OneDrive

OneDrive integration gives task-runner agents read/write access to files in a user’s OneDrive. When connected, agents can list, read, create, update, and delete files and folders during task execution.

The integration uses a dedicated OneDrive MCP server that is deployed alongside Errand. The server communicates with the Microsoft Graph API using OAuth tokens managed by Errand.

  • The OneDrive MCP server must be deployed (enabled by default in the Helm chart and docker-compose)
  • An OAuth 2.0 app registration must be created in Microsoft Entra ID (formerly Azure AD)
  • The user connecting their account must have a Microsoft account with OneDrive access

Step 1: Register an application in Microsoft Entra

  1. Go to the Microsoft Entra admin center
  2. Navigate to Identity > Applications > App registrations
  3. Click New registration
  4. Configure:
    • Name: e.g. “Errand OneDrive”
    • Supported account types: Choose based on your needs:
      • Single tenant — only users in your organization
      • Multitenant — users in any Microsoft Entra directory
      • Multitenant + personal Microsoft accounts — broadest access
    • Redirect URI: Select platform Web and enter:
      https://<your-domain>/api/integrations/onedrive/callback
      For local development:
      http://localhost:8000/api/integrations/onedrive/callback
  5. Click Register

On the app’s Overview page, note:

  • Application (client) ID — this is your MICROSOFT_CLIENT_ID
  • Directory (tenant) ID — this is your MICROSOFT_TENANT_ID

If you selected Multitenant or Multitenant + personal in the previous step, you can use common as the tenant ID instead of the specific directory ID.

  1. Navigate to Certificates & secrets
  2. Under Client secrets, click New client secret
  3. Add a description (e.g. “Errand”) and choose an expiry period
  4. Click Add
  5. Copy the Value immediately — it is only shown once. This is your MICROSOFT_CLIENT_SECRET

  1. Navigate to API permissions
  2. Click Add a permission
  3. Select Microsoft Graph > Delegated permissions
  4. Add the following permissions:
    • Files.ReadWrite.All — read and write access to all files the user can access
    • offline_access — allows Errand to refresh tokens without user interaction
  5. If you are an admin, click Grant admin consent for [your org] to pre-approve the permissions. Otherwise, each user will be prompted to consent during the OAuth flow.

Provide the OAuth credentials as environment variables to the Errand server.

Add to your .env file:

MICROSOFT_CLIENT_ID=your-application-client-id
MICROSOFT_CLIENT_SECRET=your-client-secret-value
MICROSOFT_TENANT_ID=your-directory-tenant-id

These are already wired into the errand service in docker-compose.yml. If you used a multi-tenant configuration, you can set MICROSOFT_TENANT_ID=common.

Create a Kubernetes secret:

kubectl create secret generic errand-onedrive-oauth \
  --from-literal=MICROSOFT_CLIENT_ID="your-application-client-id" \
  --from-literal=MICROSOFT_CLIENT_SECRET="your-client-secret-value" \
  --from-literal=MICROSOFT_TENANT_ID="your-directory-tenant-id" \
  -n errand

Set the secret name in your Helm values:

onedrive:
  enabled: true
  existingSecret: errand-onedrive-oauth

  1. Open the Errand UI and navigate to Settings > Integrations
  2. The OneDrive card should show a Connect button (if it’s greyed out, check that the environment variables are set and the MCP server is running)
  3. Click Connect — you’ll be redirected to Microsoft’s sign-in page
  4. Sign in and grant the requested permissions
  5. You’ll be redirected back to Errand — the card should now show your connected account

Once connected:

  • The worker loads your OneDrive credentials before each task execution
  • If the OAuth access token has expired, the worker automatically refreshes it using the stored refresh token
  • The OneDrive MCP server is injected into the task-runner’s MCP configuration with a fresh Bearer token
  • The task-runner agent can use the MCP tools to interact with your OneDrive files
  • Cloud storage instructions are appended to the system prompt to guide the agent

Cloud storage MCP servers participate in task profile filtering. If a profile specifies an mcp_servers list, the OneDrive server (onedrive) must be included for agents using that profile to access OneDrive files.

Profiles with no mcp_servers filter include all available MCP servers by default.

To disconnect your OneDrive account:

  1. Go to Settings > Integrations
  2. Click Disconnect on the OneDrive card
  3. The stored credentials are deleted from Errand

You can also revoke access from Microsoft’s side at account.microsoft.com/consent.

Microsoft Entra client secrets have an expiry date (maximum 2 years). When the secret expires:

  • Existing connected users continue to work (in some flows, token refresh does not depend on the client secret), but new connections will fail
  • Create a new client secret in the Entra admin center and update the MICROSOFT_CLIENT_SECRET environment variable
  • No user action is needed — existing refresh tokens remain valid
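
A check for the expiry described above, as an added example that is not part of Errand: it reads the passwordCredentials array of the app registration, in the shape Microsoft Graph returns for an application object, and flags client secrets that have expired or are inside a warning window. The sample JSON, the keyId values, the dates and the 30-day window are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of an app registration as Microsoft Graph returns it;
# the keyId values and dates are made up for this example.
SAMPLE_APP = json.loads("""
{"displayName": "Errand OneDrive",
 "passwordCredentials": [
   {"displayName": "Errand", "keyId": "00000000-0000-0000-0000-000000000001",
    "endDateTime": "2025-03-01T00:00:00Z"},
   {"displayName": "Errand (rotated)", "keyId": "00000000-0000-0000-0000-000000000002",
    "endDateTime": "2026-09-01T00:00:00.0000000Z"}
 ]}
""")


def parse_graph_time(value):
    """Parse a Graph UTC timestamp, ignoring fractional seconds."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def secret_status(app, now, warn_days=30):
    """Return one (displayName, keyId, status, days_left) tuple per client secret."""
    report = []
    for cred in app.get("passwordCredentials", []):
        end = parse_graph_time(cred["endDateTime"])
        if end <= now:
            status = "expired"
        elif end - now <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        report.append((cred.get("displayName"), cred["keyId"], status, (end - now).days))
    return report


if __name__ == "__main__":
    for name, key_id, status, days in secret_status(SAMPLE_APP, datetime.now(timezone.utc)):
        print(f"{status:9} {days:>5}d  {name}  ({key_id})")
```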

| Issue | Solution |
| --- | --- |
| Card is greyed out | Check that MICROSOFT_CLIENT_ID, MICROSOFT_CLIENT_SECRET, and ONEDRIVE_MCP_URL are all set |
| “Provider not configured” error on Connect | The OAuth client credentials are not set in the server’s environment |
| “AADSTS50011: reply URL does not match” error | The redirect URI in Entra doesn’t match exactly — check for trailing slashes and protocol (http vs https) |
| “Need admin approval” during consent | An admin must grant consent in the Entra portal, or the user must have permission to consent to apps |
| Token refresh fails after some time | The user may have revoked access or the refresh token expired — disconnect and reconnect |
| Agent reports auth errors during task | The access token may have expired mid-task (tasks longer than 1 hour) — this is a known limitation |
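
A pre-flight check for the first and third rows of the table, as an added example that is not Errand's own code: it validates the environment values before the server starts and compares the callback URL with the redirect URI registered in Entra. It assumes the callback is the deployment's base URL followed by the path from Step 1; the function names, the `base_url` parameter and the Secret ID heuristic are illustrative.

```python
import re
from urllib.parse import urlsplit

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
REQUIRED = ("MICROSOFT_CLIENT_ID", "MICROSOFT_CLIENT_SECRET", "ONEDRIVE_MCP_URL")
CALLBACK_PATH = "/api/integrations/onedrive/callback"  # path shown in Step 1


def check_env(env):
    """Return a list of problems with the OAuth settings in env (a dict)."""
    problems = [f"{name} is not set" for name in REQUIRED if not env.get(name)]
    for name, value in sorted(env.items()):
        if name.startswith("MICROSOFT_") and value.startswith("your-"):
            problems.append(f"{name} still holds the documentation placeholder")
    client_id = env.get("MICROSOFT_CLIENT_ID", "")
    if client_id and not client_id.startswith("your-") and not GUID.match(client_id):
        problems.append("MICROSOFT_CLIENT_ID is not a GUID")
    # Heuristic: the portal shows a GUID "Secret ID" beside the secret Value,
    # and only the Value works as MICROSOFT_CLIENT_SECRET.
    if GUID.match(env.get("MICROSOFT_CLIENT_SECRET", "")):
        problems.append("MICROSOFT_CLIENT_SECRET looks like a Secret ID, not the Value")
    return problems


def check_redirect_uri(base_url, registered):
    """Compare the callback under base_url with the URI registered in Entra."""
    exp = urlsplit(base_url.rstrip("/") + CALLBACK_PATH)
    reg = urlsplit(registered)
    problems = []
    if reg.scheme != exp.scheme:
        problems.append(f"scheme differs: registered {reg.scheme}, served {exp.scheme}")
    if reg.netloc.lower() != exp.netloc.lower():
        problems.append(f"host differs: registered {reg.netloc}, served {exp.netloc}")
    if reg.path != exp.path:
        if reg.path.rstrip("/") == exp.path:
            problems.append("registered URI has a trailing slash")
        else:
            problems.append(f"path differs: registered {reg.path}")
    if reg.scheme == "http" and reg.hostname not in ("localhost", "127.0.0.1"):
        problems.append("http redirect URIs are only accepted for localhost")
    return problems
```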