Microsoft 365 Integration
Connect OneDrive and SharePoint so users can attach documents from Microsoft 365 to requirements and other entities in SecureHive. Configuration requires a per-tenant Azure AD app registration with admin consent and user assignment.
Overview
The Microsoft 365 integration uses an OAuth flow where each user connects once per tenant. Tokens are stored per user per tenant. Users can browse their OneDrive and SharePoint files and either link them (store a reference URL) or copy them into SecureHive’s document storage.
Each SecureHive tenant uses its own Azure AD app (Client ID, Client Secret). Credentials are stored in SecureHive and are not read from environment variables.
Use a dedicated Azure AD app for this integration (least privilege). Do not reuse the same app you use for SSO or other Microsoft features.
Where to configure what in Entra ID
Entra splits configuration by design. Use the right place for each step:
| Location | What to configure |
|---|---|
| App registration | Redirect URI (Web), API permissions (Microsoft Graph delegated), Client ID, Client secret — what the app is allowed to do |
| Enterprise application | User/group assignment, “User assignment required?”, visibility — who can use the app |
| Admin consent requests (under Enterprise apps → Activity) | Approve or deny user-submitted consent requests |
SecureHive setup
Navigate to integration settings
In SecureHive, go to Settings → Integrations.
Open the Microsoft 365 card
Under Documents, find the Microsoft 365 card and click Configure, then Create integration (or Add Integration).
Enter Azure AD app details
| Field | Description |
|---|---|
| Client ID | Application (client) ID from the Azure app registration |
| Client Secret | A client secret you create in the app registration |
| Azure Tenant ID | Leave blank for multi-tenant (common), or set your tenant ID to restrict sign-in to your org |
| Redirect URI | Must match the redirect URI in Azure (e.g. https://your-api.example.com/auth/m365/callback). If omitted, the platform uses M365_REDIRECT_URI or BACKEND_URL + /auth/m365/callback |
Save
One active integration per tenant is used for the Connect URL, callback, and token refresh.
Entra ID: App registration
Register the app
In Azure Portal → Microsoft Entra ID → App registrations → New registration, name it (e.g. “SecureHive O365”), choose supported account types, then Register.
Configure redirect URI
Go to Authentication → Add a platform → Web. Set the Redirect URI to your backend callback URL, e.g. https://api.securehive.ai/auth/m365/callback. This must match the value configured in SecureHive.
Add API permissions
Go to API permissions → Add permission → Microsoft Graph → Delegated and add all of the following:
| Permission | Purpose |
|---|---|
openid | Sign users in |
offline_access | Required for refresh tokens (see note below) |
Files.Read | Read user files |
Files.ReadWrite | Read and write user files |
Files.Read.All | OneDrive and Teams/SharePoint channel folders |
Sites.Read.All | SharePoint sites |
Team.ReadBasic.All | List teams the user is in (for Teams channel files) |
Channel.ReadBasic.All | List all channels in a team, including private channels |
Why offline_access is required: Microsoft only returns a refresh token when the app requests offline_access. SecureHive uses the refresh token to obtain new access tokens when the current one expires (typically after about one hour), so users don’t have to sign in again each time. Without it, the Connect flow will fail with “Missing access_token or refresh_token in token response.” In the Azure portal, this permission may appear as “Access and manage user data any time.”
Create a client secret
Go to Certificates & secrets → New client secret. Copy the secret value and paste it into SecureHive’s integration form. The client secret is encrypted at rest in SecureHive.
Copy the Client ID
Copy the Application (client) ID and paste it into SecureHive as the Client ID.
Entra ID: Enterprise application
When you register an app, an Enterprise application (service principal) is created in your tenant. Go to Microsoft Entra ID → Enterprise applications and find your app (e.g. “SecureHive O365”).
Users and groups: Assign the users (or groups) who are allowed to use the app. If “User assignment required?” is Yes, only assigned users can complete Connect Microsoft 365.
Properties: Set User assignment required? to No if you want any signed-in user to use the app (once admin consent is granted). Set Visible to users? to Yes if you want the app to appear in My Apps.
Granting admin consent
So that users are not prompted to “Request approval” for the app’s permissions, an admin must grant consent for the organization.
- In Enterprise applications, open your app → Permissions (under Security)
- Confirm the Microsoft Graph delegated permissions are listed, including
openid,offline_access,Files.Read,Files.ReadWrite, andSites.Read.All - Click Grant admin consent for [Your organization] and confirm when prompted
After this, the app is pre-approved for your tenant. Users may still see “Approval required” if your tenant requires user assignment and they are not assigned, or if your consent settings require reviewing admin consent requests.
Reviewing admin consent requests
When users see “Approval required” and click “Request approval” with a justification, their request appears in the Entra admin center. You must be signed in as at least a Cloud Application Administrator (or a designated reviewer) to act on these requests.
Navigate to consent requests
Sign in to the Microsoft Entra admin center. Go to Identity → Applications → Enterprise apps. Under Activity, select Admin consent requests.
Review pending requests
Open the My Pending tab and select the application being requested (e.g. “SecureHive O365”). Review the requested permissions (Review permissions and consent), app details (App details tab), and who requested and why (Requested by tab).
Take action
Approve — Grants admin consent; all requestors are notified and can use the app (unless restricted by user assignment).
Deny — Provide a justification; requestors are notified. They can request again later.
Block — Provide a justification; creates a disabled service principal so users cannot request consent for this app in the future.
Usage in SecureHive
Connecting Microsoft 365: Users connect in User Settings → Integrations tab. They click Connect Microsoft 365 and are redirected to Microsoft to sign in and consent. After success, they are redirected back to SecureHive.
Adding files from OneDrive / SharePoint: In attachment areas (e.g. project requirements), the Add from OneDrive button is always shown. If the user is not connected, the button is disabled with a tooltip directing them to User Settings → Integrations. Once connected, users can Link a file (store the Microsoft 365 URL as a reference) or Copy to SecureHive (download and store the file in your tenant’s document storage).
Troubleshooting
“Missing access_token or refresh_token in token response” — The app must request the offline_access scope. In the Azure app registration, go to API permissions → Add permission → Microsoft Graph → Delegated and add offline_access. Grant admin consent, then have the user try Connect again.
“Redirect URI not configured” — Set the Redirect URI in the Microsoft 365 integration in SecureHive (Settings → Integrations → Microsoft 365 → Edit), or set M365_REDIRECT_URI or BACKEND_URL in the backend environment. The value must exactly match the Web redirect URI in the Azure app registration.
“Approval required” / “Request approval” screen — The tenant requires admin consent and/or user assignment. Grant admin consent for the app (Enterprise application → Permissions → Grant admin consent). Assign users in Users and groups, or set User assignment required? to No. If users have already submitted requests, approve them under Enterprise apps → Activity → Admin consent requests → My Pending.
“Microsoft 365 connection was cancelled or not approved” — The user left the Microsoft consent screen before completing the flow. They should try again and complete sign-in/consent. If the app is not yet approved, an admin must grant consent or approve the admin consent request.
Redirect goes to root domain instead of tenant — Ensure FRONTEND_URL is set correctly (e.g. https://securehive.ai or http://localhost:3000). Tenant URLs are derived as https://<subdomain>.securehive.ai or http://<subdomain>.localhost:3000.