Authorization
When you add a OneDrive card to a flow for the first time, Okta prompts you to configure the connection. This helps you to connect your OneDrive account, save your account information, and reuse the connection for future OneDrive flows.
Create a connection using a OneDrive admin account or a OneDrive user account. Okta recommends that you use a OneDrive admin account when creating a connection for the first time.
Make sure that you have enabled supported scopes. See Guidance for OneDrive connector.
Applications
For your convenience, Okta has created OneDrive OAuth applications:
- OneDrive for Okta Workflows, for connections to Okta Workflows production orgs
- OneDrive for Okta Preview, for connections to Okta Workflows preview orgs
When you create a OneDrive connection in Okta Workflows, Okta automatically creates this app as a service principal object in your Azure tenant.
The object in your Azure tenant references a registered application object from the Okta Azure tenant. There's no additional configuration required on these service principal objects.
Office 365 GCC High tenants
Okta Workflows in Okta for Government High only supports connections using accounts from Office 365 GCC High tenants.
Create a connection with a OneDrive admin account
- Click New Connection.
- Enter a Connection Nickname. This is useful if you plan to create multiple OneDrive connections to share with your team.
- Click Create.
- Log in to your OneDrive account to authorize the connection.
- Select one of the following options:
  - As an admin, you don't want regular users to create connections. Click Accept and make sure that the Consent on behalf of your organization option isn't selected.
  - As an admin, you want regular users to also be able to create connections. Click Accept and make sure that the Consent on behalf of your organization option is selected. All user accounts in your organization can create connections on their own.
Create a connection with a OneDrive user account
- Click New Connection.
- Enter a Connection Nickname. This is useful if you plan to create multiple OneDrive connections to share with your team.
- Click Create.
- Log in to your OneDrive account to authorize the connection.
- Select one of the following options:
  - Can accept the permissions requested directly. This option grants consent for this Okta app to your regular users.
  - Need admin approval. Access to the app requires users to contact an admin. See Consent for all apps or Grant tenant-wide admin consent.
  - Need to submit an approval request. Enter a justification for access to this app in the space provided. See Enable the admin consent workflow.
- Click Accept.
Admin app approval
Admins can grant Okta app access to regular user accounts.
If an admin forgets to select the Consent on behalf of your organization option and then clicks Accept when configuring a connection, the authorization page might not display again when using the same admin account. This occurs because the Okta app authorized the connection and the system remembers it.
The following information provides other ways for an admin to grant Okta app access to regular user accounts.
Consent for all apps
You can allow user consent for all apps, or for apps from verified publishers, for selected permissions. Configure permissions as Global Admin only. See Configure how users consent to applications.
- In your Azure Portal, go to .
- Select one of the following permissions options:
  - Allow user consent for apps: This is a less secure option.
  - Allow user consent for apps from verified publishers: This option is more secure. Configure the permissions as low impact. See Guidance for OneDrive connector.
- From Enterprise applications, go to the Admin consent requests page to review and grant access.
Grant tenant-wide admin consent
This process grants tenant-wide admin consent for an Okta app only if your admin account (or any other admin accounts) authorizes the Okta app. See Grant tenant-wide admin consent to an application.
- In your Azure Portal, go to .
- Select one of the following Okta apps:
  - OneDrive for Okta Workflows
  - OneDrive for Okta Preview
- Select . This grants consent to the Okta app to all regular user accounts in your organization.
Enable the admin consent workflow
This option enables regular users to request access to applications that require admin consent. Users can't directly create connections until an admin approves the request. Configure permissions as Global Admin only. See Configure the admin consent workflow.
- In your Azure Portal, go to .
- Under Manage, select User settings.
- Under , select Yes. See Configure the admin consent workflow.
- From Enterprise applications, go to the Admin consent requests page to review and grant access.
Prohibit users from creating connections
You can also remove previously granted admin consent by deleting the Okta app in Enterprise applications and then reauthorizing it. When you delete the app, it revokes the admin consent tenant-wide. Revoking individual user consent isn't allowed.
All existing connections stop working after one hour. For previously configured admin connections that you want to keep active, manually reauthorize them and use the consent process to avoid connection failure.
- In your Azure Portal, select .
- Select one of the following Okta apps:
  - OneDrive for Okta Workflows
  - OneDrive for Okta Preview
- Select Delete.
Admin consents previously granted are revoked and regular users can't create connections until admin consent is granted.
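To confirm which consent state the tenant is in after granting or revoking consent, the following added example (not part of Okta's documentation) classifies the delegated grants recorded for the two Okta apps. It assumes you have exported service principals and oauth2PermissionGrants from Microsoft Graph; the IDs and scope strings in the sample are constructed placeholders, and consent_state is a name chosen for this example.

```python
import json

# Constructed sample shaped like Microsoft Graph output from
#   GET /servicePrincipals?$select=id,displayName
#   GET /oauth2PermissionGrants
# IDs and scopes are placeholders, not values taken from Okta's documentation.
SERVICE_PRINCIPALS = json.loads("""[
  {"id": "sp-0001", "displayName": "OneDrive for Okta Workflows"},
  {"id": "sp-0002", "displayName": "OneDrive for Okta Preview"},
  {"id": "sp-0003", "displayName": "Unrelated App"}
]""")
GRANTS = json.loads("""[
  {"clientId": "sp-0001", "consentType": "Principal",
   "principalId": "user-admin", "scope": "Files.ReadWrite offline_access"},
  {"clientId": "sp-0001", "consentType": "Principal",
   "principalId": "user-alice", "scope": "Files.ReadWrite offline_access"},
  {"clientId": "sp-0003", "consentType": "AllPrincipals",
   "principalId": null, "scope": "User.Read"}
]""")

OKTA_APPS = {"OneDrive for Okta Workflows", "OneDrive for Okta Preview"}

def consent_state(service_principals, grants, app_names=OKTA_APPS):
    """Return {app name: {state, users, scopes}} for the named apps."""
    report = {}
    for sp in service_principals:
        if sp["displayName"] not in app_names:
            continue
        mine = [g for g in grants if g["clientId"] == sp["id"]]
        # consentType "AllPrincipals" is consent on behalf of the organization;
        # "Principal" is consent given by one user (principalId) for themselves.
        tenant_wide = any(g["consentType"] == "AllPrincipals" for g in mine)
        users = sorted({g["principalId"] for g in mine
                        if g["consentType"] == "Principal"})
        scopes = sorted({s for g in mine for s in g["scope"].split()})
        if tenant_wide:
            state = "tenant-wide"
        elif users:
            state = "per-user"
        else:
            state = "no-consent"
        report[sp["displayName"]] = {"state": state, "users": users, "scopes": scopes}
    return report

if __name__ == "__main__":
    for app, info in consent_state(SERVICE_PRINCIPALS, GRANTS).items():
        print(f"{app}: {info['state']} users={info['users']} scopes={info['scopes']}")
```

A "per-user" result for an app that admins intended to approve for everyone indicates that the Consent on behalf of your organization option was not selected.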
Reauthorize a connection
If you've used your account to create a connection successfully, you can use this account to create multiple connections.
If you've already created connections, you can reauthorize these connections if the admin hasn't made any configuration changes.
Related topics
OneDrive connector