
Integration Service user guide

Last updated Feb 11, 2025

Microsoft OneDrive & SharePoint authentication

Prerequisites

In Integration Service, when creating a connection to one of our Microsoft Graph-based connectors, you can choose between three authentication options:

  • OAuth 2.0 Authorization code – connects to the UiPath public application.
  • OAuth 2.0 Client credentials – uses a service account.
  • Bring your own OAuth 2.0 app – connects to a private application you create.
    Note: For more details regarding the different authentication types, refer to the How to connect to Microsoft 365 activities guide.

    Environment

    When you first access the Authentication screen, you can select an Environment. The available options are:

    • Office 365 (default)
    • US Government L4 - Public Sector domain
    • US Government L5 - Public Sector domain
    • China

    Admin consent

    Note: This section applies only to the OAuth 2.0 Authorization code and Bring your own OAuth 2.0 app authentication options.

    Many organizations require an administrator's consent before creating a connection to an external application. The admin consent workflow requires an admin to approve the app registration for specific users or groups before a connection is established. For more information, refer to Overview of admin consent workflow and User and admin consent in Microsoft Entra ID in the Microsoft documentation.

    Note: Integration Service impersonates the user that creates the connection. The user’s credentials offer access to all of the same resources that they have in the given application. If you share the connection, every change made to Microsoft SharePoint or OneDrive with that connection is made on behalf of that user.

    Scopes

    The connector requests the following permissions/scopes:

    • OAuth 2.0 Authorization code: offline_access, Files.Read, Files.Read.All, Files.ReadWrite, Files.ReadWrite.All, Sites.Read.All, Sites.ReadWrite.All, Group.Read.All, Group.ReadWrite.All, profile, openid, email, User.Read.All.
    • OAuth 2.0 Client credentials:
      • Minimal scopes for creating a connection: User.Read.All, Files.Read.
    • Bring your own OAuth 2.0 app:
      • Minimal scopes for creating a connection: openid, offline_access, User.Read.All, Files.Read.
      • Minimal list of scopes required for OneDrive triggers:
        • openid, offline_access, User.Read.All, Sites.Read.All – for events on SharePoint sites;
        • Group.Read.All – for events on groups and calendars;
        • Files.Read.All – for all the remaining event types.
    Note: If you authenticate using Bring your own OAuth 2.0 app, you benefit by default from the scopes configured at app creation. If you want to use the default app permissions, you can declare a common scope. This means you use only the permissions configured for that application in Azure. You can also declare additional scopes at connection creation, using the Scopes field. You will then be asked to grant the additional consent during sign-in.
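
As an added example (not UiPath's code), the script below audits a scope set, taken either from the Scopes field or from the `scp` claim of a delegated access token, against the minimal Bring your own OAuth 2.0 app scopes listed above, and reports missing, excess and write-capable scopes. The trigger labels, function names and sample token are constructed for illustration, and it assumes sign-in scopes may be absent from `scp`.

```python
import base64
import json

# Minimal "Bring your own OAuth 2.0 app" scopes, copied from the list above.
CONNECTION = {"openid", "offline_access", "User.Read.All", "Files.Read"}
TRIGGERS = {  # keys are hypothetical labels for the three trigger rows
    "sharepoint_sites": {"openid", "offline_access", "User.Read.All", "Sites.Read.All"},
    "groups_calendars": {"Group.Read.All"},
    "other_events": {"Files.Read.All"},
}
# Assumption: sign-in scopes are not always echoed in a token's `scp` claim,
# so they are not reported as missing when auditing a token.
SIGN_IN = {"openid", "offline_access", "profile", "email"}


def required_scopes(trigger_kinds=()):
    """Connection minimum plus the minimum for each trigger kind in use."""
    return set().union(CONNECTION, *(TRIGGERS[k] for k in trigger_kinds))


def scopes_from_token(jwt):
    """Read the `scp` claim of a delegated token (signature NOT verified)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("scp", "").split())


def audit(granted, trigger_kinds=(), from_token=False):
    """Compare granted scopes with the documented minimum for the intended use."""
    needed = required_scopes(trigger_kinds)
    excess = granted - needed - SIGN_IN
    missing = needed - granted - (SIGN_IN if from_token else set())
    return {
        "missing": sorted(missing),
        "excess": sorted(excess),
        "excess_write": sorted(s for s in excess if "ReadWrite" in s),
    }


def constructed_token(scp):
    """Unsigned sample token for the demo (constructed, not a real token)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'scp': scp})}.constructed"


if __name__ == "__main__":
    tok = constructed_token("User.Read.All Files.Read Files.ReadWrite.All Sites.Read.All")
    print(audit(scopes_from_token(tok), ["sharepoint_sites"], from_token=True))
```

Running the same audit over the scope list of the OAuth 2.0 Authorization code option shows how much a private app restricted to the connection minimum leaves out.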

    Add the Microsoft OneDrive & SharePoint connection

    To create a connection to your Microsoft OneDrive & SharePoint instance, you need to perform the following steps:
    1. Select Integration Service from Automation Cloud™.

    2. From the Connectors list, select Microsoft OneDrive & SharePoint. You can also use the search bar to narrow down the connector.
    3. Select the Connect to Microsoft OneDrive & SharePoint button.
    4. You are now redirected to the connection page.

      You can choose between two authentication types: OAuth 2.0 Authorization code or Bring your own OAuth 2.0 app.

      • If you select OAuth 2.0 Authorization code, select Connect, then authenticate using your Microsoft email address and password.
      • If you select OAuth 2.0 Client credentials, you must provide an Account. This represents the account used to impersonate a user.
      • If you select Bring your own OAuth 2.0 app, you must provide a Client ID and Client secret, the Tenant ID, and the Scopes you may need to interact with different activities. Check out the activities' documentation to learn what scopes they require.
        Note: If you are using a multitenant application, keep the default value for the Tenant ID (common). If you are using a single tenant application, retrieve the Tenant ID from Azure. Refer to How to find your Microsoft Entra tenant ID.
    5. Your connection has been added.

    Bring your own OAuth 2.0 app

    To learn how to create an application, go to Microsoft's official documentation and follow the described steps: Register an application with the Microsoft identity platform.

    Note: This is an advanced functionality and requires admin privileges in the target application. Work with your IT administrator to set up your application successfully.
    Requirements

    When creating your own application to use with Integration Service, you must consider the following requirements:

    1. You must configure the application as a Multitenant or Single tenant application.
    2. You must configure a Web application.
    3. You must configure a Web Redirect URI. The Redirect URI (or callback URL) for your OAuth 2.0 application is provided in the authentication screen when creating a connection: https://cloud.uipath.com/provisioning_/callback.
    4. You must set up delegated permissions. For more information, refer to Permissions in the Microsoft official documentation.
    5. Generate a client secret for your application.
    Important: The advantage of using your private OAuth application is that you can customize permissions depending on your actual needs. To learn which scopes are required for each activity in the Microsoft 365 package, refer to Working with scopes and check out the activities documentation.

    The connector uses Microsoft Graph API. Refer to the Microsoft Graph permissions reference page for details on all permissions.

    After you create your application, use its Client ID and Client Secret to create a connection with the Microsoft connectors.

    Refresh tokens for OAuth applications

    Refresh tokens for OAuth applications can be invalidated or revoked at any time by Microsoft. This can happen for different reasons, such as timeouts and revocations. For details, refer to Microsoft's official documentation regarding token expiration.

    Warning: Token invalidation results in failed connections, and automations cannot run until the connections are fixed.
    Make sure you follow the best practices from Microsoft when creating your OAuth applications. For details on how to create an OAuth 2.0 application, check out Microsoft's documentation.
    Note: This issue affects all Microsoft Graph-based connectors.
