Azure Active Directory permissions

[1gravity]

I've read through pages and pages of documentation but there's no concrete answer to the question what permissions an application for OneDrive for business needs in the active directory (ADAL).

This https://dev.onedrive.com/app-registration.htm simply states:

Specify the permission levels your app requires from the Office 365 API applications in Azure using scopes

Scopes don't match the permissions in the Azure AD at all, they seem to be a concept for the non business OneDrive.

I added a bunch of applications and selected all permissions I could find and that seems to give my app access but I want to know what the minimal set of permissions is to get access to an app specific folder only (not the whole drive) which would match the onedrive.appfolder scope.

[hschottm]

The SDK documentation is quite a mess. What I found out experimenting with it was that I need the following "permissions to other applications" for my native Azure AD app:

Windows Azure Active Directory (which is available by default)

• Read and write directory data
• Access the directory as the signed-in user
• Sign in and read user profile

(I enabled the above 3 Delegated Permissions)

Additionally to by able to write and write to the users OneDrive for Business (which is actually a Sharepoint resource) you need permissions for

Office 365 Sharepoint Online

• Read and write managed metadata
• Run search queries as a user
• Read and write user files

To get the delegated permissions for Office 365 Sharepoint Online, you need to go to your AD and Add an application from the gallery and select Office 365 Sharepoint Online. But, apart from the SDK documentation this is not working with an Office 365 Developer account for $99 / year because it doesn't have the permissions to use the Office 365 Sharepoint Online application. I only got this working with a 30-day trial of Office 365 or - if you already have an existing Office 365 subscription that is eligible to use the Sharepoint Online services.

With these permissions I got my OneDrive for Business app working with read and write permissions using the OneDrive SDK.

[1gravity]

Thank you for your answer. I'm currently testing with these permissions. At least the authentication went through. I do have the Office 365 Sharepoint Online permission in my developer account so I'll stick with this one at the moment.

The whole Office 365 subscription model is a mess imo and that is reflected in the fact that I basically have to do double work to integrate OneDrive (regular OneDrive and OneDrive for Business) and I don't really see why I should even be obliged to subscribe to anything. Microsoft should do everything to bring developers on board to integrate with their services because that ultimately increases their user base. Every competitor (except Apple) has realized that asking money to integrate with one of their APIs simply doesn't make sense. I guess that's leftovers from the time when they only did closed-source and asked money for every single service. Even Microosoft will come around. As far as documentation goes, yes that's messy too but to be fair, the competitors aren't doing much better. DropBox's Javadoc is a joke and Google Apis in general are hard to figure out mainly they change so quickly and documentation lags behind.

[hschottm]

@1gravity: you are so right, the process with OneDrive for Business is a complete mess. I am currently trying to get a Microsoft Official to tell me which subscription I actually need and why this is necessary. I guess you are having the same reason like I do, providing OneDrive for Business access for your customers but you do not want to use it by yourself or for your company and I guess this is the only model that Microsoft has for OneDrive for Business. The only way I got this working was to create a 30-day-trial subscription for Office 365. With this subscription you are able to connect to Azure AD and to add the Microsoft Office Sharepoint Online app which has the necessary permissions to allow users using their OneDrive for Business with the app. I also tried to get a free trial of the Office 365 Developer subscription which is listed in the FAQ on how to create a OneDrive for Business app, but this subscription is lacking the Microsoft Sharepoint Online subscription which is an additional $4.10 per user per month. Then I found out that there is a way to get a 1 year free Office 365 Developer subscription when you register with the Office 365 Developer network but when I did this and got the link to activate the free 1 year Office 365 Developer subscription I converted my Office 365 Developer trial to this 1 year free subscription, i now are no longer able to access the Azure AD because Azure tells me that I use a non-payed Office 365 subscription which is not eligible to use it with an Azure AD... Seems Microsoft doesn't want developers to support their business products and make them more attractive for the customers. Like you I don't see why I should pay to provide access to a Microsoft product which only benefits Microsoft. And there is obviously no link to a support team or person which is capable of understanding what we are doing and what we are dealing with. It's sad I invested so much time to support OneDrive for Business, but I think I will keep on telling our customers that Microsoft is incompetent and not willing to provide developer support for their business products.

[1gravity]

I can feel your pain... Even from a regular user perspective it's a pain in the a... I only have an Office 365 Home subscription and wanted to get Visio but that subscription doesn't allow me to have Visio, I'd have to convert to a business subscription. I then chatted with them about 1/2 hours to figure out how to convert and after that 1/2 hours they gave me a phone number to call. I then decided that this all just too cumbersome and if they don't want my money, so be it. I found a web based Visio replacement that I signed up for in 2 minutes and it's doing all I need. Back to OneDrive. I signed up for the free trial Office 365 Developer subscription and I do have access to the Microsoft Office Sharepoint app including the permissions so I'm not sure why you wouldn't have it?

[hschottm]

@1gravity There have been so many issues with all these subscriptions, I wouldn't wonder when I had the wrong values in my browser cache or whatever. The initial subscription didn't work, there was an error, then I found it somewhere in the Administration settings and activated it, maybe that was the problem. I can't say that the whole Office 365 / Azure stuff is working smoothly, that's what I expect at least when they offer these services for money...