7.6 KiB
How to configure access to specific Microsoft Azure deployments
Application Version
Before reading this document, please ensure you are running application version 
onedrive --version to determine what application version you are using and upgrade your client if required.
Process Overview
In some cases it is a requirement to utilise specific Microsoft Azure cloud deployments to conform with data and security reuqirements that requires data to reside within the geographic borders of that country. Current national clouds that are supported are:
- Microsoft Cloud for US Government
- Microsoft Cloud Germany
- Azure and Office365 operated by 21Vianet in China
In order to successfully use these specific Microsoft Azure deployments, the following steps are required:
- Register an application with the Microsoft identity platform using the Azure portal
- Configure the new application with the appropriate authentication scopes
- Validate that the authentication / redirect URI is correct for your application registration
- Configure the onedrive client to use the new application id as provided during application registration
- Configure the onedrive client to use the right Microsoft Azure deployment region that your application was registered with
- Authenticate the client
Step 1: Register a new application with Microsoft Azure
- Log into your applicable Microsoft Azure Portal with your applicable Office365 identity:
| National Cloud Environment | Microsoft Azure Portal |
|---|---|
| Microsoft Cloud for US Government | https://portal.azure.com/ |
| Microsoft Cloud Germany | https://portal.azure.com/ |
| Azure and Office365 operated by 21Vianet | https://portal.azure.cn/ |
- Select 'Azure Active Directory' as the service you wish to configure
- Under 'Manage', select 'App registrations' to register a new application
- Click 'New registration'
- Type in the appropriate details required as per below:
- To save the application registration, click 'Register' and something similar to the following will be displayed:
Note: The Application (client) ID UUID as displayed after client registration, is what is required as the 'application_id' for Step 4 below.
Step 2: Configure application authentication scopes
Configure the API permissions as per the following:
| API / Permissions name | Type | Description | Admin consent required |
|---|---|---|---|
| Files.ReadWrite | Delegated | Have full access to user files | No |
| Files.ReadWrite.All | Delegated | Have full access to all files user can access | No |
| Sites.ReadWrite.All | Delegated | Have full access to all items in all site collections | No |
| offline_access | Delegated | Maintain access to data you have given it access to | No |
Step 3: Validate that the authentication / redirect URI is correct
Add the appropriate redirect URI for your Azure deployment:
A valid entry for the response URI should be one of:
- https://login.microsoftonline.us/common/oauth2/nativeclient (Microsoft Cloud for US Government)
- https://login.microsoftonline.de/common/oauth2/nativeclient (Microsoft Cloud Germany)
- https://login.chinacloudapi.cn/common/oauth2/nativeclient (Azure and Office365 operated by 21Vianet in China)
For a single-tenant application, it may be necessary to use your specific tenant id instead of "common":
- https://login.microsoftonline.us/example.onmicrosoft.us/oauth2/nativeclient (Microsoft Cloud for US Government)
- https://login.microsoftonline.de/example.onmicrosoft.de/oauth2/nativeclient (Microsoft Cloud Germany)
- https://login.chinacloudapi.cn/example.onmicrosoft.cn/oauth2/nativeclient (Azure and Office365 operated by 21Vianet in China)
Step 4: Configure the onedrive client to use new application registration
Update to your 'onedrive' configuration file (~/.config/onedrive/config) the following:
application_id = "insert valid entry here"
This will reconfigure the client to use the new application registration you have created.
Example:
application_id = "22c49a0d-d21c-4792-aed1-8f163c982546"
Step 5: Configure the onedrive client to use the specific Microsoft Azure deployment
Update to your 'onedrive' configuration file (~/.config/onedrive/config) the following:
azure_ad_endpoint = "insert valid entry here"
Valid entries are:
- USL4 (Microsoft Cloud for US Government)
- USL5 (Microsoft Cloud for US Government - DOD)
- DE (Microsoft Cloud Germany)
- CN (Azure and Office365 operated by 21Vianet in China)
This will configure your client to use the correct Azure AD and Graph endpoints as per https://docs.microsoft.com/en-us/graph/deployments
Example:
azure_ad_endpoint = "USL4"
If the Microsoft Azure deployment does not support multi-tenant applications, update to your 'onedrive' configuration file (~/.config/onedrive/config) the following:
azure_tenant_id = "insert valid entry here"
This will configure your client to use the specified tenant id in its Azure AD and Graph endpoint URIs, instead of "common". The tenant id may be the GUID Directory ID (formatted "00000000-0000-0000-0000-000000000000"), or the fully qualified tenant name (e.g. "example.onmicrosoft.us"). The GUID Directory ID may be located in the Azure administation page as per https://docs.microsoft.com/en-us/onedrive/find-your-office-365-tenant-id. Note that you may need to go to your national-deployment-specific administration page, rather than following the links within that document. The tenant name may be obtained by following the PowerShell instructions on https://docs.microsoft.com/en-us/onedrive/find-your-office-365-tenant-id; it is shown as the "TenantDomain" upon completion of the "Connect-AzureAD" command.
Example:
azure_tenant_id = "example.onmicrosoft.us"
# or
azure_tenant_id = "0c4be462-a1ab-499b-99e0-da08ce52a2cc"
Step 6: Authenticate the client
Run the application without any additional command switches.
You will be asked to open a specific URL by using your web browser where you will have to login into your Microsoft Account and give the application the permission to access your files. After giving permission to the application, you will be redirected to a blank page. Copy the URI of the blank page into the application.
[user@hostname ~]$ onedrive
Authorize this app visiting:
https://.....
Enter the response uri:
Example:
[user@hostname ~]$ onedrive
Authorize this app visiting:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=22c49a0d-d21c-4792-aed1-8f163c982546&scope=Files.ReadWrite%20Files.ReadWrite.all%20Sites.ReadWrite.All%20offline_access&response_type=code&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient
Enter the response uri: https://login.microsoftonline.com/common/oauth2/nativeclient?code=<redacted>
Application has been successfully authorised, however no additional command switches were provided.
Please use --help for further assistance in regards to running this application.