Connect Microsoft OneDrive with data federation

This page describes how to connect Microsoft OneDrive to Agentspace using data federation.

Use the following procedure to search your Microsoft OneDrive account using federated search.

About data federation

With data federation, Agentspace directly retrieves information from the third-party data sources using APIs, instead of copying the data into Agentspace. Using this approach, you can access external data sources immediately, without waiting for ingestion.

Before you begin the Microsoft OneDrive federated setup

Perform the following steps before connecting to your Microsoft OneDrive data store using federated search.

Register Agentspace as an OAuth 2.0 application in Microsoft Entra ID and collect the following information:
- Client ID
- Client secret
- Instance URL: The URL of your organization's OneDrive. For example, https://example-my.sharepoint.com.
- Tenant ID

Configure the following Microsoft Graph application permissions with the consent of a Microsoft OneDrive administrator:

Permission	Type	Description
Files.Read.All	Delegated	Read all files that user can access
Sites.Read.All	Delegated	Read items in all site collections

Add the following URLs as web callback URLs:
- https://vertexaisearch.cloud.google.com/console/oauth/default_oauth.html
- https://vertexaisearch.cloud.google.com/oauth-redirect

Create a federated search connector with OneDrive

Use the following steps for Google Cloud console to perform federated search through Microsoft OneDrive from Agentspace.

In the Google Cloud console, go to the Agentspace page.

Agentspace
In the navigation menu, click Data Stores.
Click Create Data Store.
On the Select a data source page, select OneDrive Federated Search to connect your third-party data source.
Under Authentication settings, select the authentication method to use.
1. Enter the Client ID, Client secret, Instance URL, and Tenant ID.
2. Click Authenticate.
3. Click Continue.
Note: The next step (selecting entities to sync) will be skipped automatically, because this data source supports only one entity type.
Select a region for your data source.
Enter a name for your data source.
Click Create. Agentspace creates your data store and displays it on the Data Stores page.

Once the data store is created, go to the Data Stores page and click your data store name to see the status. When the Connector state changes from Creating to Active, the federated search connector is ready to be used.

User authorization

After creating a federated search data store, you see it listed as one of the data sources in your source management panel. If you haven't previously authorized Agentspace, then you can't select the data source. Instead, an Authorize button appears.

To initiate the authorization flow:

Click Authorize. You are redirected to the OneDrive authorization server.
Sign in to your account.
Click Grant access. After granting access, you are redirected back to Agentspace to complete the authorization flow. Agentspace obtains the access token and uses it to access the Microsoft OneDrive search.

Query execution

After you authorize Microsoft OneDrive, when you enter a search query:

Agentspace sends your search query to the Microsoft Graph API.
Agentspace blends the results with those from other sources and displays them.

Data handling

When using third-party federated search, your query string is sent to the third-party search backend. These third parties may associate queries with your identity. If multiple federated search data sources are enabled, the query might be sent to all of them.

Once the data reaches the third-party system, it is governed by that system's terms of service and privacy policies.

Error codes

The following table lists OneDrive error codes and descriptions.

Error code	Description
ONEDRIVE_MISSING_PERMISSION_1	The application does not have the required role `Files.Read.All` for the Graph API.
ONEDRIVE_MISSING_PERMISSION_2	The application does not have the required role `Group.Read.All` for the Graph API.
ONEDRIVE_MISSING_PERMISSION_3	The application does not have the required roles `User.Read.All` or `User.ReadBasic.All` for the Graph API.
ONEDRIVE_INVALID_SITE_URI	The instance URL is invalid.
ONEDRIVE_INVALID_AUTH	An error occurred when retrieving the Graph API access token. This may be due to an invalid client ID, an invalid secret value, or missing federated credentials.
ONEDRIVE_UNCATEGORIZED_ERROR	Invalid or no ACL is present in file.
ONEDRIVE_TOO_MANY_REQUESTS	OneDrive has received too many HTTP requests and has returned an HTTP 429 response.

Next steps

To attach your data store to an app, create an app and select your data store, following the steps in Create an app.
To preview how your search results appear after your app and data store are set up, see Preview search results. If you used third-party access control, see Preview results for apps with third-party access control.