OneDrive & SharePoint Online integration · Foldr Cloud

OneDrive & SharePoint Online integration

This article covers the Foldr Cloud workflow. If you’re running a self-hosted Foldr appliance, see the self-hosted version of this article — appliances use a Microsoft client secret rather than a Federated Identity Credential.

Foldr Cloud integrates with Microsoft 365 so that OneDrive for Business, SharePoint Online sites, and Teams storage all appear inside Foldr alongside your other storage. Once a user’s Microsoft 365 account is linked, they can also edit Office documents directly in Office Online from the Foldr web app.

How the trust works

Rather than storing a long-lived Microsoft client secret in Foldr Cloud, your Entra app trusts Foldr’s identity provider (oidc.foldr.host) using a Federated Identity Credential (FIC) — the same pattern GitHub Actions, HCP Terraform and Azure DevOps use to talk to Microsoft.

When Foldr Cloud needs a Graph access token for your tenant:

  1. Foldr signs a short-lived JWT (the client assertion) with a key held in its own AWS KMS HSM.
  2. Foldr presents the JWT to Microsoft’s token endpoint in place of a client secret.
  3. Microsoft verifies the signature against oidc.foldr.host’s public keys.
  4. Because your Entra app has a Federated Identity Credential that trusts oidc.foldr.host for the specific subject identifying your Foldr tenant, Microsoft accepts the assertion and issues a Graph token.

The signing key never leaves Foldr’s HSM — even Foldr operators cannot extract it. You can revoke the trust at any time by removing the Federated Identity Credential from your Entra app.
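As an added illustration of steps 1 to 4 above (example code, not Foldr's own), the Python below derives the FIC subject from a Foldr subdomain, builds a constructed client assertion with a placeholder kid and signature, checks its claims against the values the Entra app is expected to trust, and assembles the token-endpoint request that stands in for a client secret. The check function and sample values are assumptions for illustration; verifying the signature against oidc.foldr.host's published keys is Microsoft's job and is out of scope here.

```python
import base64
import json
from urllib.parse import urlencode

# FIC values from the article, plus the Microsoft token endpoint and assertion type.
ISSUER = "https://oidc.foldr.host"
AUDIENCE = "api://AzureADTokenExchange"
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def fic_subject(subdomain: str) -> str:
    """Subject identifier, derived from the Foldr subdomain (not the Entra tenant ID)."""
    return f"foldr:tenant:{subdomain}:workload:graph-client"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def sample_assertion(subdomain: str, now: int) -> str:
    """Constructed client assertion with the claims Microsoft matches against the FIC.
    kid and signature are placeholders; the real one is signed inside Foldr's HSM."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "placeholder-kid"}
    payload = {"iss": ISSUER, "sub": fic_subject(subdomain), "aud": AUDIENCE,
               "iat": now, "nbf": now, "exp": now + 300, "jti": "constructed-jti"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()), "placeholder-signature"])

def check_assertion(jwt: str, subdomain: str, now: int) -> list:
    """Trust-field mismatches between the assertion and the FIC (empty = would match)."""
    claims = json.loads(_b64url_decode(jwt.split(".")[1]))
    problems = []
    if claims.get("iss") != ISSUER:
        problems.append(f"issuer {claims.get('iss')!r} != {ISSUER!r}")
    if claims.get("sub") != fic_subject(subdomain):
        problems.append("No matching federated identity record: subject mismatch")
    if claims.get("aud") != AUDIENCE:
        problems.append(f"audience {claims.get('aud')!r} != {AUDIENCE!r}")
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        problems.append("assertion not currently valid (nbf/exp)")
    return problems

def token_request(tenant_id: str, client_id: str, assertion: str) -> tuple:
    """Endpoint and form body presented in place of a client secret (step 2)."""
    body = urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "scope": "https://graph.microsoft.com/.default",
                      "client_assertion_type": ASSERTION_TYPE, "client_assertion": assertion})
    return TOKEN_ENDPOINT.format(tenant_id=tenant_id), body
```

Running check_assertion with a different subdomain than the one the assertion was built for reproduces the "No matching federated identity record" failure described under Test Connection.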

Setup overview

Setup has three parts:

  1. Register an Entra app in your Microsoft tenant (one app per Foldr Cloud tenant).
  2. Add a Federated Identity Credential to the app, trusting oidc.foldr.host for your tenant’s subject.
  3. Paste your Entra Tenant ID and Application (Client) ID into Foldr Cloud and run Test Connection.

1. Register the Entra app

  1. Sign in to the Microsoft Azure portal with an administrative Microsoft account.

  2. Open Microsoft Entra ID from the left-hand panel.

  3. Go to App registrations > New registration.

  4. Name the application (e.g. Foldr Cloud). The default supported-account-type setting (Accounts in this organizational directory only) is correct in most deployments.

  5. Under Redirect URI, choose Web and enter:

    https://<your-foldr-subdomain>.foldr.cloud/services/microsoft/connect

    Replace <your-foldr-subdomain> with the subdomain your users use to reach Foldr (e.g. acme for acme.foldr.cloud).

  6. Click Register.

Copy the Application (client) ID and Directory (tenant) ID from the Overview page. You’ll need both in step 3.

2. Add the Federated Identity Credential

The exact values for Issuer, Audience and Subject are shown in your Foldr settings page (Foldr Settings → Integrations → Microsoft) with copy buttons next to each. The values below are the canonical reference.

  1. In your newly-registered app, open Certificates & secrets.

  2. Switch to the Federated credentials tab and click Add credential.

  3. For Federated credential scenario, choose Other issuer.

  4. Fill in the form:

    Field                 Value
    Issuer                https://oidc.foldr.host
    Subject identifier    foldr:tenant:<your-foldr-subdomain>:workload:graph-client
    Audience              api://AzureADTokenExchange
    Name                  A label for your reference, e.g. Foldr Cloud workload identity

    The subject identifier is derived from your Foldr subdomain, not the Entra tenant ID. For example, acme.foldr.cloud becomes foldr:tenant:acme:workload:graph-client.

  5. Click Add.

You don’t need to create a client secret. The whole point of the FIC is that there isn’t one.

3. Add API permissions

Open API permissions > Add a permission > Microsoft Graph, then add both Application and Delegated permission sets if you want to support both linking modes (most installations do).

Application permissions (for tenant-wide / automatic linking)

Choose Application permissions and add:

File operations:

  • Files.ReadWrite.All
  • Sites.ReadWrite.All
  • Sites.Manage.All (needed for SharePoint document libraries that have content approval enabled)

Teams:

  • Channel.Create
  • ChannelSettings.ReadWrite.All

Directory sync:

  • User.Read.All
  • Group.Read.All

Delegated permissions (for per-user / manual linking)

Choose Delegated permissions and add:

Sign-in basics (usually pre-selected):

  • openid
  • profile
  • email
  • offline_access
  • User.Read

File operations:

  • Files.ReadWrite.All
  • Sites.ReadWrite.All
  • Sites.Manage.All (needed for SharePoint document libraries that have content approval enabled — without it, items in Pending or Rejected moderation status silently fail to appear in Foldr)

Teams:

  • Channel.Create
  • ChannelSettings.ReadWrite.All

After adding permissions, click Grant admin consent for <your tenant> at the top of the API permissions screen and confirm. Without this step, users will see a “needs admin approval” page when they try to sign in or link their account.

4. Wire it up in Foldr Cloud

  1. Sign in to Foldr as an administrator and open Foldr Settings → Integrations → Microsoft.
  2. Under Federated Identity Credential, verify that Issuer, Audience and Subject match what you entered in Entra. Use the copy buttons if you need to paste them back into Azure.
  3. Enter:
    • Tenant ID — the Directory (tenant) ID from Azure
    • Client ID — the Application (client) ID from Azure
  4. Click Save, then Test Connection.

If the federated credential is correctly configured, you’ll see a green success message confirming Microsoft accepted the assertion. If you get an error, the message will quote the exact Microsoft response — typical failures are:

  • “No matching federated identity record” — the Subject identifier in Entra doesn’t match the one Foldr is signing. Verify your subdomain is correct on both sides.
  • “AADSTS700016” — the Application (Client) ID or Tenant ID is wrong.
  • “Authorization_RequestDenied” — admin consent hasn’t been granted.

5. Add Microsoft 365 storage shares

In Foldr Settings > Files & Storage, add shares using these storage addresses:

Share type                          Storage address
OneDrive                            %onedrive%
OneDrive with “Shared with Me”      %onedrivewithshared% (adds a Shared with Me folder to the root of the user’s OneDrive)
OneDrive shared items only          %onedriveshared% (a dedicated share showing items shared with the user)
SharePoint Online, root site        %sharepoint%
SharePoint Online, specific site    %sharepoint%(tenant.sharepoint.com/sites/site-name)
Teams                               %teams% (or %teamsedu% for education tenants; adds the Class Materials library to each Teams channel)

For more detailed SharePoint configurations (subsites, specific document libraries, listing all libraries in a site) see Presenting SharePoint Online sites.

6. Allow users to sign in with Microsoft (optional)

The same Entra app and Federated Identity Credential you’ve just configured can also be used to let users sign in to Foldr with their Microsoft 365 account. This is a separate, optional toggle — the storage integration above works regardless.

See Microsoft Entra ID authentication (Foldr Cloud) for the steps. It’s quick: add one extra redirect URI to your Entra app and flip a toggle in Foldr Settings.

User experience

The first time a user accesses a Microsoft 365 share in Foldr, they’re prompted to link their account. Clicking Link account opens a Microsoft sign-in popup; once they sign in, the link is established and the share becomes browsable.

Users can manage the link from Me > Services in the web app. They can unlink and relink at any time. Tokens are refreshed automatically; users only need to relink if they explicitly unlink or revoke access in their Microsoft account.

Once linked in any Foldr app, the link is shared across all of them — web, desktop and mobile.

Document editing in Office Online

After the integration is in place, users can edit any Office document Foldr can preview, including documents on on-premises SMB shares connected via Connect. Open the document in the Foldr web app and click Edit with Office Online.

If the document is hosted in OneDrive or SharePoint, the user is editing natively and changes save automatically. If the document is hosted elsewhere, Foldr round-trips it through Microsoft 365 and saves changes back to the original location when the editing tab is closed.

Revoking the trust

To disconnect Foldr Cloud from your Microsoft tenant, either:

  • Remove the Federated Identity Credential from your Entra app (immediate — Foldr can no longer mint tokens), or
  • Delete the Entra app registration entirely (also immediate, also removes the audit history).

Either action takes effect within seconds. Foldr does not hold any other credential material that could continue to authenticate after the FIC is removed.