FME Version
Introduction
This article will walk through configuring a OneDriveConnector web connection in FME Form using a single tenant Azure app registration with delegated Graph API permissions. Delegated permissions applied to the Azure app registration require a user to authenticate the FME web connection with valid Microsoft credentials. This article is for single tenant; for multitenant please see How to Create a OneDriveConnector Multitenant Web Connection in FME Form
Please note that Microsoft Azure Portal is subject to change at any time; the instructions and screenshots provided in this article may be slightly different from what other users see in their Azure Portal menus, but the concepts for configuring the Azure app registration described herein remain the same.
Requirements
Access to Microsoft Azure Portal with permissions required to create and manage an Azure app registration.
Step-by-step Instructions
Part 1: Create the Azure App Registration
Before creating a OneDriveConnector web connection in FME Form, you must create an app registration in Microsoft Azure Portal.
1. Register an App in the Azure Portal
Log into the Microsoft Azure Portal and access the App registrations view.
Add a new registration.
Choose the option "Accounts in this organizational directory only (Single tenant)’’. Leave the Redirect URI blank for now; we will update this later. Click Register.
2. Obtain the Client ID and Tenant ID values
On the new app registration's Overview page, take note of the Application (client) ID value and Directory (tenant) ID value. These values will be used to configure the new FME web service in a later step.
You can confirm your app registration is single tenant by checking on the value of 'Supported account types'. Single tenant app registrations will display a value of 'My organization only' for this setting.
3. Add the 'Moblie and Desktop application' Platform, with Custom Redirect URI
Click the Authentication option along the left-side menu, and then select 'Add a platform'. Choose the 'Mobile and Desktop applications' platform.
Now enter the following value as a Custom Redirect URI, replacing [TENANT ID] with the tenant ID value you obtained in Step 2 above.
https://login.microsoftonline.com/[TENANT ID]/oauth2/nativeclient
Click Configure at the bottom left.
You should now see the Mobile and desktop applications platform enabled for you Azure app registration, with your custom Redirect URI added to the list of default URIs.
4. Add Delegated Graph API Permissions
Select the API Permissions option along the left-side menu, and then select 'Add a permission'.
Choose Microsoft Graph from the Request API Permissions pane that opens at right.
Click Delegated permissions, then search for and check off Files.ReadWrite.All. Click Add Permissions.
Once added, you should see the Files.ReadWrite.All permission appear in the list of Configured permissions in the API Permissions view of your Azure app registration.
Now your single-tenant Azure app registration is complete.
If you have the ability to do so, select 'Grant admin consent for <Tenancy Name>', just above the table of API permissions as shown in the API Permissions view of your Azure app registration. Granting admin consent to your Azure app registration from Azure Portal will remove the need to do so in FME Workbench.
Part 2: Configure the Web Service and Connection in FME Form
A OneDriveConnector web service must be configured before the web connection can be created. Please follow these steps to configure the web service needed.
1. Access the Manage Web Services Menu in FME Workbench
In FME Workbench, navigate to Tools > Options > Web Connections > Manage Services
2. Create a New Web Service
From the Manage Web Services dialog that opens, select the plus (+) button below the list of web services at left, and then choose Create From > Microsoft OneDrive (Graph).
Do not choose the Microsoft OneDrive web service option, sitting just above the Microsoft OneDrive (Graph) web service option. This secondary web service template is a legacy option and will not function correctly with the current version of the OneDriveConnector.
3. Configure the New Web Service
Make sure you have the Application (client) ID value and the Directory (tenant) ID value, obtained from Part 1 - Step 2 above, on hand. In the web service definition that appears in the right-side pane of the Manage Web Services dialog, please make the following adjustments:
- Web Service Name: provide a unique name for your new web service. It is recommended that the web service's name include an indication of the transformer that it supports and the Azure app registration upon which it is based. This naming convention makes it easy to troubleshoot any issues that arise with the web service
- Client ID: enter the Application (client) ID value
- Client Secret: leave this value completely blank, and marked as Optional / Not Required
- Redirect URI: https://login.microsoftonline.com/[TENANT ID]/oauth2/nativeclient
-
Authorization Parameters URL
- replace /common/ with /[TENANT ID]/
- ensure you see '&scope=offline access files.readwrite.all'
- see the note about the &prompt portion, below
- Retrieve Token Parameters URL: replace /common/ with /[TENANT ID]/
- Refresh Token Parameters URL: replace /common/ with /[TENANT ID]/
Click Apply, at the bottom-right of the web service definition, to save this configuration.
It's important to ensure that the web service's Redirect URI value exactly matches the custom redirect URI that was added to the Mobile and Desktop applications platform of the Azure app registration in Part 1: Step 3, above. If these two values do not match, the web service will not function correctly.
If you have already granted admin consent to the Azure app registration in Azure Portal, or your Azure Admin has granted consent to the app registration, you can change the &prompt portion of the web service's Authorization URL to &prompt=select_account or &prompt=login to avoid being prompted to grant consent in FME.
4. Test the New Web Service
Select the Test option, just above Apply, at bottom right of the web service definition. When prompted, enter your Microsoft user credentials. If Microsoft prompts you to grant consent to the Azure app registration, click Accept.
If this web service test is successful, the following dialog will appear:
Once the web service is tested successfully, you can create the web connection. Close the Manage Web Services dialog to return to the Web Connections menu of FME Options.
The Microsoft user account used for authenticating the web service must have access to the target OneDrive resources you wish to work with in FME. If your Microsoft user account does not provide access to the target OneDrive resources, FME will not be able to access the resources.
5. Create the Web Connection
From the Web Connections menu, click the plus (+) button below the Connections table and choose to Add a new web connection.
Choose the web service that you just created and tested above, and give the web connection a unique name. Click OK in the Edit Web Connection dialog. You will be prompted again to authenticate with Microsoft.
After successfully authenticating, the new web connection will appear in the Connections table of the Web Connections menu. The new web connection is now ready for use in your FME Form integrations with Microsoft OneDrive.
Related Resources
How to Create a OneDriveConnector Multitenant Web Connection for FME Form
How to Create a OneDriveConnector Web Connection for FME Flow
Comments
0 comments
Please sign in to leave a comment.