Automate MFT supports multiple authentication options to connect to OneDrive online. Each method requires you to register an application in Microsoft Entra ID (Azure AD) and configure permissions. This process allows Automate MFT to connect to your OneDrive tenant as an application, without requiring an interactive user logon. Each method is explained with step-by-step configuration instructions:
  • Certificate Access
  • App Access

Prerequisites

  • Microsoft Entra ID (Azure AD) set up: You must have an Azure Portal Admin account to access and manage Microsoft Entra ID settings.
  • Self-signed certificate (for Certificate Access):
    • Generate using OpenSSL or PowerShell.
    • RSA 2048 bits is the minimum key size.
    • The certificate with the private key is imported into the Keys and Certs library in Automate MFT. The public key (.cer) is uploaded to Entra.
    • You can also use a PFX file without a private key embedded.

Certificate Access

OneDrive authentication is available as Microsoft Entra ID authentication through the Certificate Access option.

Microsoft Entra ID set up
  1. Open the Microsoft Azure Portal. If it is the first time that you access the Azure portal with your account, you will have to register a new Azure subscription.
  2. Click Microsoft Entra ID > App registration, where you will find the list of Microsoft Entra ID applications registered in your tenant.
  3. Click New registration, provide a name for your application, such as Automate MFT OneDrive. Click Register.
  4. To add API permissions, click API permissions > Add a permission, and choose the permissions you want to grant to this application. You must have Graph > User.Read.All and then either Graph > Files.ReadWrite.All, Graph > Files.Read.All, or Graph > Sites.Selected.

    To save the permissions, click Add permissions.

  5. In the Grant Consent section, click the Grant admin consent for organization name button and confirm the action by clicking the Yes button that appears at the top.

    You must grant admin consent for each API added.

  6. To connect the certificate created in the prerequisites, click Certificates & secrets > Upload certificate. Select the .cer file you generated earlier and click Add to upload it.
  7. To confirm that the certificate was successfully registered, click Manifest in the left menu and search for the keyCredentials property. It should be similar to this JSON example:
      "keyCredentials": [
        {
          "customKeyIdentifier": "<$base64CertHash>",
          "endDate": "2021-05-01T00:00:00Z",
          "keyId": "<$guid>",
          "startDate": "2019-05-01T00:00:00Z",
          "type": "AsymmetricX509Cert",
          "usage": "Verify",
          "value": "<$base64Cert>",
          "displayName": "CN=<$name of your cert>"
        }
      ],
  8. To locate the Client (Application) ID and the Tenant (Directory) ID, navigate to Azure portal > Microsoft Entra ID > App registration > Overview.
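
The certificate prerequisite and the keyCredentials check in step 7, as an added shell example that is not part of the Automate MFT documentation: it creates an RSA 2048 self-signed certificate with OpenSSL, exports the .cer for upload, and prints the certificate hash to compare with customKeyIdentifier. The file names, CN and lifetime are placeholders, and it assumes customKeyIdentifier is the certificate's SHA-1 thumbprint, which may be displayed in base64 or in hex.

```bash
#!/usr/bin/env bash
# Added example. File names, CN and lifetime are placeholders.
set -eu

# make_cert DIR CN DAYS: RSA 2048 key + self-signed certificate in DIR.
make_cert() {
  # Subshell so the restrictive umask only applies to the files created here.
  (
    umask 077   # the private key is written unencrypted: owner-only access
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes \
      -days "$3" -subj "/CN=$2" \
      -keyout "$1/onedrive.key" -out "$1/onedrive.pem" 2>/dev/null
    # DER-encoded public certificate (.cer): the only file uploaded to Entra.
    openssl x509 -in "$1/onedrive.pem" -outform DER -out "$1/onedrive.cer"
  )
}

# key_bits PEM: public key size in bits (the page's minimum is 2048).
key_bits() {
  openssl x509 -in "$1" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# thumb_hex CER: SHA-1 thumbprint of the DER certificate, upper-case hex.
thumb_hex() {
  openssl dgst -sha1 -binary "$1" | od -An -tx1 | tr -d ' \n' | tr 'a-f' 'A-F'
}

# thumb_b64 CER: the same 20-byte hash, base64 encoded.
thumb_b64() {
  openssl dgst -sha1 -binary "$1" | openssl base64 -A
}

workdir=$(mktemp -d)
make_cert "$workdir" "automate-mft-onedrive" 365
echo "key size:          $(key_bits "$workdir/onedrive.pem") bits"
echo "thumbprint (hex):  $(thumb_hex "$workdir/onedrive.cer")"
echo "thumbprint (b64):  $(thumb_b64 "$workdir/onedrive.cer")"
# Validity window to compare with startDate / endDate in the manifest.
openssl x509 -in "$workdir/onedrive.pem" -noout -dates
```

A mismatch between the printed hash and the manifest entry means a different certificate was uploaded than the one whose private key will be imported into Automate MFT.
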
Create the OneDrive authentication method in Automate MFT
  1. Upload the certificate private key to the Keys and Certs library in Automate MFT.
  2. Create a OneDrive authentication method in Automate MFT with Authentication set to Certificate Access. For more information, see OneDrive authentication method.
  3. Enter the client id and tenant id, which can be found in Azure Entra ID’s App registration overview menu.
  4. Select the certificate from the dropdown list.

App Access

OneDrive authentication is available as Microsoft Entra ID authentication through the App Access option, which utilizes a secret rather than a certificate.

Microsoft Entra ID set up
  1. Open the Microsoft Azure Portal with an administrative account.
  2. Click Microsoft Entra ID > App registration, where you will find the list of Microsoft Entra ID applications registered in your tenant.
  3. Click New registration, provide a name for your application and click Register.
  4. To add API permissions, click API permissions > Add a permission, and choose the permissions you want to grant to this application. You must have Graph > User.Read.All and then either Graph > Files.ReadWrite.All, Graph > Files.Read.All, or Graph > Sites.Selected.

    To save the permissions, click Add permissions.

  5. In the Grant Consent section, click the Grant admin consent for organization name button and confirm the action by clicking the Yes button that appears at the top.

    You must grant admin consent for each API added.

  6. To create a new Client secret, click Certificates & secrets > Generate secret. Copy the secret value immediately, as it is only accessible immediately after generation and is required to configure the authentication method in Automate MFT.
  7. To locate the Client (Application) ID and the Tenant (Directory) ID for the app registration, navigate to Azure portal > Microsoft Entra ID > App registration > Overview.
Create the OneDrive authentication method in Automate MFT
  1. Create a OneDrive authentication method in Automate MFT with Authentication set to App Access. For more information, see OneDrive authentication method.
  2. Enter the client id and tenant id, which can be found in Azure Entra ID’s App registration overview menu.
  3. Enter the client secret that was generated for the App registration.