SharePoint Online Graph API / OAuth 2.0 Connections



What is SharePoint Online Graph API / OAuth 2.0?

SharePoint Online OAuth 2.0 connectors behave almost identically to the original SharePoint Online connections. They utilize the same API calls and require the same setup and account permissions. They just use OAuth 2.0 to authenticate with SharePoint Online and OneDrive for Business.

What is the difference between OAuth 2.0 and the original SharePoint Online connections?

There are several differences between OAuth 2.0 connections and original SharePoint Online connections.

First, using the OAuth 2.0 flow for authentication allows clients with MFA enabled to use DryvIQ to migrate their content. Also, since many customers are disabling legacy authentication, this form of authentication will be the only way to connect to Office 365 platforms.

Second, Microsoft will use our registered application ID to track rate limits. This ID is only visible to Microsoft when using OAuth 2.0, which may allow clients higher rate limits before getting throttled.

Third, the OAuth 2.0 connection requires a global admin to give consent the first time it is used. Afterwards, any user can be used to create a connection between DryvIQ and Office 365. For clients that cannot allow the permission "Have full control of all your site collections", please contact us and the DryvIQ team can assist with a Custom App Registration.

Finally, these connections will utilize Microsoft's Graph API to perform native change detection on libraries. This will drastically reduce the number of calls required to check large libraries for any changes as well as reduce job execution time.

When should OAuth 2.0 connections be used?

OAuth 2.0 connections should be the preferred way to connect to SharePoint Online and OneDrive for Business going forward. Functionality is the same in all ways except in change detection. The only time they should not be used is if a client is unwilling to globally authorize our application, as our application requests permissions that must be approved by a global administrator.

For clients that cannot allow the permission "Have full control of all your site collections", please contact us and the DryvIQ team can assist with a Custom App Registration.

Can a custom Azure Storage Account be configured?

When migrating to Office 365 and utilizing batch mode with Migration API, is there a way to specify a custom Azure Storage Account or do we just default to a temporary Storage Account until content is committed to Office 365?

No, not at this time.

DryvIQ uses the default storage account that is leveraged by the Migration API for the Office 365 tenant that you are migrating to. The CSOM call that DryvIQ makes to provision a migration storage account and message queue will guarantee that the storage account is in the same data center as the Office 365 tenant. This will also improve performance.

Any content uploaded to the migration storage account will eventually be deleted after use. 

The migration storage account will not incur any additional costs.

 

How do I update all my existing connections to use OAuth 2.0?

The best way to update all your existing jobs that are using Office 365 or OneDrive for Business legacy connections is to duplicate / clone the job and replace with the new connection. 

OneDrive for Business OAuth 2.0 connections assume Documents as the root.

 

If your previous job included Documents in the locations path, you must remove it when duplicating/cloning.


How to Create an OAuth 2.0 Connection

 

Features and Limitations

Platforms all have unique features and limitations. DryvIQ’s transfer engine manages these differences between platforms and allows you to configure actions based on Job Policies and Behaviors. Utilize the Platform Comparison tool to see how your integration platforms may interact regarding features and limitations.

 

SharePoint Online OAuth 2.0 Connections must have full control of all SharePoint site collections. For clients that cannot allow the permission "Have full control of all your site collections", please contact us and the DryvIQ team can assist with a Custom App Registration.

OneDrive for Business OAuth 2.0 Connections are automatically configured to the Documents library.

When configuring your job JSON, do not include "Documents" in the location path, such as /Documents/FolderName.

Correct configuration path: /FolderName

 

 

Files/Folders

SharePoint Online OAuth 2.0 connections have the following file/folder restrictions.  

  • Maximum file size: 100 GB

  • Maximum file name path length: 400 characters

  • Restricted characters in file/folder name include  / , | , \ , \\ , / , : , * , ? , < , >

  • Invalid folder names: _t, _w

  • Maximum number of files per folder: 5000

  • OneDrive for Business does not allow the following:

    • Two consecutive periods

    • Leading or trailing periods and white spaces

    • Non-printable ASCII characters

    • For more information on OneDrive for Business, see Microsoft’s official documentation.
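
A pre-flight check for the restrictions listed above and for the OneDrive for Business "Documents" root rule, as an added example (not DryvIQ code). The function name, the sample paths, reading _t and _w as exact folder names, and reading 100 GB as 100 × 1024³ bytes are assumptions.

```python
# Limits and character lists copied from the restrictions listed above.
MAX_PATH_LEN = 400
MAX_FILE_SIZE = 100 * 1024**3      # 100 GB, read here as GiB (assumption)
RESTRICTED = set('|\\:*?<>')       # "/" is the path separator, so it never appears inside a segment
INVALID_FOLDERS = {"_t", "_w"}     # treated as exact folder names (assumption)

def check_item(path, size=0, onedrive=False, is_folder=False):
    """Return a list of problems for one destination path such as /FolderName/file.txt."""
    problems = []
    if len(path) > MAX_PATH_LEN:
        problems.append("path longer than 400 characters")
    if size > MAX_FILE_SIZE:
        problems.append("file larger than 100 GB")
    segments = [s for s in path.split("/") if s]
    # OneDrive for Business connections are already rooted at the Documents library.
    if onedrive and segments and segments[0].casefold() == "documents":
        problems.append('path starts with "Documents"; use /FolderName instead')
    folder_count = len(segments) if is_folder else len(segments) - 1
    for i, seg in enumerate(segments):
        bad = sorted(RESTRICTED & set(seg))
        if bad:
            problems.append(f"restricted character(s) {''.join(bad)} in {seg!r}")
        if i < folder_count and seg in INVALID_FOLDERS:
            problems.append(f"invalid folder name {seg!r}")
        if onedrive:  # rules the page lists for OneDrive for Business only
            if ".." in seg:
                problems.append(f"two consecutive periods in {seg!r}")
            if seg != seg.strip(". \t"):
                problems.append(f"leading or trailing period or white space in {seg!r}")
            if any(ord(c) < 32 or ord(c) == 127 for c in seg):
                problems.append(f"non-printable ASCII character in {seg!r}")
    return problems

# Constructed sample destinations (path, size in bytes); not taken from the page.
SAMPLES = [
    ("/FolderName/report.pdf", 1024),
    ("/Documents/FolderName/report.pdf", 1024),
    ("/Projects/_t/notes..txt ", 10),
    ("/Projects/a:b?.txt", 10),
]

if __name__ == "__main__":
    for path, size in SAMPLES:
        print(repr(path), "->", check_item(path, size, onedrive=True) or "ok")
```
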

 

Transferring Microsoft Lists is not supported.

 

Connection Pooling

  • Connections using OAuth 2 authentication may experience bandwidth throttling from Microsoft when using connection pooling.

Impersonation 

Impersonation is not supported for SharePoint Online. Impersonation is only supported for OneDrive for Business. 

Lock Events

Graph API does not support lock event detection without the use of a separate API call, which will slow down change detection. The workaround is to disable native event detection to transfer locks in each job run or to use a soft reset to transfer locks as needed. 

Mapping

  • When creating CSV mapping files for import, the usernames must be lowercase to properly adhere to the search requirements for the connector.

Metadata Mapping

  • If a library requires specific metadata but the metadata is missing from a file being copied into the library, the file will be flagged and will not transfer on subsequent job runs. If you have files stuck in a flagged state due to missing metadata, you may need to manually transfer the files and add the required metadata.

Timestamps

  • SharePoint Online Folder Created Date may experience a discrepancy in timestamps when using CSOM and Batch Mode.

    • This behavior is a known issue within OneDrive for Business / Office 365.

    • DryvIQ will attempt to preserve timestamps on folders when using both CSOM and the batch API. However, the behavior of SharePoint Online is to update the folder's modified dates whenever a file is uploaded into it.

    • As a result, when using CSOM, the timestamps will be preserved when the folder is initially created but then updated after every file that gets uploaded. When using batch API, it preserves the timestamps on the folders after all of the files within the batch are committed. This is the cause for the discrepancy between the two methods.

Version Deletes

  • Version deletes are supported. 

DryvIQ Migrate Version: 5.6.3.4210
Release Date: April 4, 2024