OneDrive for Business Setup
The connection between MyQ X and OneDrive for Business is configured in MyQ > Settings > Connections.
Click Add and select OneDrive for Business.
In the pop-up window, add a Title for your connection, and then you can select the preferred Mode:
Create automatically: MyQ X will facilitate the Azure application required for accessing OneDrive for Business content.
Set up manually: You want to manage all aspects of the application, and thus create it manually in your Azure tenant.
Users created manually or synchronized from sources other than Azure AD will not have access to the OneDrive for Business destination.
Create Automatically
This mode allows the administrator to have MyQ create the Enterprise Application (Service Principal) on their tenant and grant this application permissions to access OneDrive documents.
Considerations
If you are not willing to grant even temporary administrative access so that MyQ can create a client secret, the automatic connection procedure to OneDrive for Business is not available. In that case, create the application manually in your organization's Azure environment and configure the connection to MyQ X yourself (mode Set up manually). You then keep full control over the application's permissions and the security of the connection, in line with your organization's security policies and compliance requirements.
Prerequisites
Users synchronized from Entra ID
For creating the service principal on the customer’s tenant, Application Administrator or Cloud Application Administrator roles are required.
For granting admin consent to the service principal, the Global Administrator role is required.
To finish all steps in the automatic setup, the Global Administrator role is required.
Steps to automatically set up the OneDrive for Business application
1. The administrator signs in with their Azure Administrator account. The MyQ X for OneDrive for Business service principal is created on the tenant.
2. The administrator grants the delegated permissions to manage Azure applications.
Permissions requested in this step:
Application.ReadWrite.All (to create a Security key)
Directory.Read.All (to read the default domain name in the connected tenant so that it can be displayed in MyQ)
3. The administrator grants the MyQ X for OneDrive for Business enterprise application permission to read/write to OneDrive and grants admin consent (individual users do not have to consent subsequently).
Permission requested in this step:
Files.ReadWrite.All
Once the process is completed, the OneDrive for Business connector is saved, and the connection details are securely saved in MyQ.
Re-authorizing the OneDrive Business connection
The automatic connection to OneDrive Business can be changed after it has been created. By right-clicking on the connection, the Re-authorize option will be available in the context menu.
The user is shown the same dialog as when the connection was created. They can repeat all the steps to create a new secret for the existing OneDrive Business connection, or perform only step 3 (Administrator's consent) if it was not completed when the connection was created, for example due to insufficient rights of the Azure administrator.
Also, the Re-authorize option allows you to change the type of connection created from automatic to manual, and vice versa.
Application management
The validity of the Secret is 2 years. Be sure to rotate the secret before it expires; you can do this with the Re-authorize option in MyQ.
Credentials for service principals are not visible in the Azure portal. They can be managed via PowerShell or Microsoft Graph API.
In case you need to revoke the app’s access or currently used Secret, you can simply delete the entire MyQ X for OneDrive Business enterprise application in Azure, and create a new one with the Re-authorize option in MyQ.
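As an added example (not MyQ's own code or documentation), the following Microsoft Graph PowerShell SDK script does the two management tasks described above without deleting the whole enterprise application: it lists the secrets on the MyQ X for OneDrive for Business service principal, flags any that expire within a threshold, and optionally removes one secret by its KeyId. It assumes the Microsoft.Graph.Applications module is installed, that you sign in with an account holding Application Administrator or higher, and that the service principal's display name is exactly "MyQ X for OneDrive for Business"; the 30-day threshold and the -RevokeKeyId switch are choices of this example.

```powershell
# Added example (not MyQ code): audit and revoke secrets on the MyQ OneDrive
# service principal. Requires the Microsoft.Graph.Applications module.
param(
    [string]$DisplayName = 'MyQ X for OneDrive for Business',  # name used by the automatic setup (assumed exact)
    [int]$WarnDays = 30,                                        # example threshold, adjust to your rotation policy
    [string]$RevokeKeyId                                        # optional: KeyId of a secret to remove
)

# Application.ReadWrite.All is needed to remove a credential; reading alone needs Application.Read.All.
Connect-MgGraph -Scopes 'Application.ReadWrite.All' -NoWelcome

# Look up the service principal (enterprise application) by display name.
$sp = Get-MgServicePrincipal -Filter "displayName eq '$DisplayName'"
if (-not $sp) { throw "Service principal '$DisplayName' not found in this tenant." }
if ($sp.Count -gt 1) { throw "More than one service principal named '$DisplayName'; refine the filter by AppId." }

Write-Host "Service principal: $($sp.DisplayName) (ObjectId $($sp.Id), AppId $($sp.AppId))"

# Secrets created by the automatic setup live on the service principal, not on an
# app registration, so they never appear under 'Certificates & secrets' in the portal.
$now = Get-Date
foreach ($cred in $sp.PasswordCredentials) {
    $daysLeft = [math]::Floor(($cred.EndDateTime - $now).TotalDays)
    $state = if ($daysLeft -lt 0) { 'EXPIRED' }
             elseif ($daysLeft -le $WarnDays) { "EXPIRES IN $daysLeft DAYS - re-authorize in MyQ" }
             else { "valid, $daysLeft days left" }
    Write-Host ("  KeyId {0}  start {1:u}  end {2:u}  {3}" -f $cred.KeyId, $cred.StartDateTime, $cred.EndDateTime, $state)
}

# Revoke one secret by KeyId. Do this only after MyQ has been re-authorized and
# holds a new secret, otherwise the connector stops working immediately.
if ($RevokeKeyId) {
    Remove-MgServicePrincipalPassword -ServicePrincipalId $sp.Id -KeyId $RevokeKeyId
    Write-Host "Removed secret $RevokeKeyId from $($sp.DisplayName)."
}
```

Run it first without -RevokeKeyId to see which secrets exist and when they expire. After Re-authorize in MyQ has issued a new secret, the old KeyId can be passed to -RevokeKeyId so that a leaked or superseded secret stops working while the connector keeps running on the new one.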
Additional information
If the automatic setup is run again, it does not create a new instance of the application on the tenant; the existing application is updated (e.g. a new secret is created on the service principal in the tenant). If the MyQ X for OneDrive Business application has been removed from Azure, it is created again.
The service principal (enterprise application) is created on the tenant after Step 1, without the permissions that are granted in Step 3. If the authorization code is provided in Step 2, the connector can be saved. Step 3 can be finished later (by right-clicking the OneDrive Business connector and selecting Re-authorize).
To better understand what MyQ is doing in this mode, Microsoft explains this method in their Developer documentation – Understand user and admin consent from the perspective of the application developer
Set Up Manually
It is expected that the administrator has configured the Azure application manually. They can directly provide credentials to their application - Tenant ID (directory ID), Application ID (client ID), Security key (secret key).
Follow the steps to manually create an Entra ID connection here.
During this process, you will obtain the Tenant ID, Client ID, and Security key of the application that you will provide to MyQ X in the next steps.
In the pop-up window, fill in the required information:
Title: Add a title for the connection.
Tenant ID: Add the Directory (tenant) ID you saved from Microsoft Entra.
Client ID: Add the Application (client) ID you saved from Microsoft Entra.
Security key: Add the (secret) Value you saved from Microsoft Entra.
Click Save and your OneDrive for Business connection is now complete.
Option “Application has access to OneDrive Business of all users”
The Application has access to OneDrive Business of all users checkbox lets the administrator set whether the application has already been given access to the OneDrive storage of users or not.
If unchecked, it is expected the application has been given only Delegated permissions, which means each user has to manually log in to the MyQ Web User Interface and click the “Connect” link to give the application permissions to access their data.
If checked, it is expected the application has been assigned Application permissions to access OneDrive data and the administrator has granted admin consent to the application, all manually in Azure Portal. The users do not have to manually connect their storage, OneDrive Business storage appears to be connected in the widget on their MyQ Web User Interface.
Conditions when this option is enabled:
The manually created Azure application must have the Files.ReadWrite.All permission of the Application type (not Delegated).
Admin consent must be granted ("Granted" is displayed in the Status column); it can be granted with the "Grant admin consent" option.
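The conditions above can be verified from the tenant itself rather than by reading the portal. The following Microsoft Graph PowerShell SDK script is an added example (not MyQ's code) that takes the Application (client) ID you entered in MyQ, checks whether Files.ReadWrite.All of type Application has been assigned with admin consent, and separately reports any Delegated grant for the same scope, which is the situation the unchecked option expects. It assumes the Microsoft.Graph.Applications and Microsoft.Graph.Identity.SignIns modules are installed and that you sign in with an account that can read applications and the directory; the well-known Microsoft Graph appId 00000003-0000-0000-c000-000000000000 is a Microsoft constant, not something from this page.

```powershell
# Added example (not MyQ code): check whether a manually registered application
# satisfies the "Application has access to OneDrive Business of all users" conditions.
param(
    [Parameter(Mandatory)][string]$ClientId   # Application (client) ID you entered in MyQ
)

Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome

# Service principal of your app (the enterprise-application side of the registration).
$sp = Get-MgServicePrincipal -Filter "appId eq '$ClientId'"
if (-not $sp) { throw "No service principal for appId $ClientId; the app has never been consented to in this tenant." }

# Microsoft Graph's own service principal defines the app roles (Application permissions).
$graph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$role  = $graph.AppRoles | Where-Object { $_.Value -eq 'Files.ReadWrite.All' -and $_.AllowedMemberTypes -contains 'Application' }
if (-not $role) { throw "Microsoft Graph does not expose an Application role named Files.ReadWrite.All in this tenant." }

# Application permissions that have admin consent appear as app role assignments on the client SP.
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
$hasAppPerm  = $assignments | Where-Object { $_.ResourceId -eq $graph.Id -and $_.AppRoleId -eq $role.Id }

# Delegated permissions show up as OAuth2 permission grants; ConsentType 'AllPrincipals' means admin consent,
# 'Principal' means a single user consented (the per-user "Connect" flow in MyQ).
$grants    = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All
$delegated = $grants | Where-Object { $_.ResourceId -eq $graph.Id -and (($_.Scope -split ' ') -contains 'Files.ReadWrite.All') }

Write-Host "App: $($sp.DisplayName) ($ClientId)"
if ($hasAppPerm) {
    Write-Host "  OK: Files.ReadWrite.All (Application) is assigned with admin consent."
    Write-Host "  You can tick 'Application has access to OneDrive Business of all users' in MyQ."
} else {
    Write-Host "  MISSING: Files.ReadWrite.All of type Application is not consented."
    Write-Host "  Leave the checkbox unticked (users connect individually) or grant admin consent in the portal."
}
foreach ($g in $delegated) {
    Write-Host ("  Delegated grant found (ConsentType {0}): {1}" -f $g.ConsentType, $g.Scope)
}
```

The distinction the script makes is the one the checkbox relies on: an Application permission is recorded as an app role assignment on the service principal, while a Delegated permission is recorded as an OAuth2 permission grant, and only the former lets MyQ read every user's OneDrive without that user clicking Connect. The same check can be run against the automatically created connection by passing the AppId of the MyQ X for OneDrive for Business enterprise application.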
Pairing users with their OneDrive
When the Automatic mode was used, or Application has access to OneDrive Business of all users was checked in the manual setup, no user interaction is needed for users to use their OneDrive in MyQ. Users are paired with their OneDrive storage via the user's Entra ID (Azure AD) Object ID (a UUID). These IDs are imported only by the Azure AD user synchronization into MyQ, which is why manually created users, or users synchronized from other sources, cannot use this destination. The UUID is synchronized from Central to Sites during user sync when Central users are synchronized with Azure AD, which enables users at a Site to be automatically connected to their storage.
Learn how to use your OneDrive as a destination for Easy Scans here.