Add OneDrive / SharePoint Account
Connect a Microsoft OneDrive for Business or SharePoint location to PlaidCloud Document. You register an Entra (Azure AD) application, choose how much of your tenant it can reach, and PlaidCloud uses it to read and write files.
Choose an Access Model
Section titled “Choose an Access Model”Decide how much of your Microsoft 365 tenant the application can reach. This is the most important choice in the whole setup.
| Model | Graph application permission | What the app can reach | Choose when |
|---|---|---|---|
| Selected sites (recommended) | Sites.Selected |
Only the specific sites you explicitly grant | Any site holds sensitive data — payroll, HR, finance, PHI |
| All sites | Sites.Read.All (read) or Sites.ReadWrite.All (read + write) |
Every site in the tenant | No site is sensitive and you want the simplest setup |
Most organizations should choose Selected. If even one site holds sensitive information, tenant-wide access exposes it. With Sites.Selected the application can reach nothing until an administrator grants it to each named site, so sites you never grant stay completely out of reach.
Register the Application in Azure
Section titled “Register the Application in Azure”- Sign in to the Azure portal and go to Microsoft Entra ID → App registrations → + New registration.
- Enter a name (for example
PlaidCloud). - Under Supported account types, choose Accounts in this organizational directory only (single tenant — most common).
- Leave the Redirect URI blank and click Register.
- On the overview page, copy the Application (client) ID (your Client ID) and the Directory (tenant) ID (your Tenant ID).
- Go to Certificates & secrets → + New client secret, set a description and expiry, Add, and copy the secret Value immediately — it is not shown again.
Grant the API Permission
Section titled “Grant the API Permission”Add exactly one Microsoft Graph Application permission, matching the access model you chose:
- Selected sites:
Sites.Selected - All sites:
Sites.Read.All(read-only) orSites.ReadWrite.All(read + write)
Steps: API permissions → + Add a permission → Microsoft Graph → Application permissions → add the one permission above → Grant admin consent.
If you chose All sites, your setup is done — skip to Add the Account in PlaidCloud. If you chose Selected sites, grant the app to each site next.
Grant the App Access to Each Site (Selected Model)
Section titled “Grant the App Access to Each Site (Selected Model)”Sites.Selected grants the application no access on its own — a SharePoint or Global administrator must grant it to each site you want it to reach. There is no admin-center screen for this, so you use two Microsoft Graph calls in Graph Explorer. Because you grant sites one at a time, sensitive sites simply are never granted.
One-time setup. In Graph Explorer, signed in as a SharePoint/Global administrator, open the Modify permissions tab and click Consent on Sites.FullControl.All (this scope is what lets you set site grants). If a later query returns accessDenied, this consent is what’s missing — sign out and back in after consenting to refresh the token.
Step 1 — Find the Site ID
Section titled “Step 1 — Find the Site ID”List the sites in your tenant (method GET):
GET https://graph.microsoft.com/v1.0/sites?search=*&$select=displayName,webUrl,idOr resolve a single site directly by its URL:
GET https://graph.microsoft.com/v1.0/sites/contoso.sharepoint.com:/sites/TeamNameCopy the site’s id from the response — it has the form contoso.sharepoint.com,<guid>,<guid>.
Step 2 — Grant the App
Section titled “Step 2 — Grant the App”Set the method to POST against that site’s permissions collection (paste the id from Step 1):
POST https://graph.microsoft.com/v1.0/sites/{site-id}/permissionsOn the Request body tab, paste the following — set roles to ["read"] or ["write"], and use your app’s Application (client) ID:
{ "roles": ["read"], "grantedToIdentities": [ { "application": { "id": "your-client-id", "displayName": "PlaidCloud" } } ]}Run the query. A success returns a permission object with an id and your roles. Repeat Step 2 for each site you want PlaidCloud to reach. To review what a site has granted:
GET https://graph.microsoft.com/v1.0/sites/{site-id}/permissionsAdd the Account in PlaidCloud
Section titled “Add the Account in PlaidCloud”- Sign into PlaidCloud and select the workspace where the account will reside.
- Go to
Document→Manage Accounts→ + New Account. - Choose OneDrive as the Service.
- Enter a name and description, and choose a Security Model (leave
Privateif unsure). - Under Auth Credentials, paste the Client ID, Client Secret, and OneDrive Tenant ID from the app registration.
- In SharePoint Site URL, paste the URL of a site the app has been granted (for example
https://contoso.sharepoint.com/sites/TeamName). The Drive/Site list then shows that site’s document libraries — pick the one to use as the account’s root. This fills in the Start Path. - Select Save.