hour and minute in UTC) or Hourly (pick a minute in UTC). Leave unset to require manual pulls only.

Why you paste a URL instead of searching

OneSchema's app uses the narrow Sites.Selected permission scope (see How it works). Microsoft Graph's /sites?search=… endpoint can't enumerate sites under that scope — it requires the broader Sites.Read.All permission, which would defeat the per-site allowlist model. Paste-by-URL hits /sites/{host}:{path} directly, which does work under Sites.Selected once the admin has allowlisted the specific site.

Deep links work fine: if you paste a document URL like https://your-tenant.sharepoint.com/sites/your-site/Shared Documents/file.xlsx, OneSchema strips everything after the site slug and resolves the parent site.

Behavior to know about

Polling order. OneSchema lists items by Microsoft Graph's default order — generally most-recently-modified first within each folder. Don't rely on a specific ordering for downstream logic.
Deduplication is exact. OneSchema tracks every file it has ingested by (drive_id, item_id, ctag) — the ctag (content tag) changes whenever the file's content is edited. Re-saving a file in SharePoint creates a new ctag, which OneSchema treats as a new ingestion.
Maximum file size: 1 GiB. Files larger than this are skipped, and the source surfaces a failure status on its next run until the offending file is removed or its size brought under the limit.
Folder navigation does not recurse. OneSchema polls only the specific folder you selected, not subfolders. If your producer drops files into nested subfolders, configure a separate source per subfolder or flatten the layout upstream.
Manual pulls. A source with no Pull frequency set is only ever polled when you click Pull from sources in the Multi FileFeed canvas.

Step 4 — Use SharePoint / OneDrive as a destination on a Multi FileFeed

A Microsoft 365 destination tells OneSchema to write the processed output files of a Multi FileFeed run into a drive folder. There is no polling and no filter — the destination simply receives whatever the run produces.

The destination picker has the same shape as the source picker (Drive type → Site → Drive → Folder), but with two differences:

No File filter. Filenames are determined by the Multi FileFeed run (see Default vs. custom output filenames in the Destinations overview).
No Pull frequency. Destinations run after each successful import, on the import's schedule rather than their own.

Behavior to know about

Allowlist permission needed: write. When the tenant admin allowlisted the site in step 1b, make sure they used "roles": ["read", "write"] rather than just "read". Read-only allowlists work for sources but block destinations.
Existing files in the destination folder. If an output file's name collides with an existing item in the folder, OneSchema replaces the existing item using Microsoft Graph's conflictBehavior: replace. Microsoft 365 typically retains the prior version under the site's Version history; OneSchema does not enforce this — it depends on the site's versioning policy.
Filename safety. OneSchema strips newlines and tabs from output filenames before writing; characters that SharePoint rejects (e.g. <, >, :, ", /, \, |, ?, *) come from your filename pattern and should be sanitized there.
Large files use upload sessions. Files larger than 4 MiB are uploaded in chunks via Microsoft Graph's upload-session API, with automatic retry on rate-limit (429) responses. You don't configure anything for this; it just works.

Troubleshooting

Symptom	Likely cause	What to check
Sign-in works but the consent screen says "Need admin approval"	Your tenant requires admin consent for unverified third-party apps, and step 1a hasn't been completed.	Have an Entra ID admin grant admin consent for the OneSchema FileFeeds Connection app once. Then retry.
Look up site returns "OneSchema does not have access to this SharePoint site. Ask your admin…"	Step 1a is done but step 1b (per-site allowlist) hasn't been done for this specific site.	Have an admin run the `POST /sites/{id}/permissions` call for the site, with the OneSchema FileFeeds Connection app's client ID. The picker's inline admin-runbook panel has the exact snippet.
Look up site returns "Invalid SharePoint URL" or "SharePoint URL must…"	The URL you pasted isn't recognized as a SharePoint site URL.	Verify the URL is `https://{tenant}.sharepoint.com/sites/{name}` or `…/teams/{name}`. Non-https URLs, non-`sharepoint.com` hosts, and URLs without a `/sites/` or `/teams/` path segment are rejected client-side before any Graph call is attempted.
Look up site returns "SharePoint URL contains invalid percent-encoding…"	The pasted URL has a malformed `%XX` sequence (e.g. `%ZZ`).	Re-copy the URL straight from the SharePoint address bar — browsers always produce valid encoding. If you typed it by hand and used `%`, make sure every `%` is followed by two hex digits.
Drive picker is empty after selecting a site	The site has no document libraries with files, or the per-site allowlist used `roles` other than `read` / `write` (e.g. `owner`, which Graph rejects).	Verify the site has a Documents library. Re-run step 1b with `"roles": ["read"]` (or `["read", "write"]` for destinations).
Source pulls succeed for one file but the next file fails with Permission denied	Per-file permission overrides on SharePoint can revoke the app's read access on a specific item even when the site is allowlisted.	Confirm the file's effective permissions in SharePoint — look for explicit "Stop sharing" entries on the item.
Destination upload fails with Permission denied while source listing succeeds	The site is allowlisted with `read` but not `write`.	Have an admin re-run `POST /sites/{id}/permissions` with `"roles": ["read", "write"]` for the same site, or use Microsoft Graph's `PATCH /sites/{id}/permissions/{permId}` to update the existing grant.
Connection works for hours then suddenly fails with Authorization is missing or expired	The user disconnected the app from their Microsoft account, their account was disabled, or the refresh token has been invalidated by conditional access.	The connected user re-runs Connect Microsoft 365 in OneSchema. A new refresh token is issued.
Files dropped into a subfolder of the configured source folder are never ingested	Source folders are non-recursive.	Either configure an additional source pointing at the subfolder, or have the upstream producer drop files into the configured folder directly.
File never ingested even though it's in the configured folder	File name doesn't match the File filter regex, file size exceeds 1 GiB, or the file is in a `ctag` OneSchema has already ingested under the same id.	Test the regex independently. Confirm size. Re-saving the file in SharePoint generates a new `ctag`, which causes a fresh ingestion.

Limits and behavior

Constraint	Value
Auth	Delegated OAuth (per-user). Refresh tokens rotate automatically. No long-lived service-principal secrets stored at the customer side.
App scopes	`Sites.Selected` + `offline_access`. The narrow `Sites.Selected` requires per-site allowlist grants.
Tenant-side prerequisites	One-time admin consent for the multi-tenant OneSchema FileFeeds Connection app. Per-site `POST /sites/{id}/permissions` grant for each site.
Maximum source file size	1 GiB per item.
Source polling cadence	Daily (hour + minute UTC), hourly (minute UTC), or manual-only.
Source file matching	Case-insensitive POSIX regex applied to file names within the configured folder.
Source folder recursion	Non-recursive. Only the configured folder is polled.
Source deduplication	By `(drive_id, item_id, ctag)`. Editing a file in SharePoint creates a new `ctag` and triggers re-ingestion.
Destination output path	`{drive}:/{folder}/{file_name}` — folder is the picker selection; file name is from the MFF run.
Destination overwrite behavior	Replace via `conflictBehavior: replace`. Prior versions are retained per the site's Version history policy.
Destination upload mechanism	≤4 MiB: single PUT to `/content`. >4 MiB: Graph upload session, chunked, with automatic 429 retry.
Supported surfaces	SharePoint Online team-site document libraries; OneDrive for Business per-user drives. Not supported: OneDrive Personal (consumer accounts).