UiPath Documentation
integration-service
latest
false
UiPath logo, featuring letters U and I in white

Integration Service user guide

Last updated Mar 16, 2026

Microsoft OneDrive and SharePoint authentication

Overview

In Integration Service, when you create a connection to one of our Microsoft Graph-based connectors, you can choose between the following authentication options:

  • Client Certificate Authentication – connects using a client certificate instead of a client secret.
  • OAuth 2.0 Authorization code – connects to the UiPath public application.
  • OAuth 2.0 Client credentials - connects using a service account.
  • Bring your own OAuth 2.0 app – connects to a private application you create.
Note:

For more details regarding the different authentication types, refer to the How to connect to Microsoft 365 activities guide.

Note:

This section applies only to the OAuth 2.0 Authorization code and Bring your own OAuth 2.0 app authentication options.

Many organizations require administrator consent before users can connect to external applications. The admin consent workflow requires an admin to approve the app registration for specific users or groups before a connection is established.

If your organization enforces admin consent, you may encounter an error during connection creation stating that the app needs permission to access resources in your organization, and that only an admin can grant that access. This error is not caused by a product issue, it requires action from your Azure administrator.

For background information, check Overview of admin consent workflow and User and admin consent in Microsoft Entra ID in the Microsoft documentation.

Requesting admin approval

If you encounter the error, submit an approval request directly from the Microsoft sign-in screen:

  1. On the Approval required screen, enter a business justification in the reason for requesting access field.
  2. Select Request approval.

Your administrator receives the request by email and can review it in the Microsoft Entra admin center.

Approving the request (admin)

Prerequisites:

  • You have the Global Administrator, Application Administrator, or Cloud Application Administrator role in Microsoft Entra ID.

To approve a pending admin consent request:

  1. Sign in to the Microsoft Entra admin center.
  2. Navigate to Entra ID, then to Enterprise apps.
  3. Under Activity, in the left navigation, select Admin consent requests.
  4. Select the My Pending tab, then select the pending request from the list.
  5. Review the permissions the application is requesting.
  6. Select Review permissions and consent to view the permissions being requested, then select Accept to grant consent.
  7. To reject, select Deny, and provide a justification.

The user who submitted the request is notified of the decision.

For full details on the approval process, check Review admin consent requests in the Microsoft documentation.

Note:

Integration Service impersonates the user that creates the connection. The credentials of the user offer access to all of the same resources that they have in the given application. If you share the connection, every change made with that connection is made on behalf of that user.

If you want the connection user to be the same as the authenticated user, apply one of the following options:

  • Select the Consent on behalf of your organization option during the consent process.
  • Update the consent settings in Microsoft Entra ID after the application has been registered. This is required so that the consent settings match the settings when an administrator grants consent on behalf of the organization. Then, you can recreate the connection.

Client Certificate Authentication

Scopes

The connector requires the following minimum scopes to create a connection: Files.Read.

The connector requires the following full set of scopes for all activities to function: offline_access, Files.Read, Files.Read.All, Files.ReadWrite, Files.ReadWrite.All, Sites.Read.All, Sites.ReadWrite.All, Group.Read.All, Group.ReadWrite.All, profile, openid, email, User.Read.All, User.Read.

To add more granular permissions, refer to the activities documentation.

Adding the Microsoft OneDrive and SharePoint connection

To create a connection to your Microsoft OneDrive and SharePoint instance, perform the following steps:

  1. Select Orchestrator from the product launcher.
  2. Select a folder, and then navigate to the Connections tab.
  3. Select Add connection.
  4. To open the connection creation page, select the connector from the list. You can use the search bar to find the connector.
  5. Select the Client Certificate Authentication authentication type.
  6. Configure the following fields:

    • Client ID - You can find the ID in the Overview section of your Microsoft Azure application registration.

    • Password for the certificate - The password you set during the certificate creation.

    • OAuth base64 client certificate - The client certificate is generated in a .pfx file format, which you must convert to Base64-encoded format and provide it in this field.

    • Tenant ID - You can find the Microsoft Azure tenant ID for an app in the Overview section of your Microsoft Azure application registration.

    • Environment - Optionally, select an environment from the dropdown list:

      • Office 365 (default)
      • US Government L4 - Public Sector domain
      • US Government L5 - Public Sector domain
      • China Select Office 365 (default) for all regions, and only switch to Government or China for cloud deployments.
      Note:

      For more details on environments, check Microsoft Graph and Graph Explorer service root endpoints.

    • Account - Enter the user principal name (UPN) of the account or shared mailbox that the system should use in the connection. This is required for the connection to be established.

  7. Select Connect.
  8. Authenticate with your Microsoft email address and password.

OAuth 2.0 Authorization code

Scopes

Mandatory scopes: openid, email, offline_access, Files.Read.

The connector requires the following minimum scopes to create a connection: openid, offline_access, email, and Files.Read.

The connector requires the following full set of scopes for all activities to function: offline_access, Files.Read, Files.Read.All, Files.ReadWrite, Files.ReadWrite.All, Sites.Read.All, Sites.ReadWrite.All, Group.Read.All, Group.ReadWrite.All, profile, openid, email, User.Read.All, User.Read.

To add more granular permissions, refer to the activities documentation.

Adding the Microsoft OneDrive and SharePoint connection

To create a connection to your Microsoft OneDrive and SharePoint instance, perform the following steps:

  1. Select Orchestrator from the product launcher.
  2. Select a folder, and then navigate to the Connections tab.
  3. Select Add connection.
  4. To open the connection creation page, select the connector from the list. You can use the search bar to find the connector.
  5. Select the OAuth 2.0 Authorization code authentication type.
  6. Configure the following:
    • Scope - Optionally, add or remove permissions for your connector.
    • Environment - Optionally, select an environment from the dropdown list:
      • Office 365 (default)
      • US Government L4 - Public Sector domain
      • US Government L5 - Public Sector domain
      • China Select Office 365 (default) for all regions, and only switch to Government or China for cloud deployments.
      Note:

      For more details on environments, check Microsoft Graph and Graph Explorer service root endpoints.

  7. Select Connect.
  8. Authenticate with your Microsoft email address and password.

Refresh tokens for OAuth applications

Refresh tokens for OAuth applications can be invalidated or revoked at any time by Microsoft. This can happen for different reasons, such as timeouts and revocations. For details, check the official Microsoft documentation.

Note:

Token invalidation results in failed connections. Automations are unable to run without fixing connections.

Make sure to follow best practices from Microsoft when creating your OAuth applications. For full details on how to create a Microsoft OAuth app, check the Microsoft documentation.

This issue affects not only the OneDrive & SharePoint connector, but all Microsoft Graph-based connectors, such as Outlook or Teams.

OAuth 2.0 Client credentials

Scopes

The connector requires the following minimum scopes to create a connection: Files.Read.

The connector requires the following full set of scopes for all activities to function: offline_access, Files.Read, Files.Read.All, Files.ReadWrite, Files.ReadWrite.All, Sites.Read.All, Sites.ReadWrite.All, Group.Read.All, Group.ReadWrite.All, profile, openid, email, User.Read.All, User.Read.

To add more granular permissions, refer to the activities documentation.

Adding the Microsoft OneDrive and SharePoint connection

To create a connection to your Microsoft OneDrive and SharePoint instance, perform the following steps:

  1. Select Orchestrator from the product launcher.
  2. Select a folder, and then navigate to the Connections tab.
  3. Select Add connection.
  4. To open the connection creation page, select the connector from the list. You can use the search bar to find the connector.
  5. Select the OAuth 2.0 Client credentials authentication type.
  6. Configure the following:

    • Client ID - You can find the ID in the Overview section of your Microsoft Azure application registration.

    • Client Secret - The client secret from the Certificates & secrets section of your Microsoft Azure application.

    • Tenant ID - The Microsoft Azure tenant ID for an app from the Overview section.

    • Environment - Optionally, select an environment from the dropdown list:

      • Office 365 (default)
      • US Government L4 - Public Sector domain
      • US Government L5 - Public Sector domain
      • China Select Office 365 (default) for all regions, and only switch to Government or China for cloud deployments.
      Note:

      For more details on environments, check Microsoft Graph and Graph Explorer service root endpoints.

    • Account - Provide the account used to impersonate a user.

  7. Select Connect.

Bring your own OAuth 2.0 app

Overview

To learn how to create an application, check the official Microsoft documentation: Register an application with the Microsoft identity platform.

Note:

This is an advanced functionality and requires admin privileges in the target application. Work with your IT administrator to set up your application successfully.

Requirements

When you create your own application to use with Integration Service, make sure you meet the following requirements:

  1. Configure the application as a Multi-tenant or Single-tenant application.
  2. Configure a Web application.
  3. Configure a Web Redirect URI. The Redirect URI (or callback URL) for your OAuth 2.0 application is provided in the authentication screen when creating a connection: https://cloud.uipath.com/provisioning_/callback.
  4. You must set up delegated permissions. For more information, refer to Permissions in the Microsoft official documentation.
  5. Generate a client secret for your application.
Important:

The advantage of using your private OAuth application is that you can customize permissions depending on your actual needs. To learn which scopes are required for each activity in the Microsoft 365 package, refer to Working with scopes and check out the activities documentation. The connector uses Microsoft Graph API. Refer to the Microsoft Graph permissions reference page for details on all permissions.

After you create your application, use its Client ID and Client Secret to create a connection with the Microsoft connectors.

Scopes

  • Mandatory scopes: openid, email, offline_access, Files.Read.
  • The connector requires the following minimum scopes to create a connection: openid, offline_access, email, and Files.Read.
  • OneDrive triggers require the following minimum scopes:
    • For events on SharePoint sites: openid, offline_access, and User.Read.All or User.Read and Sites.Read.All.
    • For events on groups and calendars: Group.Read.All
    • For all the remaining event types: Files.Read.All

The connector requires the following full set of scopes for all activities to function: offline_access, Files.Read, Files.Read.All, Files.ReadWrite, Files.ReadWrite.All, Sites.Read.All, Sites.ReadWrite.All, Group.Read.All, Group.ReadWrite.All, profile, openid, email, User.Read.All, User.Read.

To add more granular permissions, refer to the activities documentation.

Adding the Microsoft OneDrive and SharePoint connection

To create a connection to your Microsoft OneDrive and SharePoint instance, perform the following steps:

  1. Select Orchestrator from the product launcher.
  2. Select a folder, and then navigate to the Connections tab.
  3. Select Add connection.
  4. To open the connection creation page, select the connector from the list. You can use the search bar to find the connector.
  5. Select the Bring your own OAuth 2.0 app authentication type.
  6. Configure the following:
    • Client ID - You can find the ID in the Overview section of your Microsoft Azure application registration.
    • Client Secret - The client secret from the Certificates & secrets section of your Microsoft Azure application.
    • Scope - Optionally, add or remove permissions for your connector.
    • Tenant ID - The Microsoft Azure tenant ID for an app from the Overview section.
      Note:
      • If you use a multi-tenant application, keep the default value common.
      • If you use a single-tenant application, retrieve the tenant ID from Azure. For more details, check How to find your Microsoft Entra tenant ID.
    • Environment - Optionally, select an environment from the dropdown list:
      • Office 365 (default)
      • US Government L4 - Public Sector domain
      • US Government L5 - Public Sector domain
      • China Select Office 365 (default) for all regions, and only switch to Government or China for cloud deployments.
      Note:

      For more details on environments, check Microsoft Graph and Graph Explorer service root endpoints.

  7. Select Connect.

Refresh tokens for OAuth applications

Refresh tokens for OAuth applications can be invalidated or revoked at any time by Microsoft. This can happen for different reasons, such as timeouts and revocations. For details, check the official Microsoft documentation.

Note:

Token invalidation results in failed connections. Automations are unable to run without fixing connections.

Make sure to follow best practices from Microsoft when creating your OAuth applications. For full details on how to create a Microsoft OAuth app, check the official Microsoft documentation.

This issue affects not only the OneDrive & SharePoint connector, but all Microsoft Graph-based connectors, such as Outlook or Teams.

Was this page helpful?

Connect

Need help? Support

Want to learn? UiPath Academy

Have questions? UiPath Forum

Stay updated