OneDrive API Integration Using Microsoft Graph (Step-by-Step Guide) Chintan Prajapati April 17, 2026 6 min read OneDrive API Integration Using Microsoft Entra (Graph API)This guide explains how to build an end-to-end integration with Microsoft OneDrive using the Microsoft Graph API, supporting both business (work/school) and personal (consumer) Microsoft accounts.You will learn how to register an app, configure authentication, request tokens, and call common OneDrive API endpoints.Step 1: Register an App in Microsoft EntraGo to https://entra.microsoft.com and go to Azure Active Directory > App registrations > New registration.Fill in the following: Name: OneDrive Integration Supported account types: Accounts in any organizational directory and personal Microsoft accounts Redirect URI: https://yourapp.com/callback (or http://localhost:3000 for testing)Click Register, then save the Application (client) ID and Directory (tenant) ID.Step 2: Add Redirect URIAfter registration, go to the app’s Authentication tab and add all required URIs under Redirect URIs.Important: These URIs must match exactly those used in your OAuth flow. Any mismatch will cause authentication errors.Step 3: Configure API PermissionsNavigate to API permissions > Add a permission > Microsoft Graph > Delegated:Essential Permissions User.Read: sign in and read user profile Files.ReadWrite.All: full access to user’s OneDrive and SharePoint files Sites.Read.All: access SharePoint site content offline_access: allows use of refresh tokensClick Grant admin consent for the tenant (recommended for business apps).Understanding OneDrive API Permissions (Delegated vs Application)FeatureDelegated PermissionsApplication PermissionsWho signs in?A user signs inNo user sign-in app runs as itselfWhen used?User is interacting with the app (web/mobile)Background services or daemonsData AccessAccess only the signed-in user’s dataCan access organization-wide data (with admin consent)Consent required fromThe user or an adminAn admin onlyUse case examplesUpload files to user’s OneDrive, show user’s profileDaily sync jobs, file indexing, analytics across usersCommon permission scopesFiles.ReadWrite, User.ReadFiles.Read.All, Sites.ReadWrite.All, User.Read.AllWhy Use Delegated Over Application? Some OneDrive endpoints (like /me/drive) only support delegated access If using a personal Microsoft account (@outlook.com), application permissions are not supported Delegated flow is easier to test interactively Application permissions require admin consent, which may not be available in development/testing environments.Step 4: Get Client ID and Secret for OneDrive API IntegrationGo to Certificates & secrets > New client secret. Add a name and expiration, then save the secret value immediately it will not be shown again.Collect and store securely: client_id, client_secret, tenant_id, and redirect_uri.Step 5: OneDrive API OAuth 2.0 Flow Explained (Step-by-Step)Authorization URLsContextURL TemplateBusinesshttps://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorizeConsumerhttps://login.microsoftonline.com/consumers/oauth2/v2.0/authorizeCommon (Both)https://login.microsoftonline.com/common/oauth2/v2.0/authorizeSample Authorization Request (GET)GET /oauth2/v2.0/authorize ?client_id={client_id} &response_type=code &redirect_uri={redirect_uri} &response_mode=query &scope=User.Read Files.ReadWrite.All Sites.Read.All offline_access &state=12345Exchange Code for Access TokenPOST to https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token (or use /consumers/ or /common/)Content-Type: application/x-www-form-urlencoded client_id={client_id} &scope=User.Read Files.ReadWrite.All Sites.Read.All offline_access &code={authorization_code} &redirect_uri={redirect_uri} &grant_type=authorization_code &client_secret={client_secret} It can be hard to keep track of authentication across systems when you use more than one API, especially in accounting and ERP workflows.Check out how our accounting automation solutions make this easier.Refresh Token FlowPOST https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token Content-Type: application/x-www-form-urlencoded grant_type=refresh_token &refresh_token={refresh_token} &client_id={client_id} &client_secret={client_secret} &scope=User.Read Files.ReadWrite.All Sites.Read.All offline_accessCommon OneDrive API Endpoints File and Folder OperationsAll requests must include the header: Authorization: Bearer {access_token}(Authorization for OneDrive API via Microsoft Graph, 2024)Get Root DirectoryLists items in the user’s OneDrive root.GET https://graph.microsoft.com/v1.0/me/drive/root/childrenCreate New Root FolderPOST https://graph.microsoft.com/v1.0/me/drive/root/children { "name": "New Folder", "folder": {}, "@microsoft.graph.conflictBehavior": "rename" }Create a Folder Under Another FolderPOST /me/drive/items/{parent_folder_id}/children { "name": "New Child Folder", "folder": {}, "@microsoft.graph.conflictBehavior": "rename" }Rename FolderPATCH https://graph.microsoft.com/v1.0/me/drive/items/{item-id} { "name": "New Folder Name" }Upload FileUploads a small file directly to OneDrive. Ensure content-type matches file (e.g., image/png).The request payload should be binary data of the file.PUT /me/drive/items/{parent-id}:/{filename}:/contentGet File VersionsGET /me/drive/items/{item-id}/versionsRestore Specific VersionPOST /me/drive/items/{item-id}/versions/{version-id}/restoreVersionDelete FileDELETE /me/drive/items/{item-id}Move File to Another FolderPATCH /me/drive/items/{item-id} { "parentReference": { "id": "destination-folder-id" } }Copy FileCreates a duplicate of the file in a new location. Use the Location header to monitor the async operation.POST /me/drive/items/{item-id}/copy { "parentReference": { "id": "destination-folder-id" }, "name": "new-filename.ext" }Revoke User Sessions / AccessRevokes the user’s session and refresh tokens (Azure AD accounts only).POST /me/revokeSignInSessionsNote: This endpoint works only for Work or School (Azure AD) accounts. It does not work for personal Microsoft accounts.Revoke App Consent via Portal (Manual)Users can take back their permission for your app to access their information if they no longer want to: For personal Microsoft accounts (like Outlook.com, Hotmail.com, and Live.com): https://account.live.com/consent/Manage Work/School (Azure AD) accounts: https://myaccount.microsoft.com/ → Apps and sessions.Token Expiry Note: When a user removes app access, the refresh token is immediately revoked, preventing new access tokens from being issued. However, previously issued access tokens remain valid until they expire (typically within 1 hour).If you’re looking to connect more than just storage in the cloud, you might also want to look into our custom API integration services for connecting multiple business systems.Useful Links Microsoft Graph Docs Authentication Scenarios Register Your App Common API DocsOneDrive API Integration FAQsCan I use my personal Microsoft account with the OneDrive API?Yes, but you have to use delegated permissions with the /consumers or /common OAuth endpoint. Personal accounts do not support application permissions.What do the /common, /consumers, and /organizations endpoints do that is different?The /common endpoint supports both personal and work/school accounts. Use /consumers for personal-only and /organizations for work/school-only authentication flows.How do I get a new access token after it has expired?Send a POST request to the token endpoint with grant_type=refresh_token along with your client_id, client_secret, and the stored refresh_token. The offline_access scope must have been requested initially.Why do I get a 403 error when calling OneDrive endpoints?This usually means your app lacks the required permissions. Ensure you have granted Files.ReadWrite.All and the admin consent has been granted for your tenant.