

# Connecting Microsoft OneDrive to Amazon Q Business

Microsoft OneDrive is a cloud-based storage service that you can use to store, share, and host your content. You can connect a Microsoft OneDrive instance to Amazon Q Business, using either the AWS Management Console or the [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) API, and create an Amazon Q web experience.

After you integrate Amazon Q with Microsoft OneDrive, users can ask questions about content stored in their OneDrive repositories. For example, users can inquire about project timelines in Excel spreadsheets, key findings from Word documents, presentation highlights from PowerPoint files, or search for specific information across multiple document types. The integration enables users to quickly access and understand information from their OneDrive content, regardless of file location or type, while providing contextual details such as publication dates, modification history, and document ownership—all contributing to more efficient information discovery and better-informed decision making.

**Topics**
+ [Connecting Microsoft OneDrive to Amazon Q Business (New)](onedrive-new-connector.md)
+ [Connecting Microsoft OneDrive to Amazon Q Business (Original)](onedrive-original-connector.md)

**Learn more**
+ For an overview of the Amazon Q web experience creation process using IAM Identity Center, see [Configuring an application using IAM Identity Center](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/create-application.html).
+ For an overview of the Amazon Q web experience creation process using AWS Identity and Access Management, see [Configuring an application using IAM](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/create-application-iam.html).
+ For an overview of connector features, see [Data source connector concepts](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html).
+ For information about connector configuration best practices, see [Connector configuration best practices](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-best-practices.html).

# Connecting Microsoft OneDrive to Amazon Q Business (New)

**Note**  
**Enhanced Version:** With the new connector, you can refresh your index significantly faster than before, control the sync scope using a date filter, automatically discover and index content for all users within your Microsoft tenant, and enable Q&A capabilities for audio and video files stored in OneDrive.

## Limitations


The Microsoft OneDrive new connector has the following known limitations:
+ No support for syncing OneNote files
+ Custom field mappings are not supported
+ VPC configuration is not supported
+ Document enrichment is not supported
+ OneDrive API throttling limits are determined by your organization's Microsoft 365 license count and are applied at the application level within a tenant (see [this Microsoft documentation](https://learn.microsoft.com/en-us/sharepoint/dev/general-development/how-to-avoid-getting-throttled-or-blocked-in-sharepoint-online#application-throttling)). These limits affect how many documents can be synced in a day, with further restrictions when Access Control Lists (ACLs) are involved. For example, in organizations with fewer than 1000 licenses, the connector can sync up to 1.2 million documents per day without ACLs. However, when syncing with ACLs, this limit is reduced to approximately 200,000 documents per day since ACLs require 5 additional resource units. If the sync job exceeds these limits, the OneDrive connector automatically pauses and resumes the following day to sync the remaining documents.

# Overview


The following table gives an overview of the Amazon Q Business Microsoft OneDrive new connector and its supported features.


[See the AWS documentation website for the feature overview table](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/onedrive-new-overview.html)

# Prerequisites


Before you begin, make sure that you have completed the following prerequisites.

**In your Microsoft Entra ID (formerly Azure Active Directory) tenant, make sure you have:**
+ Registered an application in Microsoft Entra ID.
+ Created a client secret for that application and recorded both the application (client) ID and the client secret value. These two values are what you store in the AWS Secrets Manager secret described below.
+ Copied the tenant (directory) ID of the organization. The connector is configured with this ID.
+ Added the following Microsoft Graph API permissions to the application:
  + Read files in all site collections (`Files.Read.All`)
  + Read all users' full profiles (`User.Read.All`)
  + Read all groups (`Group.Read.All`)
**Note**  
Choose the Application permissions type instead of Delegated permissions while adding the API permissions. Application permissions are tenant-wide and let the connector read every user's files without any user signing in, so restrict who can read the Secrets Manager secret that holds the client secret and rotate that secret as you would any other privileged credential.

**In your AWS account, make sure you have:**
+ Created an Amazon Q Business application.
+ Created an [Amazon Q Business retriever and added an index](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/select-retriever.html).
+ Created an [IAM role](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/iam-roles.html#iam-roles-ds) for your data source and, if using the Amazon Q API, noted the ARN of the IAM role.
+ Stored your Microsoft OneDrive authentication credentials in an AWS Secrets Manager secret and, if using the Amazon Q API, noted the ARN of the secret.
**Note**  
If you’re a console user, you can create the IAM role and Secrets Manager secret as part of configuring your Amazon Q application on the console.

For a list of things to consider while configuring your data source, see [Data source connector configuration best practices](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-best-practices.html).

# Using the console


The following procedure outlines how to connect Amazon Q Business to Microsoft OneDrive using the new connector with the AWS Management Console.

**Connecting Amazon Q Business to Microsoft OneDrive using the new connector**

1. Sign in to the AWS Management Console and open the Amazon Q Business console.

1. From the left navigation menu, choose **Data sources**.

1. From the **Data sources** page, choose **Add data source**.

1. Then, on the **Add data sources** page, from **Data sources**, add the **Microsoft OneDrive** data source to your Amazon Q application.

1. Then, on the **Microsoft OneDrive** data source page, enter the following information:

1. In **Source**, enter the following information:
   + **OneDrive Tenant ID** – Enter your Microsoft tenant ID (a UUID). You can find it as the Directory (tenant) ID in the Microsoft Entra admin center (formerly Azure AD).

1. **Authorization** – Amazon Q Business crawls ACL information by default to ensure responses are generated only from documents your end users have access to. If supported for your connector, you can manage ACLs by selecting **Enable ACLs** to enable ACLs or **Disable ACLs** to disable them. Disabling ACLs makes every document from this data source visible to every user of the application. To manage ACLs, you need specific IAM permissions. See [Grant permission to create data sources with ACLs disabled](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/setting-up.html#DisableAclOnDataSource) for more details. See [Authorization](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-authorization) for more details.

1. In **Authentication** – Choose between **New** and **Existing**.

   1. If you choose **Existing**, select an existing secret for **Select secret**.

     If you choose **New**, enter the following information in the **New AWS Secrets Manager secret** section:

     1. **Secret name** – A name for your secret.

     1. For **Client ID** and **Client secret** – Enter the application (client) ID and the client secret of your Microsoft Entra ID app registration, and then choose **Save authentication**.

1. **IAM role** – Choose an existing IAM role or create an IAM role to access your repository credentials and index content.
**Note**  
IAM roles used for applications can't be used for data sources. If you are unsure if an existing role is used for an application, choose **Create a new role** to avoid errors.

1. In **Sync scope**, configure which OneDrive users and content to sync:

   1. **Select OneDrive users** – Choose how to specify which users' content to sync:
      + **All users** – Select this option to sync content for all users in the organization. This allows comprehensive content discovery across all user accounts.
      + **Users from a user name file** – Choose this option to specify users via a file stored in an Amazon S3 bucket. Select the location of the user name file by choosing **Browse**.
**Note**  
If you choose this option, the IAM role for the data source must have read permissions for the Amazon S3 bucket where the file is stored.
      + **Specific users** – Choose this option to manually specify individual users. You can add a maximum of 10 users using this option. To add more than 10 users, create a file containing the usernames and choose **Users from a user name file**.

   1. **Maximum single file size** – Set the maximum file size for crawling. During ingestion, the file size limit depends on the file type: video files up to 10 GB (10,240 MB), audio files up to 2 GB (2,048 MB), PDF, Word and PowerPoint documents up to 500 MB, and Excel and other supported file formats up to 50 MB. There are also limits on the amount of text extracted from these documents: CSV and Excel files have an extracted text limit of 10 MB, and all other document formats have a limit of 30 MB of extracted text.

   1. **Additional configuration - *optional*** – All content will be indexed by default. However, you can also limit the scope with these additional options:

      1. **Date filter** – Add a date range to filter content based on the last modified date:
         + **Start date** – Filter content modified after this date (YYYY/MM/DD format)
         + **End date - optional** – Filter content modified before this date (YYYY/MM/DD format)

      1. **Filter patterns** – Add file path patterns to include or exclude certain folders and files from OneDrive:
         + **Include patterns** – Specify file paths to include in the sync. Enter the path pattern and choose **Add**.
         + **Exclude patterns** – Specify file paths to exclude from the sync. Enter the path pattern and choose **Add**.

           You can find the path of a folder or file in OneDrive by navigating to the file or folder you want to filter, choosing the three-dot menu next to its name, and selecting **Details**. In the details panel, scroll down to **Path** and choose **Copy** next to the path. For shared folders and files, first choose **Open location** in the menu next to the file or folder name, and then follow the same steps.

   1. **Multi-media content configuration – optional** – To enable content extraction from embedded images and visuals in documents, choose **Visual content in documents**. For more information, see [Extracting semantic meaning from embedded images and visuals](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/extracting-meaning-from-images.html).

      To extract audio transcriptions, enable **Audio files**. To extract video content, enable **Video files**. For more information, see [Extracting semantic meaning from audio and video Content](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/Audio-video-extraction.html).

   1. **Advanced settings**

      **Document deletion safeguard** - *optional* – To safeguard your documents from deletion during a sync job, select **On** and enter an integer between 0 and 100. If the percentage of documents to be deleted in a sync job exceeds that value, the delete phase is skipped and no documents from this data source are deleted from your index. For more information, see [Document deletion safeguard](connector-concepts.md#document-deletion-safeguard).

1. In **Sync run schedule**, for **Frequency** – Choose how often Amazon Q will sync with your data source. For more details, see [Sync run schedule](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-sync-run). To learn how to start a data sync job, see [Starting data source connector sync jobs](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/supported-datasource-actions.html#start-datasource-sync-jobs).

1. **Tags - *optional*** – Add tags to search and filter your resources or track your AWS costs. See [Tags](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/tagging.html) for more details.

1. In **Data source details**, choose **Sync now** to allow Amazon Q to begin syncing (crawling and ingesting) data from your data source. When the sync job finishes, your data source is ready to use.
**Note**  
View CloudWatch logs for your data source sync job by selecting **View CloudWatch logs**. If you encounter a `Resource not found exception` error, wait and try again as logs may not be available immediately.  
You can also view a detailed document-level report by selecting **View Report**. This report shows the status of each document during the crawl, sync, and index stages, including any errors. If the report is empty for an in-progress job, check back later as data is emitted to the report as events occur during the sync process.  
For more information, see [Troubleshooting data source connectors](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/troubleshooting-data-sources.html#troubleshooting-data-sources-not-indexed).

# Connecting Amazon Q Business to Microsoft OneDrive using APIs

You use the [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) action to connect a data source to your Amazon Q application. You can also use the [UpdateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_UpdateDataSource.html) action to modify an existing data source configuration.

Then, you use the `configuration` parameter to provide a JSON blob that conforms to the AWS-defined JSON schema.

For an example of the API request, see [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) and [UpdateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_UpdateDataSource.html) in the Amazon Q API Reference.

## Microsoft OneDrive JSON schema


The following is the JSON schema for the Microsoft OneDrive (new) data source configuration:

```
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "properties": {
    "version": {
      "type": "string",
      "pattern": "2.0.0"
    },
    "type": {
      "type": "string",
      "enum": [
        "ONEDRIVEV3"
      ]
    },
    "connectionConfiguration": {
      "type": "object",
      "properties": {
        "secretArn": {
          "type": "string",
          "pattern": "^arn:[a-z0-9-\\.]{1,63}:[a-z0-9-\\.]{0,63}:[a-z0-9-\\.]{0,63}:[a-z0-9-\\.]{0,63}:[^/].{0,1023}$"
        },
        "tenantId": {
          "type": "string",
          "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
          "minLength": 36,
          "maxLength": 36
        },
        "authType": {
          "type": "string",
          "enum": [
            "ENTRA_APP_ID",
            "OAUTH2"
          ]
        }
      },
      "required": [
        "secretArn",
        "tenantId",
        "authType"
      ]
    },
    "dataEntityConfiguration": {
      "type": "object",
      "properties": {
        "crawlPersonalDrives": {
          "type": "boolean"
        }
      }
    },
    "filterConfiguration": {
      "type": "object",
      "properties": {
        "exclusionUserEmailAddresses": {
          "type": "array",
          "maxItems": 100,
          "items": {
            "type": "string",
            "minLength": 1,
            "maxLength": 1024
          }
        },
        "inclusionUserEmailAddresses": {
          "type": "array",
          "maxItems": 100,
          "items": {
            "type": "string",
            "minLength": 1,
            "maxLength": 1024
          }
        },
        "userFilterPath": {
          "type": "string",
          "pattern": "^s3:\\/\\/[a-z0-9][\\.\\-a-z0-9]{1,61}[a-z0-9]\\/.*$"
        },
        "exclusionDriveItems": {
          "type": "array",
          "maxItems": 100,
          "items": {
            "type": "string",
            "minLength": 1,
            "maxLength": 1024
          }
        },
        "inclusionDriveItems": {
          "type": "array",
          "maxItems": 100,
          "items": {
            "type": "string",
            "minLength": 1,
            "maxLength": 1024
          }
        },
        "absoluteDateBefore": {
          "type": "string",
          "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(?:\\.\\d+)?(?:Z|[+-]\\d{2}:\\d{2})$"
        },
        "absoluteDateAfter": {
          "type": "string",
          "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(?:\\.\\d+)?(?:Z|[+-]\\d{2}:\\d{2})$"
        },
        "maxFileSizeInMegaBytes": {
          "type": "string",
          "pattern": "^\\d+$"
        }
      }
    },
    "deletionProtectionConfiguration": {
      "type": "object",
      "properties": {
        "enableDeletionProtection": {
          "type": "boolean"
        },
        "deletionProtectionThreshold": {
          "type": "string",
          "pattern": "^(100|[1-9][0-9]?)$"
        }
      }
    },
    "crawlIdentities": {
      "type": "boolean"
    },
    "accessControlConfiguration": {
      "type": "object",
      "properties": {
        "crawlAcls": {
          "type": "boolean"
        }
      }
    }
  },
  "required": [
    "connectionConfiguration",
    "dataEntityConfiguration",
    "type"
  ]
}
```

The following table provides information about important JSON keys to configure for OneDrive (New).


| Configuration | Description | 
| --- | --- | 
| accessControlConfiguration | Configuration for access control: crawlAcls: Boolean flag to enable/disable crawling of access control lists. Specify true to crawl access control information from documents. Amazon Q crawls ACL information by default to ensure responses are generated only from documents your end users have access to. | 
| crawlIdentities | Boolean flag to enable/disable crawling of identity information. true to activate identity crawler. Identity crawler is activated by default. Crawling identity information on users and groups with access to specific documents is useful for user context filtering. Search results are filtered based on the user or their group access to documents. | 
| deletionProtectionConfiguration | Configuration for deletion protection: enableDeletionProtection: Boolean flag to enable/disable deletion protection. deletionProtectionThreshold: Threshold percentage (1-100) for deletion protection. | 
| filterConfiguration | Configuration for the sync scope: inclusionUserEmailAddresses and exclusionUserEmailAddresses: lists (up to 100 entries each) of user email addresses whose drives to include or exclude. userFilterPath: S3 URI (s3://bucket/key) of a file that lists the users to sync. inclusionDriveItems and exclusionDriveItems: lists (up to 100 entries each) of file or folder paths to include or exclude. absoluteDateAfter and absoluteDateBefore: ISO 8601 date-times; only content last modified within the range is synced. maxFileSizeInMegaBytes: maximum file size to crawl, as a string of digits. [See the AWS documentation website for more details](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/onedrive-v2-api.html) | 
| dataEntityConfiguration | Configuration for what content to crawl: crawlPersonalDrives: Boolean flag to enable/disable crawling of personal drives. | 
| connectionConfiguration | Configuration information for connecting to OneDrive: secretArn: The Amazon Resource Name (ARN) of an AWS Secrets Manager secret that contains authentication credentials. The secret must contain a JSON structure with the following keys: `{"clientID": "OAuth Client ID", "clientSecret": "client secret"}`. tenantId: The tenant ID in UUID format. authType: Authentication type, either `ENTRA_APP_ID` or `OAUTH2`. | 
| type | The type of data source. Specify ONEDRIVEV3 as your data source type. | 
| version | The version of this template. Currently supported version is "2.0.0". | 
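The configuration above is easy to get subtly wrong (a tenant ID in the wrong case, a date without a time zone, a deletion threshold of `0`), and the API only tells you after the call. The following is an added example, not AWS code, that assembles the `ONEDRIVEV3` configuration in the shape of the schema, checks it against the schema's constraints before `CreateDataSource` is called, flags the two settings a security reviewer would question (ACL crawling disabled, no deletion safeguard), and stores the Entra app credentials in Secrets Manager with the `clientID`/`clientSecret` layout the key table describes. The boto3 calls (`secretsmanager.create_secret`, `qbusiness.create_data_source`) and the secret name `qbusiness/onedrive` are assumptions; they run only when `create_secret_and_data_source()` is called, so the builder and validator work offline.

```python
"""Build, validate and register an Amazon Q Business OneDrive (ONEDRIVEV3) data
source configuration.

Added example, not AWS code. The checks are transcribed from the JSON schema on
this page and the secret layout {"clientID", "clientSecret"} from the key table.
The boto3 calls in create_secret_and_data_source() are assumed from the public
boto3 API and run only when that function is called.
"""
import json
import re

# Patterns transcribed from the schema's "pattern" constraints.
SECRET_ARN_RE = re.compile(r"^arn:[a-z0-9.-]{1,63}:[a-z0-9.-]{0,63}:[a-z0-9.-]{0,63}"
                           r":[a-z0-9.-]{0,63}:[^/].{0,1023}$")
TENANT_ID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
S3_URI_RE = re.compile(r"^s3://[a-z0-9][.a-z0-9-]{1,61}[a-z0-9]/.*$")
ISO_DATETIME_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})$")
THRESHOLD_RE = re.compile(r"^(100|[1-9][0-9]?)$")
LIST_KEYS = ("inclusionUserEmailAddresses", "exclusionUserEmailAddresses",
             "inclusionDriveItems", "exclusionDriveItems")


def build_onedrive_config(secret_arn, tenant_id, filters=None, *, crawl_acls=True,
                          crawl_identities=True, deletion_threshold_pct=None):
    """Return a configuration dict shaped like the page's JSON schema."""
    cfg = {
        "version": "2.0.0",
        "type": "ONEDRIVEV3",
        "connectionConfiguration": {"secretArn": secret_arn, "tenantId": tenant_id,
                                    "authType": "OAUTH2"},
        "dataEntityConfiguration": {"crawlPersonalDrives": True},
        # `filters` uses the schema's own filterConfiguration key names
        "filterConfiguration": {"maxFileSizeInMegaBytes": "50", **(filters or {})},
        "crawlIdentities": crawl_identities,
        "accessControlConfiguration": {"crawlAcls": crawl_acls},
    }
    if deletion_threshold_pct is not None:
        cfg["deletionProtectionConfiguration"] = {
            "enableDeletionProtection": True,
            "deletionProtectionThreshold": str(deletion_threshold_pct)}
    return cfg


def validate_onedrive_config(cfg):
    """Return the schema violations found (an empty list means cfg conforms)."""
    problems = []
    for key in ("connectionConfiguration", "dataEntityConfiguration", "type"):
        if key not in cfg:
            problems.append(f"missing required key {key}")
    if cfg.get("type") != "ONEDRIVEV3":
        problems.append("type must be ONEDRIVEV3")
    conn = cfg.get("connectionConfiguration", {})
    for key in ("secretArn", "tenantId", "authType"):
        if key not in conn:
            problems.append(f"connectionConfiguration.{key} is required")
    if "secretArn" in conn and not SECRET_ARN_RE.match(conn["secretArn"]):
        problems.append("secretArn is not a valid ARN")
    if "tenantId" in conn and not TENANT_ID_RE.match(conn["tenantId"]):
        problems.append("tenantId must be a lowercase UUID")
    if "authType" in conn and conn["authType"] not in ("ENTRA_APP_ID", "OAUTH2"):
        problems.append("authType must be ENTRA_APP_ID or OAUTH2")
    filt = cfg.get("filterConfiguration", {})
    for key in LIST_KEYS:
        items = filt.get(key, [])
        if len(items) > 100 or any(not 1 <= len(i) <= 1024 for i in items):
            problems.append(f"{key}: at most 100 items of 1-1024 characters")
    if "userFilterPath" in filt and not S3_URI_RE.match(filt["userFilterPath"]):
        problems.append("userFilterPath must be an s3://bucket/key URI")
    for key in ("absoluteDateBefore", "absoluteDateAfter"):
        if key in filt and not ISO_DATETIME_RE.match(filt[key]):
            problems.append(f"{key} must be an ISO 8601 date-time with a zone")
    size = filt.get("maxFileSizeInMegaBytes")
    if size is not None and not re.fullmatch(r"\d+", size):
        problems.append("maxFileSizeInMegaBytes must be a string of digits")
    thr = cfg.get("deletionProtectionConfiguration", {}).get("deletionProtectionThreshold")
    if thr is not None and not THRESHOLD_RE.match(thr):
        problems.append("deletionProtectionThreshold must be a string from '1' to '100'")
    return problems


def security_warnings(cfg):
    """Posture checks the schema does not enforce but a reviewer would."""
    warnings = []
    if cfg.get("accessControlConfiguration", {}).get("crawlAcls") is False:
        warnings.append("crawlAcls=false: every indexed document is visible to every user")
    if not cfg.get("deletionProtectionConfiguration", {}).get("enableDeletionProtection"):
        warnings.append("no deletion safeguard: one bad sync can remove this source from the index")
    return warnings


def create_secret_and_data_source(region, application_id, index_id, role_arn,
                                  client_id, client_secret, tenant_id, **options):
    """Store the Entra app credentials, validate the config, then register it."""
    import boto3  # imported here so the validators above run without boto3
    secret_arn = boto3.client("secretsmanager", region_name=region).create_secret(
        Name="qbusiness/onedrive",  # assumed secret name
        SecretString=json.dumps({"clientID": client_id, "clientSecret": client_secret}),
    )["ARN"]
    cfg = build_onedrive_config(secret_arn, tenant_id, **options)
    problems = validate_onedrive_config(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    return boto3.client("qbusiness", region_name=region).create_data_source(
        applicationId=application_id, indexId=index_id, displayName="onedrive",
        roleArn=role_arn, configuration=cfg)["dataSourceId"]
```

`validate_onedrive_config` reports every violation at once rather than stopping at the first, and `security_warnings` is kept separate because a configuration with ACL crawling disabled is schema-valid; whether it is acceptable is a policy decision that belongs in review, not in the validator.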

# Connecting Amazon Q Business to Microsoft OneDrive using AWS CloudFormation

You use the [AWS::QBusiness::DataSource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-qbusiness-datasource.html) resource to connect a data source to your Amazon Q application.

Use the [Configuration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-qbusiness-datasource.html#cfn-qbusiness-datasource-configuration) property of that resource to provide a JSON or YAML document with the configuration details specific to your data source connector.

To learn more about AWS CloudFormation, see [What is AWS CloudFormation?](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html) in the *CloudFormation User Guide*.

**Topics**
+ [Microsoft OneDrive JSON schema for using the configuration property with AWS CloudFormation](#onedrive-v2-cfn-json)
+ [Microsoft OneDrive YAML schema for using the configuration property with AWS CloudFormation](#onedrive-v2-cfn-yaml)

## Microsoft OneDrive JSON schema for using the configuration property with AWS CloudFormation

The following is the Microsoft OneDrive JSON schema and examples for the configuration property for AWS CloudFormation.

**Topics**
+ [Microsoft OneDrive JSON schema for using the configuration property with AWS CloudFormation](#onedrive-v2-cfn-json-schema)
+ [Microsoft OneDrive JSON schema example for using the configuration property with AWS CloudFormation](#onedrive-v2-cfn-json-example)

### Microsoft OneDrive JSON schema for using the configuration property with AWS CloudFormation

The following is the Microsoft OneDrive JSON schema for the configuration property for CloudFormation.

```
{
    "type": "object",
    "properties": {
        "version": {
            "type": "string"
        },
        "type": {
            "type": "string",
            "enum": ["ONEDRIVEV3"]
        },
        "connectionConfiguration": {
            "type": "object",
            "properties": {
                "secretArn": {
                    "type": "string",
                    "minLength": 20,
                    "maxLength": 2048
                },
                "tenantId": {
                    "type": "string",
                    "minLength": 36,
                    "maxLength": 36
                },
                "authType": {
                    "type": "string",
                    "enum": ["OAUTH2"]
                }
            },
            "required": ["secretArn", "tenantId", "authType"]
        },
        "dataEntityConfiguration": {
            "type": "object",
            "properties": {
                "crawlPersonalDrives": {
                    "anyOf": [{
                            "type": "boolean"
                        },
                        {
                            "type": "string",
                            "enum": ["true", "false"]
                        }
                    ]
                }
            }
        },
        "filterConfiguration": {
            "type": "object",
            "properties": {
                "inclusionUserEmailAddresses": {
                    "type": "array",
                    "maxItems": 100,
                    "items": {
                        "type": "string",
                        "minLength": 1,
                        "maxLength": 1024
                    }
                },
                "userFilterPath": {
                    "type": "string",
                    "minLength": 1,
                    "maxLength": 1024
                },
                "exclusionDriveItems": {
                    "type": "array",
                    "maxItems": 100,
                    "items": {
                        "type": "string",
                        "minLength": 1,
                        "maxLength": 1024
                    }
                },
                "inclusionDriveItems": {
                    "type": "array",
                    "maxItems": 100,
                    "items": {
                        "type": "string",
                        "minLength": 1,
                        "maxLength": 1024
                    }
                },
                "absoluteDateBefore": {
                    "type": "string",
                    "description": "ISO 8601 date-time format (e.g., 2024-12-31T23:59:59Z)"
                },
                "absoluteDateAfter": {
                    "type": "string",
                    "description": "ISO 8601 date-time format (e.g., 2024-12-31T23:59:59Z)"
                },
                "maxFileSizeInMegaBytes": {
                    "type": "string"
                }
            }
        },
        "deletionProtectionConfiguration": {
            "type": "object",
            "properties": {
                "enableDeletionProtection": {
                    "anyOf": [{
                            "type": "boolean"
                        },
                        {
                            "type": "string",
                            "enum": ["true", "false"]
                        }
                    ]
                },
                "deletionProtectionThreshold": {
                    "type": "string",
                    "description": "percentage value of range (0-100)" 
                }
            }
        },
        "crawlIdentities": {
            "anyOf": [{
                    "type": "boolean"
                },
                {
                    "type": "string",
                    "enum": ["true", "false"]
                }
            ]
        },
        "accessControlConfiguration": {
            "type": "object",
            "properties": {
                "crawlAcl": {
                    "anyOf": [{
                            "type": "boolean"
                        },
                        {
                            "type": "string",
                            "enum": ["true", "false"]
                        }
                    ]
                }
            }
        },
        "identityLoggingStatus": {
            "type": "string",
            "enum": ["ENABLED", "DISABLED"]
        }
    },
    "required": ["connectionConfiguration", "dataEntityConfiguration", "type"]
}
```

### Microsoft OneDrive JSON schema example for using the configuration property with AWS CloudFormation

The following is the Microsoft OneDrive JSON example for the Configuration property for CloudFormation. Note that it sets `crawlAcl` and `crawlIdentities` to `false`, which indexes the content without access control information and so makes every document from this data source visible to every user of the application; keep both at their default of `true` unless the content is intentionally public.

```
{
  "type": "ONEDRIVEV3",
  "crawlIdentities": false,
  "connectionConfiguration": {
    "secretArn": "arn:aws:secretsmanager:us-west-2:123456789012:secret:my-one-drive-secret",
    "tenantId": "1234a12c-1234-1234-1abc-1234ab12a12a",
    "authType": "OAUTH2"
  },
  "dataEntityConfiguration": {
    "crawlPersonalDrives": true
  },
  "accessControlConfiguration": {
    "crawlAcl": false
  },
  "filterConfiguration": {
    "inclusionUserEmailAddresses": ["user123@amazon.com"],
    "maxFileSizeInMegaBytes": "50",
    "exclusionDriveItems": ["path/to/folder1", "path/to/file1"],
    "inclusionDriveItems": ["path/to/folder2", "path/to/file2"],
    "userFilterPath": "s3://bucket/prefix/object.txt",
    "absoluteDateBefore": "2025-08-02T00:00:00Z",
    "absoluteDateAfter": "2025-08-01T00:00:00Z"
  },
  "deletionProtectionConfiguration": {
    "enableDeletionProtection": true,
    "deletionProtectionThreshold": "10"
  },
  "version": "3.0.0",
  "identityLoggingStatus": "DISABLED"
}
```

## Microsoft OneDrive YAML schema for using the configuration property with AWS CloudFormation

The following is the Microsoft OneDrive YAML schema and examples for the configuration property for AWS CloudFormation:

**Topics**
+ [Microsoft OneDrive YAML schema for using the configuration property with AWS CloudFormation](#onedrive-v2-cfn-yaml-schema)
+ [Microsoft OneDrive YAML schema example for using the configuration property with AWS CloudFormation](#onedrive-v2-cfn-yaml-example)

### Microsoft OneDrive YAML schema for using the configuration property with AWS CloudFormation

The following is the Microsoft OneDrive YAML schema for the configuration property for CloudFormation.

```
configuration:
  type: object
  properties:
    version:
      type: string
    type:
      type: string
      enum:
        - ONEDRIVEV3
    connectionConfiguration:
      type: object
      properties:
        secretArn:
          type: string
          minLength: 20
          maxLength: 2048
        tenantId:
          type: string
          minLength: 36
          maxLength: 36
        authType:
          type: string
          enum:
            - OAUTH2
      required:
        - secretArn
        - tenantId
        - authType
    dataEntityConfiguration:
      type: object
      properties:
        crawlPersonalDrives:
          anyOf:
            - type: boolean
            - type: string
              enum:
                - 'true'
                - 'false'
    filterConfiguration:
      type: object
      properties:
        inclusionUserEmailAddresses:
          type: array
          maxItems: 100
          items:
            type: string
            minLength: 1
            maxLength: 1024
        userFilterPath:
          type: string
          minLength: 1
          maxLength: 1024
        exclusionDriveItems:
          type: array
          maxItems: 100
          items:
            type: string
            minLength: 1
            maxLength: 1024
        inclusionDriveItems:
          type: array
          maxItems: 100
          items:
            type: string
            minLength: 1
            maxLength: 1024
        absoluteDateBefore:
          type: string
          description: 'ISO 8601 date-time format (e.g., 2024-12-31T23:59:59Z)'
        absoluteDateAfter:
          type: string
          description: 'ISO 8601 date-time format (e.g., 2024-12-31T23:59:59Z)'
        maxFileSizeInMegaBytes:
          type: string
    deletionProtectionConfiguration:
      type: object
      properties:
        enableDeletionProtection:
          anyOf:
            - type: boolean
            - type: string
              enum:
                - 'true'
                - 'false'
        deletionProtectionThreshold:
          type: string
          description: 'percentage value of range (0-100)'
    crawlIdentities:
      anyOf:
        - type: boolean
        - type: string
          enum:
            - 'true'
            - 'false'
    accessControlConfiguration:
      type: object
      properties:
        crawlAcl:
          anyOf:
            - type: boolean
            - type: string
              enum:
                - 'true'
                - 'false'
    identityLoggingStatus:
      type: string
      enum:
        - ENABLED
        - DISABLED
  required:
    - connectionConfiguration
    - dataEntityConfiguration
    - type
```

### Microsoft OneDrive YAML schema example for using the configuration property with AWS CloudFormation

The following is the Microsoft OneDrive YAML example for the Configuration property for CloudFormation. Like the JSON example, it disables ACL and identity crawling (`crawlAcl: false`, `crawlIdentities: false`), which makes every indexed document visible to every user; keep the defaults unless the content is intentionally public:

```
configuration:
  type: ONEDRIVEV3
  crawlIdentities: false
  connectionConfiguration:
    secretArn: 'arn:aws:secretsmanager:us-west-2:123456789012:secret:my-one-drive-secret'
    tenantId: '1234a12c-1234-1234-1abc-1234ab12a12a'
    authType: OAUTH2
  dataEntityConfiguration:
    crawlPersonalDrives: true
  accessControlConfiguration:
    crawlAcl: false
  filterConfiguration:
    inclusionUserEmailAddresses:
      - 'user123@amazon.com'
    maxFileSizeInMegaBytes: '50'
    exclusionDriveItems:
      - 'path/to/folder1'
      - 'path/to/file1'
    inclusionDriveItems:
      - 'path/to/folder2'
      - 'path/to/file2'
    userFilterPath: 's3://bucket/prefix/object.txt'
    absoluteDateBefore: '2025-08-02T00:00:00Z'
    absoluteDateAfter: '2025-08-01T00:00:00Z'
  deletionProtectionConfiguration:
    enableDeletionProtection: true
    deletionProtectionThreshold: '10'
  version: '3.0.0'
  identityLoggingStatus: DISABLED
```
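The YAML schema above spells out limits that a misconfiguration can silently violate (string-typed numbers, the `anyOf` that accepts a boolean or exactly `'true'`/`'false'`, the 0-100 threshold), and the ACL section that follows explains why `crawlAcl: false` matters. The following preflight linter is an added example, not AWS code or part of the connector: it applies those constraints to the example configuration (transcribed into a Python dict so it runs without a YAML library) and flags settings that weaken document security. It assumes `exclusionDriveItems` shares the limits shown for `inclusionDriveItems` and that `crawlAcl` and `crawlIdentities` default to true when absent.

```python
"""Preflight linter for an Amazon Q Business ONEDRIVEV3 connector configuration.

Added example, not AWS code. Applies the constraints the YAML schema above
states, then flags valid-but-risky settings. Assumptions: exclusionDriveItems
shares inclusionDriveItems' limits; crawlAcl/crawlIdentities default to true.
"""
import re
from datetime import datetime

ISO_8601 = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")
BOOL_STRINGS = {"true", "false"}  # the enum the schema's anyOf allows


def as_bool(value):
    """Resolve the anyOf: a real boolean or exactly 'true'/'false'.
    Returns None for anything else (for example 'True' or 'yes')."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value in BOOL_STRINGS:
        return value == "true"
    return None


def check_drive_items(name, items, errors):
    """Drive item lists: at most 100 strings, each 1..1024 characters."""
    if items is None:
        return
    if len(items) > 100:
        errors.append(f"{name}: {len(items)} items, schema allows at most 100")
    for item in items:
        if not isinstance(item, str) or not 1 <= len(item) <= 1024:
            errors.append(f"{name}: entry {item!r} must be 1-1024 characters")


def check_flag(raw, key, errors, warnings, warning_text):
    """Validate a boolean-or-string flag and warn when it is off."""
    value = as_bool(raw)
    if value is None:
        errors.append(f"{key} must be a boolean or 'true'/'false'")
    elif not value:
        warnings.append(warning_text)


def lint_config(cfg):
    """Return (errors, warnings): schema violations and risky-but-valid settings."""
    errors, warnings = [], []
    for key in ("connectionConfiguration", "dataEntityConfiguration", "type"):
        if key not in cfg:
            errors.append(f"missing required key {key}")

    flt = cfg.get("filterConfiguration", {})
    check_drive_items("inclusionDriveItems", flt.get("inclusionDriveItems"), errors)
    check_drive_items("exclusionDriveItems", flt.get("exclusionDriveItems"), errors)
    dates = {}
    for key in ("absoluteDateBefore", "absoluteDateAfter"):
        value = flt.get(key)
        if value is None:
            continue
        if isinstance(value, str) and ISO_8601.match(value):
            dates[key] = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
        else:
            errors.append(f"{key}: {value!r} is not ISO 8601 like 2024-12-31T23:59:59Z")
    # Not a schema rule: a window that ends before it starts crawls nothing, silently.
    if len(dates) == 2 and dates["absoluteDateBefore"] <= dates["absoluteDateAfter"]:
        errors.append("absoluteDateBefore must be later than absoluteDateAfter")
    size = flt.get("maxFileSizeInMegaBytes")
    if size is not None and not (isinstance(size, str) and size.isdigit()):
        errors.append(f"maxFileSizeInMegaBytes must be a numeric string, got {size!r}")

    dp = cfg.get("deletionProtectionConfiguration", {})
    check_flag(dp.get("enableDeletionProtection", False), "enableDeletionProtection",
               errors, warnings, "deletion protection is off: a bad sync can empty the index")
    threshold = dp.get("deletionProtectionThreshold")
    if threshold is not None and not (isinstance(threshold, str) and threshold.isdigit()
                                      and int(threshold) <= 100):
        errors.append(f"deletionProtectionThreshold must be a percentage string 0-100, got {threshold!r}")

    check_flag(cfg.get("accessControlConfiguration", {}).get("crawlAcl", True), "crawlAcl",
               errors, warnings, "crawlAcl is false: indexed documents are treated as public")
    check_flag(cfg.get("crawlIdentities", True), "crawlIdentities",
               errors, warnings, "crawlIdentities is false: no user or group identities are ingested")
    return errors, warnings


# The page's YAML example, transcribed into a dict so this runs without PyYAML.
EXAMPLE_CONFIG = {
    "type": "ONEDRIVEV3", "crawlIdentities": False, "version": "3.0.0",
    "identityLoggingStatus": "DISABLED",
    "connectionConfiguration": {
        "secretArn": "arn:aws:secretsmanager:us-west-2:123456789012:secret:my-one-drive-secret",
        "tenantId": "1234a12c-1234-1234-1abc-1234ab12a12a", "authType": "OAUTH2"},
    "dataEntityConfiguration": {"crawlPersonalDrives": True},
    "accessControlConfiguration": {"crawlAcl": False},
    "filterConfiguration": {
        "inclusionUserEmailAddresses": ["user123@amazon.com"], "maxFileSizeInMegaBytes": "50",
        "exclusionDriveItems": ["path/to/folder1", "path/to/file1"],
        "inclusionDriveItems": ["path/to/folder2", "path/to/file2"],
        "userFilterPath": "s3://bucket/prefix/object.txt",
        "absoluteDateBefore": "2025-08-02T00:00:00Z", "absoluteDateAfter": "2025-08-01T00:00:00Z"},
    "deletionProtectionConfiguration": {"enableDeletionProtection": True,
                                        "deletionProtectionThreshold": "10"},
}
```

Run against the page's example, `lint_config` reports no schema errors but two warnings, because the example sets both `crawlAcl` and `crawlIdentities` to false; the date-ordering check is an added sanity rule, not something the schema states.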

# How Amazon Q Business connector crawls Microsoft OneDrive ACLs
ACL crawling

Connectors support crawling ACL and identity information where applicable based on the data source. If you index documents without ACLs, all documents are considered public. Indexing documents with ACLs ensures data security.

Amazon Q Business supports crawling ACLs for document security by default.

The Microsoft OneDrive connector for Amazon Q Business crawls files, including documents, spreadsheets, presentations, and notes, as the primary content type. It supports various file formats and integrates directly with Microsoft Office apps.

**Roles/permissions**: The Microsoft OneDrive connector translates Microsoft OneDrive permissions into ACLs that are compatible with Amazon Q Business. The basic permissions include: 
+ Read-only Access: users can view
+ Preview Access: users can view but cannot download
+ Edit: users can modify content

**Permission Inheritance**: The Microsoft OneDrive connector is designed to detect and handle hierarchical content organization. In Microsoft OneDrive, files and subfolders inherit permissions from parent folders by default. Permissions can be customized at subfolder and file levels. In this case, the ACLs are a union of the parent ACLs and child ACLs.

**Identity Crawling**: Domain-wide access is supported using service account authentication. Google Drive supports nested groups, meaning that one group can be a member of another. The connector handles complex group structures by flattening group memberships and ensuring that permissions are applied correctly across all levels.

**Failure handling**: The connector implements a fail-closed approach, meaning that if there are permission-related issues or API failures, the document is skipped from ingestion rather than being made publicly accessible.
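The two behaviours this section describes, inherited ACLs composed as a union and fail-closed handling of permission lookup failures, are small enough to model directly. The following Python is an added illustration, not the connector's code: it resolves each file's effective ACL as the union of its own grants and every ancestor's, skips any document whose permissions cannot be resolved instead of indexing it without an ACL, and shows the user-context filter that the resolved ACLs feed. The folder tree, principals and the simulated API failure are constructed.

```python
"""Toy model of the ACL composition described above.

Added example, not the connector's code. It encodes two statements from this
section: a child's ACL is the union of the parent ACLs and its own, and a
permission lookup failure causes the document to be skipped (fail closed)
rather than indexed without an ACL. Paths, principals and the simulated
failure are constructed.
"""
from dataclasses import dataclass, field


class PermissionLookupError(Exception):
    """Stands in for a failed permission call against the repository API."""


@dataclass
class Node:
    path: str
    parent: "Node | None" = None
    own_acl: set = field(default_factory=set)  # principals granted on this item
    lookup_fails: bool = False                 # constructed: simulate an API failure


def effective_acl(node):
    """Union of the item's own ACL with every ancestor's ACL (inheritance)."""
    if node.lookup_fails:
        raise PermissionLookupError(node.path)
    acl = set(node.own_acl)
    if node.parent is not None:
        acl |= effective_acl(node.parent)
    return acl


def crawl(files):
    """Return (indexed, skipped): indexed maps path -> resolved ACL; skipped
    lists paths the crawler refused because the ACL could not be resolved."""
    indexed, skipped = {}, []
    for f in files:
        try:
            indexed[f.path] = effective_acl(f)
        except PermissionLookupError:
            skipped.append(f.path)  # fail closed: no ACL, no ingestion
    return indexed, skipped


def can_read(indexed, path, user, groups=frozenset()):
    """User-context filter: a document is visible only if the user or one of
    the user's groups appears in its ACL. Unindexed documents are never visible."""
    acl = indexed.get(path)
    return acl is not None and (user in acl or bool(acl & set(groups)))


# Constructed tree: a shared folder whose subfolder grants one extra person.
ROOT = Node("Finance", own_acl={"alice@example.com", "finance-team@example.com"})
SUB = Node("Finance/Q3", parent=ROOT, own_acl={"bob@example.com"})
FILES = [
    Node("Finance/Q3/report.xlsx", parent=SUB),
    Node("Finance/Q3/draft.docx", parent=SUB, own_acl={"carol@example.com"}),
    Node("Finance/Q3/legacy.pptx", parent=SUB, lookup_fails=True),
]

if __name__ == "__main__":
    indexed, skipped = crawl(FILES)
    for path, acl in indexed.items():
        print(path, sorted(acl))
    print("skipped (fail closed):", skipped)
```

Because `draft.docx` customizes its ACL, its effective ACL still contains every grantee of `Finance` and `Finance/Q3`; a user who is in none of those lists, and who belongs to no listed group, sees nothing, and the file whose lookup failed is absent from the index entirely.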

# IAM role


If you use the AWS CLI or an AWS SDK, you must create an AWS Identity and Access Management (IAM) policy before you create an Amazon Q resource. When you call the [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) operation, you provide the Amazon Resource Name (ARN) role with the policy attached.

If you use the AWS Management Console, you can create a new IAM role in the Amazon Q console or use an existing IAM role.

To learn more about IAM roles, see [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) in the *AWS Identity and Access Management User Guide*.

To connect your data source connector to Amazon Q, you must give Amazon Q an IAM role that has the following permissions:
+ Permission to access the `BatchPutDocument` and `BatchDeleteDocument` operations to ingest documents.
+ Permission to access the [User Store](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-principal-store.html) API operations to ingest user and group access control information from documents.
+ Permission to access your AWS Secrets Manager secret to authenticate your data source connector instance.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowsAmazonQToGetSecret",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": [
        "arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:{{secret_id}}"
      ]
    },
    {
      "Sid": "AllowsAmazonQToDecryptSecret",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:kms:{{region}}:{{account_id}}:key/{{key_id}}"
      ],
      "Condition": {
        "StringLike": {
          "kms:ViaService": [
            "secretsmanager.*.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "AllowsAmazonQToIngestDocuments",
      "Effect": "Allow",
      "Action": [
        "qbusiness:BatchPutDocument",
        "qbusiness:BatchDeleteDocument"
      ],
      "Resource": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}/index/{{index_id}}"
    },
    {
      "Sid": "AllowsAmazonQToCallPrincipalMappingAPIs",
      "Effect": "Allow",
      "Action": [
        "qbusiness:PutGroup",
        "qbusiness:CreateUser",
        "qbusiness:DeleteGroup",
        "qbusiness:UpdateUser",
        "qbusiness:ListGroups"
      ],
      "Resource": [
        "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}",
        "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}/index/{{index_id}}",
        "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}/index/{{index_id}}/data-source/*"
      ]
    }
  ]
}
```

**To allow Amazon Q to assume a role, you must also use the following trust policy:**

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowsAmazonQServicePrincipal",
      "Effect": "Allow",
      "Principal": {
        "Service": "qbusiness.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "{{source_account}}"
        },
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}"
        }
      }
    }
  ]
}
```

For more information on Amazon Q data source connector IAM roles, see [IAM roles for Amazon Q data source connectors](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/iam-roles.html#iam-roles-ds).
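The two policies above are templates with `{{placeholder}}` values, and the properties that make them safe are easy to lose when they are copied into infrastructure code: the trust policy's `aws:SourceAccount` and `aws:SourceArn` conditions, which stop an Amazon Q application in another account from assuming the role, and the `kms:ViaService` condition that limits `kms:Decrypt` to use through Secrets Manager. The following Python is an added review check, not AWS tooling: it renders both templates with constructed sample values (the placeholders and policy text are the page's, the values are not) and reports any statement that loses those conditions or widens to a wildcard action or a bare `*` resource.

```python
"""Review checks for the data-source role's two IAM policies shown above.

Added example, not AWS tooling. It fills the {{placeholder}} values with
constructed sample values, then checks what a reviewer looks for: the trust
policy pins the caller with aws:SourceAccount and aws:SourceArn (so an Amazon
Q application in another account cannot assume the role), kms:Decrypt is
usable only via Secrets Manager, and no statement has a wildcard action or a
bare '*' resource.
"""
import json
import re

PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")
SAMPLE_VALUES = {  # constructed; the documentation templates use {{...}}
    "region": "us-west-2", "account_id": "123456789012", "source_account": "123456789012",
    "secret_id": "my-one-drive-secret-AbCdEf", "key_id": "11111111-2222-3333-4444-555555555555",
    "application_id": "a1b2c3d4-0000-0000-0000-000000000001",
    "index_id": "f6e5d4c3-0000-0000-0000-000000000002",
}

# The permissions policy from the page, whitespace condensed.
PERMISSIONS_POLICY = """{
 "Version": "2012-10-17",
 "Statement": [
  {"Sid": "AllowsAmazonQToGetSecret", "Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"],
   "Resource": ["arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:{{secret_id}}"]},
  {"Sid": "AllowsAmazonQToDecryptSecret", "Effect": "Allow", "Action": ["kms:Decrypt"],
   "Resource": ["arn:aws:kms:{{region}}:{{account_id}}:key/{{key_id}}"],
   "Condition": {"StringLike": {"kms:ViaService": ["secretsmanager.*.amazonaws.com"]}}},
  {"Sid": "AllowsAmazonQToIngestDocuments", "Effect": "Allow",
   "Action": ["qbusiness:BatchPutDocument", "qbusiness:BatchDeleteDocument"],
   "Resource": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}/index/{{index_id}}"},
  {"Sid": "AllowsAmazonQToCallPrincipalMappingAPIs", "Effect": "Allow",
   "Action": ["qbusiness:PutGroup", "qbusiness:CreateUser", "qbusiness:DeleteGroup",
              "qbusiness:UpdateUser", "qbusiness:ListGroups"],
   "Resource": ["arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}",
                "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}/index/{{index_id}}",
                "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}/index/{{index_id}}/data-source/*"]}
 ]
}"""

# The trust policy from the page, whitespace condensed.
TRUST_POLICY = """{
 "Version": "2012-10-17",
 "Statement": [{"Sid": "AllowsAmazonQServicePrincipal", "Effect": "Allow",
   "Principal": {"Service": "qbusiness.amazonaws.com"}, "Action": "sts:AssumeRole",
   "Condition": {"StringEquals": {"aws:SourceAccount": "{{source_account}}"},
     "ArnEquals": {"aws:SourceArn": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}"}}}]
}"""


def render(template, values=SAMPLE_VALUES):
    """Substitute every {{name}}; an unknown name raises KeyError so a typo in a
    template is caught before the policy is attached to anything."""
    return json.loads(PLACEHOLDER.sub(lambda m: values[m.group(1)], template))


def as_list(x):
    return x if isinstance(x, list) else [x]


def lint_permissions_policy(policy):
    """Findings for the permissions policy (empty list means it passes)."""
    findings = []
    for st in policy["Statement"]:
        sid, actions = st.get("Sid", "?"), as_list(st["Action"])
        findings += [f"{sid}: wildcard action {a}" for a in actions if a == "*" or a.endswith(":*")]
        findings += [f"{sid}: resource '*'" for r in as_list(st["Resource"]) if r == "*"]
        if "kms:Decrypt" in actions:
            via = as_list(st.get("Condition", {}).get("StringLike", {}).get("kms:ViaService", []))
            if not via or not all(v.startswith("secretsmanager.") for v in via):
                findings.append(f"{sid}: kms:Decrypt not restricted to use via Secrets Manager")
    return findings


def lint_trust_policy(policy):
    """Findings for the trust policy: service principal plus confused-deputy conditions."""
    findings = []
    for st in policy["Statement"]:
        sid, cond = st.get("Sid", "?"), st.get("Condition", {})
        if st.get("Principal", {}).get("Service") != "qbusiness.amazonaws.com":
            findings.append(f"{sid}: principal is not qbusiness.amazonaws.com")
        if "aws:SourceAccount" not in cond.get("StringEquals", {}):
            findings.append(f"{sid}: missing aws:SourceAccount condition")
        if not any("aws:SourceArn" in cond.get(op, {}) for op in ("ArnEquals", "ArnLike")):
            findings.append(f"{sid}: missing aws:SourceArn condition")
    return findings
```

Both page policies pass as written; deleting the trust policy's `Condition` block yields two findings, which is the regression the check exists to catch. The `data-source/*` suffix in the last statement is a path wildcard scoped to one index and is deliberately not flagged.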

# Connecting Microsoft OneDrive to Amazon Q Business (Original)
Microsoft OneDrive Original

**Note**  
**Original version notice:** This documentation covers the original version of the Microsoft OneDrive connector. For new implementations, we recommend using the new connector which offers improved performance. The original connector remains available for customers requiring specific features not yet supported in the new connector.

## Limitations


When using the test data source connection feature, the Microsoft OneDrive connector has a potential issue when testing Identity Crawler. If the test takes longer than five minutes, Amazon Q skips testing Identity Crawler and moves on to the next test. As a result, a connection error with Identity Crawler can still exist even after connection testing finishes.

The Microsoft OneDrive original connector has the following known limitations:
+ No support for syncing OneNote files
+ When Access Control Lists (ACLs) are enabled, the "Sync only new or modified content" option is not available due to Microsoft OneDrive API limitations. We recommend using the "Full sync" or "New, modified, or deleted content sync" modes instead, or disabling ACLs if you need to use this sync mode.

# Overview


The following table gives an overview of the Amazon Q Business Microsoft OneDrive original connector and its supported features.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/onedrive-original-overview.html)

# Prerequisites


Before you begin, make sure that you have completed the following prerequisites.

**In your Azure Active Directory (AD) application, make sure you have:**
+ Created an Azure Active Directory (AD) application.
+ Used the AD application ID to register a secret key for the application on the AD site. The secret key must contain the client ID and a client secret.
+ Copied the AD domain of the organization.
+ Added the following Application API permissions to your AD application on the Microsoft Graph option:
  + Read files in all site collections (`Files.Read.All`)
  + Read all users' full profiles (`User.Read.All`)
  + Read all groups (`Group.Read.All`)
**Note**  
Choose the Application permissions type instead of Delegated permissions while adding the API permissions.

**In your AWS account, make sure you have:**
+ Created an Amazon Q Business application.
+ Created an [Amazon Q Business retriever and added an index](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/select-retriever.html).
+ Created an [IAM role](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/iam-roles.html#iam-roles-ds) for your data source and, if using the Amazon Q API, noted the ARN of the IAM role.
+ Stored your Microsoft OneDrive authentication credentials in an AWS Secrets Manager secret and, if using the Amazon Q API, noted the ARN of the secret.
**Note**  
If you’re a console user, you can create the IAM role and Secrets Manager secret as part of configuring your Amazon Q application on the console.

For a list of things to consider while configuring your data source, see [ Data source connector configuration best practices](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-best-practices.html).

# Using the console


The following procedure outlines how to connect Amazon Q Business to Microsoft OneDrive using the original connector with the AWS Management Console.

**Connecting Amazon Q to Microsoft OneDrive original connector**

1. Sign in to the AWS Management Console and open the Amazon Q Business console.

1. From the left navigation menu, choose **Data sources**.

1. From the **Data sources** page, choose **Add data source**.

1. Then, on the **Add data sources** page, from **Data sources**, add the **Microsoft OneDrive** data source to your Amazon Q application.

1. Then, on the **Microsoft OneDrive** data source page, enter the following information:

1. In **Source**, enter the following information:
   +  **OneDrive Tenant ID** Enter your OneDrive Tenant ID without the protocol. You can find your OneDrive Tenant ID under Directory ID in the Microsoft Entra ID (formerly Azure AD) admin center.

1. **Authorization** – Amazon Q Business crawls ACL information by default to ensure responses are generated only from documents your end users have access to. If supported for your connector, you can manage ACLs by selecting **Enable ACLs** to enable ACLs or **Disable ACLs** to disable them. To manage ACLs, you need specific IAM permissions. See [Grant permission to create data sources with ACLs disabled](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/setting-up.html#DisableAclOnDataSource) for more details. See [Authorization](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-authorization) for more details.

1. In **Authentication** – Choose between **New** and **Existing**.

   1. If you choose **Existing**, select an existing secret for **Select secret**.

     If you choose **New**, enter the following information in the **New AWS Secrets Manager secret** section:

     1. **Secret name** – A name for your secret.

     1. For **Client ID** and **Client secret** – Enter the authentication credential values from your OneDrive account and then choose **Save authentication**. 

1. **Configure VPC and security group – *optional*** – Choose whether you want to use a VPC. If you do, enter the following information:

   1. **Subnets** – Select up to 6 repository subnets that define the subnets and IP ranges the repository instance uses in the selected VPC.

   1. **VPC security groups** – Choose up to 10 security groups that allow access to your data source. Ensure that the security group allows incoming traffic from Amazon EC2 instances and devices outside your VPC. For databases, security group instances are required. 

   For more information, see [VPC](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-vpc).

1. **IAM role** – Choose an existing IAM role or create an IAM role to access your repository credentials and index content.
**Note**  
Creating a new service IAM role is recommended.

   For more information, see [IAM role](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/onedrive-connector.html#onedrive-iam).

1. In **Sync scope**, for **Select OneDrive users**, choose between the following options:
   + **Add a username file** – Choose to add a usernames file saved in an Amazon S3 bucket. Provide the path to the file by choosing **Browse**.
**Note**  
If you choose this option, the IAM role for the data source must have read permissions for the Amazon S3 bucket where the file is stored.
   + **Add usernames here** – You can add a maximum of 10 users using this option. To add more than 10 users, create a file containing the usernames and choose **Add a username file**.

1. For **Additional configuration – *optional***:
   + For **Filter Patterns** – Add filter patterns to include or exclude certain files. You can add up to 100 patterns.

1. **Multi-media content configuration – optional** – To enable content extraction from embedded images and visuals in documents, choose **Visual content in documents**.

1. **Advanced settings**

   **Document deletion safeguard – *optional*** – To safeguard your documents from deletion during a sync job, select **On** and enter an integer between 0 and 100. If the percentage of documents to be deleted in your sync job exceeds the percentage you selected, the delete phase is skipped and no documents from this data source are deleted from your index. For more information, see [Document deletion safeguard](connector-concepts.md#document-deletion-safeguard).

1. For **Maximum file size** – Specify the file size limit in MBs that Amazon Q will crawl. Amazon Q will crawl only the files within the size limit you define. The default file size is 50MB. The maximum file size should be greater than 0MB and less than or equal to 50MB.

1. For **Sync mode**, choose how you want to update your index when your data source content changes. When you sync your data source with Amazon Q for the first time, all content is synced by default.
   + **Full sync** – Sync all content regardless of the previous sync status.
   + **New, modified, or deleted content sync** – Only sync new, modified, and deleted content.

1. In **Sync run schedule**, for **Frequency** – Choose how often Amazon Q will sync with your data source. For more details, see [Sync run schedule](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-sync-run). To learn how to start a data sync job, see [Starting data source connector sync jobs](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/supported-datasource-actions.html#start-datasource-sync-jobs).

1. **Tags - *optional*** – Add tags to search and filter your resources or track your AWS costs. See [Tags](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/tagging.html) for more details.

1. **Field mappings** – A list of data source document attributes to map to your index fields.
**Note**  
Add or update the fields from the **Data source details** page after you finish adding your data source. You can choose from two types of fields: 

   1. **Default** – Automatically created by Amazon Q on your behalf based on common fields in your data source. You can't edit these.

   1. **Custom** – Automatically created by Amazon Q on your behalf based on common fields in your data source. You can edit these. You can also create and add new custom fields.
**Note**  
Support for adding custom fields varies by connector. You won't see the **Add field** option if your connector doesn't support adding custom fields.

   For more information, see [Field mappings](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-field-mappings).

1. In **Data source details**, choose **Sync now** to allow Amazon Q to begin syncing (crawling and ingesting) data from your data source. When the sync job finishes, your data source is ready to use.
**Note**  
View CloudWatch logs for your data source sync job by selecting **View CloudWatch logs**. If you encounter a `Resource not found exception` error, wait and try again as logs may not be available immediately.  
You can also view a detailed document-level report by selecting **View Report**. This report shows the status of each document during the crawl, sync, and index stages, including any errors. If the report is empty for an in-progress job, check back later as data is emitted to the report as events occur during the sync process.  
For more information, see [Troubleshooting data source connectors](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/troubleshooting-data-sources.html#troubleshooting-data-sources-not-indexed).

# Connecting Amazon Q Business to Microsoft OneDrive using APIs
Using the API

You use the [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) action to connect a data source to your Amazon Q application. You can also use the [UpdateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_UpdateDataSource.html) action to modify an existing data source configuration.

Then, you use the `configuration` parameter to provide a JSON blob that conforms to the AWS-defined JSON schema.

For an example of the API request, see [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) and [UpdateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_UpdateDataSource.html) in the Amazon Q API Reference.

## Microsoft OneDrive JSON schema


The following is the Microsoft OneDrive JSON schema:

```
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "properties": {
    "connectionConfiguration": {
      "type": "object",
      "properties": {
        "repositoryEndpointMetadata": {
          "type": "object",
          "properties": {
            "tenantId": {
              "type": "string",
              "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
              "minLength": 36,
              "maxLength": 36
            }
          },
          "required": ["tenantId"]
        }
      }
    },
    "repositoryConfigurations": {
      "type": "object",
      "properties": {
        "email": {
          "type": "object",
          "properties": {
            "fieldMappings": {
              "type": "array",
              "items": [
                {
                  "type": "object",
                  "properties": {
                    "indexFieldName": {
                      "type": "string"
                    },
                    "indexFieldType": {
                      "type": "string",
                      "enum": ["STRING", "STRING_LIST", "DATE"]
                    },
                    "dataSourceFieldName": {
                      "type": "string"
                    },
                    "dateFieldFormat": {
                      "type": "string",
                      "pattern": "yyyy-MM-dd'T'HH:mm:ss'Z'"
                    }
                  },
                  "required": [
                    "indexFieldName",
                    "indexFieldType",
                    "dataSourceFieldName"
                  ]
                }
              ]
            }
          },
          "required": [
            "fieldMappings"
          ]
        },
        "attachment": {
          "type": "object",
          "properties": {
            "fieldMappings": {
              "type": "array",
              "items": [
                {
                  "type": "object",
                  "properties": {
                    "indexFieldName": {
                      "type": "string"
                    },
                    "indexFieldType": {
                      "type": "string",
                      "enum": ["STRING", "DATE","LONG"]
                    },
                    "dataSourceFieldName": {
                      "type": "string"
                    },
                    "dateFieldFormat": {
                      "type": "string",
                      "pattern": "yyyy-MM-dd'T'HH:mm:ss'Z'"
                    }
                  },
                  "required": [
                    "indexFieldName",
                    "indexFieldType",
                    "dataSourceFieldName"
                  ]
                }
              ]
            }
          },
          "required": [
            "fieldMappings"
          ]
        },
        "calendar": {
          "type": "object",
          "properties": {
            "fieldMappings": {
              "type": "array",
              "items": [
                {
                  "type": "object",
                  "properties": {
                    "indexFieldName": {
                      "type": "string"
                    },
                    "indexFieldType": {
                      "type": "string",
                      "enum": ["STRING", "STRING_LIST", "DATE"]
                    },
                    "dataSourceFieldName": {
                      "type": "string"
                    },
                    "dateFieldFormat": {
                      "type": "string",
                      "pattern": "yyyy-MM-dd'T'HH:mm:ss'Z'"
                    }
                  },
                  "required": [
                    "indexFieldName",
                    "indexFieldType",
                    "dataSourceFieldName"
                  ]
                }
              ]
            }
          },
          "required": [
            "fieldMappings"
          ]
        },
        "contacts": {
          "type": "object",
          "properties": {
            "fieldMappings": {
              "type": "array",
              "items": [
                {
                  "type": "object",
                  "properties": {
                    "indexFieldName": {
                      "type": "string"
                    },
                    "indexFieldType": {
                      "type": "string",
                      "enum": ["STRING", "STRING_LIST", "DATE"]
                    },
                    "dataSourceFieldName": {
                      "type": "string"
                    },
                    "dateFieldFormat": {
                      "type": "string",
                      "pattern": "yyyy-MM-dd'T'HH:mm:ss'Z'"
                    }
                  },
                  "required": [
                    "indexFieldName",
                    "indexFieldType",
                    "dataSourceFieldName"
                  ]
                }
              ]
            }
          },
          "required": [
            "fieldMappings"
          ]
        },
        "notes": {
          "type": "object",
          "properties": {
            "fieldMappings": {
              "type": "array",
              "items": [
                {
                  "type": "object",
                  "properties": {
                    "indexFieldName": {
                      "type": "string"
                    },
                    "indexFieldType": {
                      "type": "string",
                      "enum": ["STRING", "DATE"]
                    },
                    "dataSourceFieldName": {
                      "type": "string"
                    },
                    "dateFieldFormat": {
                      "type": "string",
                      "pattern": "yyyy-MM-dd'T'HH:mm:ss'Z'"
                    }
                  },
                  "required": [
                    "indexFieldName",
                    "indexFieldType",
                    "dataSourceFieldName"
                  ]
                }
              ]
            }
          },
          "required": [
            "fieldMappings"
          ]
        }
      },
      "required": ["email"]
    },
    "additionalProperties": {
      "type": "object",
      "properties": {
        "inclusionPatterns": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "exclusionPatterns": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "inclusionUsersList": {
          "type": "array",
          "items": {
            "type": "string",
            "format": "email"
          }
        },
        "exclusionUsersList": {
          "type": "array",
          "items": {
            "type": "string",
            "format": "email"
          }
        },
        "s3bucketName": {
          "type": "string"
        },
        "inclusionUsersFileName": {
          "type": "string"
        },
        "exclusionUsersFileName": {
          "type": "string"
        },
        "inclusionDomainUsers": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "exclusionDomainUsers": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "crawlCalendar": {
          "type": "boolean"
        },
        "crawlNotes": {
          "type": "boolean"
        },
        "crawlContacts": {
          "type": "boolean"
        },
        "crawlFolderAcl": {
          "type": "boolean"
        },
        "startCalendarDateTime": {
          "anyOf": [
            {
              "type": "string",
              "pattern": "^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z$"
            },
            {
              "type": "string",
              "pattern": ""
            }
          ]
        },
        "endCalendarDateTime": {
          "anyOf": [
            {
              "type": "string",
              "pattern": "^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z$"
            },
            {
              "type": "string",
              "pattern": ""
            }
          ]
        },
        "subject": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "emailFrom": {
          "type": "array",
          "items": {
            "type": "string",
            "format": "email"
          }
        },
        "emailTo": {
          "type": "array",
          "items": {
            "type": "string",
            "format": "email"
          }
        },
        "maxFileSizeInMegaBytes": {
          "type": "string"
        }
      },
      "required": []
    },
    "syncMode": {
      "type": "string",
      "enum": [
        "FORCED_FULL_CRAWL",
        "FULL_CRAWL",
        "CHANGE_LOG"
      ]
    },
    "type" : {
      "type" : "string",
      "pattern": "ONEDRIVE"
    },
    "secretArn": {
      "type": "string"
    }
  },
  "version": {
    "type": "string",
    "anyOf": [
      {
        "pattern": "1.0.0"
      }
    ]
  },
  "required": [
    "connectionConfiguration",
    "repositoryConfigurations",
    "syncMode",
    "additionalProperties",
    "secretArn",
    "type"
  ]
}
```

The following table provides information about important JSON keys to configure.


| Configuration | Description | 
| --- | --- | 
| connectionConfiguration | Configuration information for the endpoint for the data source. | 
| repositoryEndpointMetadata | The endpoint information for the data source. This includes the tenant ID in the form of the OneDrive site URL.  | 
| repositoryConfigurations | Configuration information for the content of the data source. For example, configuring specific types of content and field mappings. Specify the type of data source and the secret ARN. | 
| secretARN | The Amazon Resource Name (ARN) of an AWS Secrets Manager secret that contains the key-value pairs required to connect to your OneDrive. The secret must contain a JSON structure with the following keys: <pre>{<br />    "clientID": "OAuth Client ID",<br />    "password": "client secret"<br />}</pre> | 
| additionalProperties | Additional configuration options for your content in your data source. | 
| isCrawlAcl | Specify true to crawl access control information from documents.  Amazon Q Business crawls ACL information by default to ensure responses are generated only from documents your end users have access to. See [Authorization](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-authorization) for more details.  | 
| fieldForUserId | Specify field to use for UserId for ACL crawling. | 
|  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/onedrive-v1-api.html)  | A collection of strings that specifies which entities to filter. | 
| isUserNameOnS3 | true to provide a list of user names in a file stored in an Amazon S3. | 
| type | The type of data source. Specify ONEDRIVE as your data source type. | 
| enableIdentityCrawler | true to activate identity crawler. Identity crawler is activated by default. Crawling identity information on users and groups with access to specific documents is useful for user context filtering. Search results are filtered based on the user or their group access to documents.  Amazon Q Business crawls identity information from your data source by default to ensure responses are generated only from documents end users have access to. For more information, see [Identity crawler](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-identity-crawler).  | 
| maxFileSizeInMegaBytes | Specify the maximum single file size limit in MBs that Amazon Q will crawl. Amazon Q will crawl only the files within the size limit you define. The default file size is 50MB. The maximum file size should be greater than 0MB and less than or equal to 50MB. | 
| syncMode | Specify whether Amazon Q should update your index by syncing all documents or only new, modified, and deleted documents. The accepted values are those of the `syncMode` enum in the schema above: `FORCED_FULL_CRAWL`, `FULL_CRAWL`, and `CHANGE_LOG`. [See the AWS documentation website for more details](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/onedrive-v1-api.html) on each option. | 
| version | The version of this template that's currently supported (1.0.0). | 
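A point worth noticing in the schema above: `startCalendarDateTime` and `endCalendarDateTime` are declared as an `anyOf` whose second branch is `"pattern": ""`. JSON Schema patterns are unanchored searches, and the empty pattern matches every string, so the schema itself never rejects a malformed timestamp. The following Python is an added client-side checker, not AWS code: it re-implements the checks the schema expresses with `pattern`, `enum` and `required`, demonstrates the always-accepting `anyOf`, and enforces the timestamp shape directly. The sample configuration, its field names and values are constructed, not taken from the page.

```python
"""Client-side checks for the Microsoft OneDrive (original) configuration JSON.

Added example, not AWS code. It re-implements the checks the schema above
expresses with pattern, enum and required, and demonstrates one detail a
schema reviewer should notice: startCalendarDateTime and endCalendarDateTime
are an anyOf whose second branch is "pattern": "". JSON Schema patterns are
unanchored searches and the empty pattern matches every string, so the schema
never rejects a malformed timestamp; this checker enforces the shape itself.
Sample field names and values below are constructed.
"""
import re

TENANT_ID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
ISO_UTC = re.compile(r"^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z$")
SYNC_MODES = {"FORCED_FULL_CRAWL", "FULL_CRAWL", "CHANGE_LOG"}
REQUIRED = ("connectionConfiguration", "repositoryConfigurations", "syncMode",
            "additionalProperties", "secretArn", "type")


def schema_anyof_accepts(value):
    """Reproduce the schema's anyOf for the calendar timestamps: branch one is
    the ISO pattern, branch two is the empty pattern, which matches anything."""
    return bool(ISO_UTC.search(value)) or bool(re.search("", value))


def validate(cfg):
    """Return a list of problems; an empty list means the configuration passes."""
    problems = [f"missing required key {k}" for k in REQUIRED if k not in cfg]
    if cfg.get("type") != "ONEDRIVE":
        problems.append("type must be ONEDRIVE")
    if cfg.get("syncMode") not in SYNC_MODES:
        problems.append(f"syncMode must be one of {sorted(SYNC_MODES)}")
    if cfg.get("version", "1.0.0") != "1.0.0":
        problems.append("version must be 1.0.0")
    tenant = (cfg.get("connectionConfiguration", {})
              .get("repositoryEndpointMetadata", {}).get("tenantId", ""))
    if not TENANT_ID.match(tenant):
        problems.append("tenantId must be a lowercase hexadecimal GUID")
    if "email" not in cfg.get("repositoryConfigurations", {}):
        problems.append("repositoryConfigurations.email is required")
    extra = cfg.get("additionalProperties", {})
    for key in ("startCalendarDateTime", "endCalendarDateTime"):
        value = extra.get(key)
        # Strict, unlike the schema's anyOf: empty is allowed, anything else must match.
        if value not in (None, "") and not (isinstance(value, str) and ISO_UTC.match(value)):
            problems.append(f"{key}: {value!r} is not of the form YYYY-MM-DDTHH:MM:SSZ")
    for key in ("inclusionUsersList", "exclusionUsersList", "emailFrom", "emailTo"):
        for addr in extra.get(key, []):
            if "@" not in addr:  # minimal stand-in for the schema's "format": "email"
                problems.append(f"{key}: {addr!r} is not an email address")
    return problems


# Constructed configuration (not from the page) that satisfies the schema.
SAMPLE_CONFIG = {
    "type": "ONEDRIVE", "syncMode": "FULL_CRAWL", "version": "1.0.0",
    "secretArn": "arn:aws:secretsmanager:us-west-2:123456789012:secret:onedrive-EXAMPLE",
    "connectionConfiguration": {"repositoryEndpointMetadata": {
        "tenantId": "0123abcd-4567-89ef-0123-456789abcdef"}},
    "repositoryConfigurations": {"email": {"fieldMappings": [
        {"indexFieldName": "created_at", "indexFieldType": "DATE",
         "dataSourceFieldName": "created", "dateFieldFormat": "yyyy-MM-dd'T'HH:mm:ss'Z'"}]}},
    "additionalProperties": {"crawlFolderAcl": True, "inclusionUsersList": ["user@example.com"],
                             "startCalendarDateTime": "2024-01-01T00:00:00Z",
                             "maxFileSizeInMegaBytes": "50"},
}
```

`schema_anyof_accepts("not a timestamp")` returns true, which is exactly the gap the strict branch in `validate` closes before a configuration is submitted.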

# How Amazon Q Business connector crawls Microsoft OneDrive ACLs
ACL crawling

Connectors support crawling ACL and identity information where applicable based on the data source. If you index documents without ACLs, all documents are considered public. Indexing documents with ACLs ensures data security.

Amazon Q Business supports crawling ACLs for document security by default.

The Microsoft OneDrive connector for Amazon Q Business crawls files, including documents, spreadsheets, presentations, and notes, as the primary content type. It supports various file formats and integrates directly with Microsoft Office apps.

**Roles/permissions**: The Microsoft OneDrive connector translates Microsoft OneDrive permissions into ACLs that are compatible with Amazon Q Business. The basic permissions include: 
+ Read-only Access: users can view
+ Preview Access: users can view but cannot download
+ Edit: users can modify content

**Permission Inheritance**: The Microsoft OneDrive connector is designed to detect and handle hierarchical content organization. In Microsoft OneDrive, files and subfolders inherit permissions from parent folders by default. Permissions can be customized at subfolder and file levels. In this case, the ACLs are a union of the parent ACLs and child ACLs.

**Identity Crawling**: Individual user and group synchronization is supported, including federated groups. Users and groups are synced using email IDs (each group in Active Directory has an email address assigned to it).

**Change Management**: ACL changes are supported in Change Log Mode, ensuring that items added, updated, or deleted since the last crawl are indexed. Any changes to access or permissions of groups or users for any entity will be captured.

**Failure handling**: The connector implements a fail-closed approach, meaning that if there are permission-related issues or API failures, the document is skipped during ingestion rather than being made publicly accessible.
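As an added illustration of the inheritance and fail-closed rules described above (example code, not AWS or connector code), the Python below builds an item's effective ACL as the union of the grants on the item and on all of its parent folders, and skips any item whose permissions cannot be resolved rather than indexing it without an ACL. The drive layout, principals and the failing path are constructed sample data.

```python
# Constructed sample drive layout (not real tenant data): folder or file path
# -> principals granted directly on that item. Any of the three roles the page
# lists (read-only, preview, edit) lets the principal see the content.
SAMPLE_PERMISSIONS = {
    "/": {"group:finance@example.com": "read"},
    "/projects": {"user:alice@example.com": "edit"},
    "/projects/q3": {"user:bob@example.com": "preview"},
    "/projects/q3/budget.xlsx": {"user:carol@example.com": "read"},
}

class PermissionLookupError(Exception):
    """Raised when an item's permissions cannot be determined (API failure)."""

def ancestors_and_self(item_path):
    """'/projects/q3/x' -> ['/', '/projects', '/projects/q3', '/projects/q3/x']."""
    parts = [p for p in item_path.split("/") if p]
    return ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]

def effective_readers(item_path, permissions):
    """Union of the principals granted on the item and on every parent folder:
    the inherited-plus-customized ACL the section describes."""
    readers = set()
    for node in ancestors_and_self(item_path):
        readers.update(permissions.get(node, {}))
    return readers

def plan_ingestion(item_paths, fetch_acl):
    """Fail-closed: an item whose ACL cannot be resolved is skipped and
    reported, never ingested without an ACL (which would make it public)."""
    to_ingest, skipped = {}, []
    for path in item_paths:
        try:
            acl = fetch_acl(path)
        except PermissionLookupError as err:
            skipped.append((path, str(err)))
            continue
        if not acl:  # no principal resolved; indexing it ACL-less would be public
            skipped.append((path, "no principals resolved"))
            continue
        to_ingest[path] = acl
    return to_ingest, skipped

def sample_fetch_acl(path):
    """Constructed lookup: one path simulates a permissions API failure."""
    if path == "/projects/q3/broken.pptx":
        raise PermissionLookupError("permissions request failed with 403")
    return effective_readers(path, SAMPLE_PERMISSIONS)
```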

# Microsoft OneDrive data source connector field mappings

To improve retrieved results and customize the end user chat experience, Amazon Q Business enables you to map document attributes from your data sources to fields in your Amazon Q index.

Amazon Q offers two kinds of attributes to map to index fields:
+ **Reserved fields** – Mapped to reserved fields in the Amazon Q index that filter chat responses for your end users.
+ **Custom fields** – Mapped to custom fields in the Amazon Q index. You can create custom fields when you create your application or data source. You can use custom fields to provide additional information to help your end users.

For more information, see [Mapping data source fields](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/field-mappings.html).

The following table lists the Microsoft OneDrive data source connector entities and their associated attributes that you can map to Amazon Q index fields.



| Entity | Attributes | Field type | 
| --- | --- | --- | 
| File |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/onedrive-legacy-field-mappings.html)  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/onedrive-legacy-field-mappings.html)  | 

# IAM role


If you use the AWS CLI or an AWS SDK, you must create an AWS Identity and Access Management (IAM) policy before you create an Amazon Q resource. When you call the [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) operation, you provide the Amazon Resource Name (ARN) role with the policy attached.

If you use the AWS Management Console, you can create a new IAM role in the Amazon Q console or use an existing IAM role.

To learn more about IAM roles, see [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) in the *AWS Identity and Access Management User Guide*.

To connect your data source connector to Amazon Q, you must give Amazon Q an IAM role that has the following permissions:
+ Permission to access the `BatchPutDocument` and `BatchDeleteDocument` operations to ingest documents.
+ Permission to access the [User Store](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-principal-store.html) API operations to ingest user and group access control information from documents.
+ Permission to access your AWS Secrets Manager secret to authenticate your data source connector instance.
+ **(Optional)** If you're using Amazon VPC, permission to access your Amazon VPC.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowsAmazonQToGetSecret",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": [
        "arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
      ]
    },
    {
      "Sid": "AllowsAmazonQToDecryptSecret",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
      ],
      "Condition": {
        "StringLike": {
          "kms:ViaService": [
            "secretsmanager.*.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "AllowsAmazonQToIngestDocuments",
      "Effect": "Allow",
      "Action": [
        "qbusiness:BatchPutDocument",
        "qbusiness:BatchDeleteDocument"
      ],
      "Resource": [
        "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}",
        "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}/index/{{index_id}}"
      ]
    },
    {
      "Sid": "AllowsAmazonQToIngestPrincipalMapping",
      "Effect": "Allow",
      "Action": [
        "qbusiness:PutGroup",
        "qbusiness:CreateUser",
        "qbusiness:DeleteGroup",
        "qbusiness:UpdateUser",
        "qbusiness:ListGroups"
      ],
      "Resource": [
        "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}",
        "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}/index/{{index_id}}",
        "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}/index/{{index_id}}/data-source/*"
      ]
    },
    {
      "Sid": "AllowsAmazonQToCreateAndDeleteNI",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface"
      ],
      "Resource": [
        "arn:aws:ec2:{{region}}:{{account_id}}:subnet/[[subnet_ids]]",
        "arn:aws:ec2:{{region}}:{{account_id}}:security-group/[[security_group]]"
      ]
    },
    {
      "Sid": "AllowsAmazonQToCreateAndDeleteNIForSpecificTag",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface"
      ],
      "Resource": "arn:aws:ec2:{{region}}:{{account_id}}:network-interface/*",
      "Condition": {
        "StringLike": {
          "aws:RequestTag/AMAZON_Q": "qbusiness_{{account_id}}_{{application_id}}_*"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": [
            "AMAZON_Q"
          ]
        }
      }
    },
    {
      "Sid": "AllowsAmazonQToCreateTags",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags"
      ],
      "Resource": "arn:aws:ec2:{{region}}:{{account_id}}:network-interface/*",
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": "CreateNetworkInterface"
        }
      }
    },
    {
      "Sid": "AllowsAmazonQToCreateNetworkInterfacePermission",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterfacePermission"
      ],
      "Resource": "arn:aws:ec2:{{region}}:{{account_id}}:network-interface/*",
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/AMAZON_Q": "qbusiness_{{account_id}}_{{application_id}}_*"
        }
      }
    },
    {
      "Sid": "AllowsAmazonQToDescribeResourcesForVPC",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeNetworkInterfaceAttribute",
        "ec2:DescribeVpcs",
        "ec2:DescribeRegions",
        "ec2:DescribeNetworkInterfacePermissions",
        "ec2:DescribeSubnets"
      ],
      "Resource": "*"
    }
  ]
}
```

**To allow Amazon Q to assume a role, you must also use the following trust policy:**

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowsAmazonQServicePrincipal",
      "Effect": "Allow",
      "Principal": {
        "Service": "qbusiness.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "{{source_account}}"
        },
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}"
        }
      }
    }
  ]
}
```

For more information on Amazon Q data source connector IAM roles, see [IAM roles for Amazon Q data source connectors](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/iam-roles.html#iam-roles-ds).
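The trust policy above pins the `qbusiness.amazonaws.com` service principal to one account and one application through the `aws:SourceAccount` and `aws:SourceArn` conditions. The Python below is an added check, not AWS tooling: it fills the `{{...}}` markers with constructed placeholder values (the account and application IDs are not real) and flags any Allow statement for that principal that lacks either condition.

```python
import json
import re
# The trust policy from this section, kept as a template. The values below are
# constructed placeholders (not a real account, region binding or application).
TRUST_POLICY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowsAmazonQServicePrincipal",
    "Effect": "Allow",
    "Principal": {"Service": "qbusiness.amazonaws.com"},
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": {"aws:SourceAccount": "{{source_account}}"},
      "ArnEquals": {"aws:SourceArn": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}"}
    }
  }]
}"""
SAMPLE_VALUES = {"region": "us-east-1", "source_account": "111122223333",
                 "application_id": "a1b2c3d4-1111-2222-3333-444455556666"}

def render(template, values):
    """Fill {{name}} markers; an unfilled marker raises instead of leaking through."""
    def fill(match):
        if match.group(1) not in values:
            raise KeyError("no value for placeholder " + match.group(1))
        return values[match.group(1)]
    return re.sub(r"\{\{(\w+)\}\}", fill, template)

def trust_policy_findings(policy, account, application_arn):
    """Flag Allow statements letting qbusiness.amazonaws.com assume the role without both pins."""
    findings = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        services = [services] if isinstance(services, str) else services
        if stmt.get("Effect") != "Allow" or "qbusiness.amazonaws.com" not in services:
            continue
        sid, cond = stmt.get("Sid", "<no Sid>"), stmt.get("Condition", {})
        if cond.get("StringEquals", {}).get("aws:SourceAccount") != account:
            findings.append(f"{sid}: aws:SourceAccount not pinned to {account}")
        arn_cond = {**cond.get("ArnEquals", {}), **cond.get("ArnLike", {})}
        if arn_cond.get("aws:SourceArn") != application_arn:
            findings.append(f"{sid}: aws:SourceArn not pinned to the application ARN")
    return findings

def check_rendered_policy(values=SAMPLE_VALUES):
    """Render the template with the given values and return its findings (empty means OK)."""
    policy = json.loads(render(TRUST_POLICY_TEMPLATE, values))
    app_arn = "arn:aws:qbusiness:%(region)s:%(source_account)s:application/%(application_id)s" % values
    return trust_policy_findings(policy, values["source_account"], app_arn)
```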

# Error codes


The following table provides information about error codes you may see for the Microsoft OneDrive original connector and suggested resolutions.


| Error code | Error message | Suggested resolution | 
| --- | --- | --- | 
| OND-5000 | Exception occurred while sending request to OneDrive api for testing connection, please try again later. | Try again. | 
| OND-5001 | Provided client ID key is not Valid. | Provide a valid client ID. | 
| OND-5002 | Provided client secret key is not valid. | Provide a valid client secret. | 
| OND-5003 | Provided tenant ID key is not valid. | Provide a valid tenant ID. | 
| OND-5102 | Client ID cannot be null/empty. | Provide a valid client ID. | 
| OND-5103 | Tenant ID cannot be null/empty. | Provide a valid tenant ID. | 
| OND-5104 | Client Secret cannot be null/empty. | Provide a valid client secret. | 
| OND-5105 | Invalid client ID pattern. | Provide a valid client ID. | 
| OND-5106 | Client Secret Over maximum length. | Length of client secret ID should be at least 256. Provide a valid client secret. | 
| OND-5107 | User Name Filter/ User Name Path should not be null or empty value. | Provide User Name Filter or User Name Path. | 
| OND-5108 | User Name Filter can only support up to 10 users. | Provide up to 10 users in User Name Filter, or provide a file listing the users in User Name Path. | 
| OND-5109 | Users mentioned in the list do not belong to the same domain. | Provide a valid list of users that belong to the same domain. | 
| OND-5110 | Users mentioned in the list are not valid. | Provide valid users. | 
| OND-5200 | Exception occurred while fetching files in full crawl.  | Check logs for more details. | 
| OND-5203 | Exception occurred while fetching drive files. | Provide correct credentials. | 
| OND-5204 | Exception occurred while fetching OneNote files. | Check logs for more details. | 
| OND-5300 | Exception occurred while fetching files in change log. | Check logs for more details. | 
| OND-5400 | Exception occurred while building group details. | Check logs for more details. | 
| OND-5401 | Exception occurred while fetching list of groups. | Check logs for more details. | 
| OND-5500 | Exception occurred while getting file content response. | Check logs for more details. | 
| OND-5501 | Only String, String List, Date and Long formats are supported for field mappings. | Please provide valid formats in field mappings. | 
| OND-5502 | Exception occurred while fetching OneNote files. | Check logs for more details. | 