Microsoft Entra ID app access for OneDrive and SharePoint Online
- Last Updated: May 28, 2026
- MOVEit Automation
- Version 2026
- Documentation
MOVEit Automation accesses OneDrive and SharePoint Online through Microsoft Graph APIs, which are secured using permissions defined in the Microsoft Entra ID app registration. This topic uses the Sites.Selected permission, which limits the app to only the OneDrive sites or SharePoint sites you explicitly grant.
Applies to OneDrive and SharePoint Online
The steps in this topic apply to both OneDrive and SharePoint Online. Some configuration details differ depending on the service being used. The following table identifies which steps apply to each host type and authentication method.
| Configuration step | OneDrive | SharePoint Online |
|---|---|---|
| App registration | Yes | Yes |
| Sites.Selected permission | Yes | Yes |
| Grant site access | User’s OneDrive site | Site collection |
| Username required in host | Yes | No |
| Certificate or client secret | Both supported | Certificate (recommended) |
Prerequisites
- Microsoft Entra ID admin access to create an app registration and grant admin consent.
- Decide which credential type you will use:
  - Certificate Access (recommended for long-lived unattended integrations).
  - Client secret (requires rotation and secure storage).
Create the app registration
- Open the Microsoft Azure Portal.
- Click Microsoft Entra ID > App registration, where you will find the list of Microsoft Entra ID applications registered in your tenant.
- Click New registration, provide a name for your application and click Register.
Add API permissions (least privilege)
API permissions are configured in the Microsoft Entra ID app registration to allow the application to access Microsoft 365 resources (such as OneDrive and SharePoint Online) through Microsoft Graph.
Permissions are added and managed in the Azure portal and granted within your Microsoft Entra tenant.
- In the Azure portal, open your app registration, click API permissions > Add a permission. Select Microsoft Graph > Application permissions > Sites.Selected.
- To save the permissions, click Add permissions.
- Click Grant admin consent for your tenant.
Add credentials
- Certificate credential
  - Create a TLS certificate. The certificate should be at least 2048-bit strength. It must be in .cer format.
  - Export the certificate without the private key. Only the public key is required for Microsoft Entra ID.
  - In the app registration, go to Certificates & secrets > Certificates > Upload certificate and upload the .cer.
- Client secret credential
  - In the app registration, go to Certificates & secrets > Client secrets > New client secret.
  - Copy the value of the client secret and store it securely. You will need the secret “value” from this page, and not the secret ID.

Note: The secret value is shown only once and is required when configuring the OneDrive host in MOVEit Automation.
Obtain Tenant ID and Client ID
The Client (Application) ID and Tenant (Directory) ID are available on the Overview page of the App Registration in Microsoft Entra ID.
Grant site access
- For OneDrive: Grant access to the user’s OneDrive site. For example: https://<tenant>-my.sharepoint.com/personal/<user>.
- For SharePoint Online: Grant access to the site collection. For example: https://<tenant>.sharepoint.com/sites/<site>.
Grant Sites.Selected permissions to OneDrive and SharePoint sites
When using Sites.Selected, the app registration has no access until you explicitly grant it permission to specific sites.
- OneDrive access
- SharePoint Online access
For information about granting access to specific sites using PowerShell, see Grant Sites.Selected permissions.
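
To check the least-privilege setup from "Add API permissions", you can inspect the `roles` claim of an app-only Microsoft Graph token issued to the app registration and confirm it carries only Sites.Selected. The following is an added example, not part of the MOVEit Automation documentation or product; the function names, the sample token and the list of permissions treated as too broad are assumptions made for illustration.

```python
import base64
import json

# Tenant-wide Graph application permissions that defeat the purpose of
# Sites.Selected (list chosen for this example; extend it to suit your policy).
BROAD_ROLES = {
    "Sites.Read.All", "Sites.ReadWrite.All", "Sites.Manage.All",
    "Sites.FullControl.All", "Files.Read.All", "Files.ReadWrite.All",
}

def token_claims(jwt: str) -> dict:
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(padded))

def audit_roles(jwt: str) -> dict:
    """Classify the application permissions in the token's 'roles' claim."""
    roles = set(token_claims(jwt).get("roles", []))
    broad = sorted(roles & BROAD_ROLES)
    other = sorted(roles - BROAD_ROLES - {"Sites.Selected"})
    return {
        "has_sites_selected": "Sites.Selected" in roles,
        "broad": broad,    # tenant-wide site or file access: remove these
        "other": other,    # anything else: review whether it is needed
        "least_privilege": "Sites.Selected" in roles and not broad and not other,
    }

def make_sample_token(roles: list) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    payload = {
        "aud": "https://graph.microsoft.com",
        "appid": "00000000-0000-0000-0000-000000000000",  # placeholder client ID
        "roles": roles,
    }
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(payload), "sig"])

if __name__ == "__main__":
    for sample in (["Sites.Selected"], ["Sites.Selected", "Sites.ReadWrite.All"]):
        print(sample, "->", audit_roles(make_sample_token(sample)))
```

A token that passes this check still has no site access until a site is granted, so a successful audit followed by a denied request to an ungranted site is the expected result.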