OneDrive Setup
Step-by-step guide to creating Azure AD app credentials for BAP OneDrive storage.
This guide walks through creating an Azure AD app registration to connect Microsoft OneDrive as a storage backend for BAP.
Prerequisites
- A Microsoft account (personal or work/school)
- Access to the Azure Portal
Step 1: Register an Application
- Go to Azure App Registrations
- Click "New registration"
- Fill in:
| Setting | Value |
|---|---|
| Name | BAP Storage (or any name) |
| Supported account types | Accounts in any organizational directory and personal Microsoft accounts |
| Redirect URI (Web) | Your BAP OAuth callback (see below) |
- Click "Register"
Redirect URI
| Environment | Redirect URI |
|---|---|
| Development | http://localhost:8080/api/storages/oauth/callback |
| Production | https://yourdomain.com/api/storages/oauth/callback |
Step 2: Get Application (Client) ID
- After registration, you'll land on the Overview page
- Copy the Application (client) ID — this is your Client ID
- Save it — you'll need it for BAP
Step 3: Create a Client Secret
- In the left sidebar, click "Certificates & secrets"
- Under "Client secrets", click "New client secret"
- Add a description (e.g. BAP) and choose an expiry (recommended: 24 months)
- Click "Add"
- Immediately copy the Value — it's only shown once
- Save it — this is your Client Secret
Step 4: Add API Permissions
- In the left sidebar, click "API permissions"
- Click "Add a permission"
- Select "Microsoft Graph"
- Select "Delegated permissions"
- Search for and enable:
| Permission | Description |
|---|---|
| Files.ReadWrite.All | Read and write all files the user can access |
| offline_access | Maintain access to data (for refresh tokens) |
- Click "Add permissions"
- If you see a "Grant admin consent" button and have admin access, click it (optional for personal accounts)
Step 5: Verify Settings
Your app should now have:
| Setting | Value |
|---|---|
| Application (client) ID | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
| Client secret | The value you copied in Step 3 |
| Redirect URI | Your BAP callback URL |
| API permissions | Files.ReadWrite.All, offline_access |
Important Values for BAP
| Value | Where to Find |
|---|---|
| Application (Client) ID | Overview page |
| Client Secret | Certificates & secrets → Client secrets → Value |
| Redirect URI | Authentication → Redirect URIs |
Troubleshooting
"AADSTS50011: The redirect URI does not match"
- The redirect URI in BAP must exactly match what's registered in Azure
- Check protocol (http vs https), domain, port, and path
- Trailing slashes matter
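Because Azure compares the redirect URI as an exact string, the quickest way to resolve AADSTS50011 is to compare the URI BAP sends with the one registered in the app, component by component. The helper below is an added example (not BAP's own code) that reports which part differs; the sample URIs are the ones from the Redirect URI table above.

```python
from urllib.parse import urlsplit


def redirect_uri_mismatch(configured: str, registered: str) -> list[str]:
    """Explain why Azure AD would reject `configured` against `registered`.

    Azure matches the redirect URI exactly, so each component is compared as
    written (no normalisation of ports or paths). Returns a list of readable
    differences; an empty list means the two URIs match.
    """
    a, b = urlsplit(configured), urlsplit(registered)
    diffs = []
    if a.scheme != b.scheme:
        diffs.append(f"protocol: {a.scheme!r} vs {b.scheme!r}")
    if a.hostname != b.hostname:
        diffs.append(f"domain: {a.hostname!r} vs {b.hostname!r}")
    if a.port != b.port:
        # An explicit port on one side and none on the other counts as a difference.
        diffs.append(f"port: {a.port!r} vs {b.port!r}")
    if a.path != b.path:
        if a.path.rstrip("/") == b.path.rstrip("/"):
            diffs.append("trailing slash: one URI ends with '/' and the other does not")
        else:
            diffs.append(f"path: {a.path!r} vs {b.path!r}")
    if (a.query, a.fragment) != (b.query, b.fragment):
        diffs.append("query string or fragment differs")
    if not diffs and configured != registered:
        # urlsplit lower-cases scheme and host; anything left is a pure case difference.
        diffs.append("URIs differ only in letter case")
    return diffs


if __name__ == "__main__":
    # Constructed sample: a development BAP instance with a stray trailing slash.
    registered = "http://localhost:8080/api/storages/oauth/callback"
    configured = "http://localhost:8080/api/storages/oauth/callback/"
    for problem in redirect_uri_mismatch(configured, registered) or ["URIs match"]:
        print(problem)
```

Run it with the URI from BAP's configuration and the one shown under Authentication → Redirect URIs in the portal; fix whichever component it names, then retry the OAuth flow.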
"AADSTS7000215: Invalid client secret"
- Client secrets expire — check the expiry date in Azure Portal
- Make sure you copied the Value, not the Secret ID
- Create a new secret if the old one expired
"Insufficient privileges"
- Verify Files.ReadWrite.All is listed under API permissions
- For work/school accounts, an admin may need to grant consent
- For personal accounts, consent is granted during the OAuth flow
"AADSTS700016: Application not found"
- Double-check the Application (Client) ID
- Ensure the app registration is in the correct Azure AD tenant
- If using "Accounts in any organizational directory", the app must be multi-tenant
Security Notes
- Keep your Client Secret secret — never commit it to version control
- Rotate secrets before they expire (Azure shows expiry dates)
- Use delegated permissions (not application permissions) — BAP acts on behalf of the user
- Limit scope — Files.ReadWrite.All is the minimum needed; don't add unnecessary permissions
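To show how the values from Steps 2 to 5 and the security notes fit together, here is an added example (not BAP's own code) of a minimal server-side OAuth client: it reads the Client ID and Client Secret from environment variables (the names BAP_ONEDRIVE_CLIENT_ID and BAP_ONEDRIVE_CLIENT_SECRET are assumed), refuses obviously wrong values such as a Secret ID pasted in place of the secret Value, warns when a secret is near its expiry date, and builds the authorization request with exactly the two delegated scopes from Step 4. The endpoints are the Microsoft identity platform v2.0 endpoints; the secret is used only in the token exchange, never in the browser-facing URL.

```python
import os
import re
import secrets
from datetime import date
from urllib.parse import urlencode

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
TOKEN_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/token"

# The two delegated Microsoft Graph permissions from Step 4, and nothing more.
SCOPES = ["https://graph.microsoft.com/Files.ReadWrite.All", "offline_access"]

GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def load_credentials(env=None):
    """Read the app credentials from the environment (assumed variable names), never from source."""
    env = os.environ if env is None else env
    client_id = env.get("BAP_ONEDRIVE_CLIENT_ID", "")
    client_secret = env.get("BAP_ONEDRIVE_CLIENT_SECRET", "")
    if not GUID_RE.match(client_id):
        raise ValueError("BAP_ONEDRIVE_CLIENT_ID is not a GUID; copy the Application (client) ID from Overview")
    if not client_secret:
        raise ValueError("BAP_ONEDRIVE_CLIENT_SECRET is empty; copy the secret Value (not the Secret ID)")
    if GUID_RE.match(client_secret):
        # The Secret ID is a GUID; the Value is an opaque string shown once at creation.
        raise ValueError("BAP_ONEDRIVE_CLIENT_SECRET looks like a Secret ID, not the secret Value")
    return client_id, client_secret


def secret_expiry_warning(expires_on, today=None, warn_days=30):
    """Return a rotation warning if the secret expires within warn_days (or already has), else None."""
    today = today or date.today()
    remaining = (expires_on - today).days
    if remaining < 0:
        return f"client secret expired {-remaining} days ago; create a new one (expect AADSTS7000215 until then)"
    if remaining <= warn_days:
        return f"client secret expires in {remaining} days; rotate it now"
    return None


def build_authorize_url(client_id, redirect_uri, state):
    """URL the user is sent to; `state` is a per-login random value checked on the callback."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,  # must match the registered URI exactly
        "response_mode": "query",
        "scope": " ".join(SCOPES),
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def token_request_body(client_id, client_secret, code, redirect_uri):
    """Form body POSTed to TOKEN_ENDPOINT; the only place the secret is ever sent."""
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": " ".join(SCOPES),
    }


if __name__ == "__main__":
    # Constructed sample environment; real values come from the portal as described above.
    sample_env = {
        "BAP_ONEDRIVE_CLIENT_ID": "12345678-1234-1234-1234-123456789abc",
        "BAP_ONEDRIVE_CLIENT_SECRET": "constructed-secret-value",
    }
    cid, _ = load_credentials(sample_env)
    print(secret_expiry_warning(date(2026, 1, 1), today=date(2025, 12, 20)))
    print(build_authorize_url(cid, "http://localhost:8080/api/storages/oauth/callback", secrets.token_urlsafe(16)))
```

The secret never appears in the authorize URL and is only ever placed in the server-to-server token request, which is why delegated permissions with a server-side callback are the right fit for BAP; the expiry check is the practical form of "rotate secrets before they expire".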
Personal vs Work/School Accounts
| Account Type | Notes |
|---|---|
| Personal (Outlook.com, Hotmail) | Works immediately; consent granted during sign-in |
| Work/School (Microsoft 365) | May require admin consent for Files.ReadWrite.All |
For BAP, personal accounts are simpler. Work/school accounts may require IT admin approval.
Next Steps
- Return to Connecting Storage to complete the setup
- Add your Application ID and Client Secret in the BAP dashboard