# Connecting Microsoft OneDrive to Amazon Q Business (New)
<a name="onedrive-new-connector"></a>

**Note**  
**Enhanced Version:** With the new connector, you can refresh your index significantly faster than before, control the sync scope using a date filter, automatically discover and index content for all users within your Microsoft tenant, and enable Q&A capabilities for audio and video files stored in OneDrive.

## Limitations
<a name="onedrive-new-limitations"></a>

The Microsoft OneDrive new connector has the following known limitations:
+ No support for syncing OneNote files
+ Custom field mappings are not supported
+ VPC configuration is not supported
+ Document enrichment is not supported
+ OneDrive API throttling limits are determined by your organization's Microsoft 365 license count and are applied at the application level within a tenant (see [this Microsoft documentation](https://learn.microsoft.com/en-us/sharepoint/dev/general-development/how-to-avoid-getting-throttled-or-blocked-in-sharepoint-online#application-throttling)). These limits affect how many documents can be synced in a day, with further restrictions when Access Control Lists (ACLs) are involved. For example, in organizations with fewer than 1000 licenses, the connector can sync up to 1.2 million documents per day without ACLs. However, when syncing with ACLs, this limit is reduced to approximately 200,000 documents per day since ACLs require 5 additional resource units. If the sync job exceeds these limits, the OneDrive connector automatically pauses and resumes the following day to sync the remaining documents.

# Overview
<a name="onedrive-new-overview"></a>

The following table gives an overview of the Amazon Q Business Microsoft OneDrive new connector and its supported features.


The feature overview table is available on the AWS documentation website: [Microsoft OneDrive (New) connector overview](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/onedrive-new-overview.html).

# Prerequisites
<a name="onedrive-new-prereqs"></a>

Before you begin, make sure that you have completed the following prerequisites.

**In your Microsoft Entra ID (formerly Azure Active Directory) tenant, make sure you have:**
+ Registered an application in Microsoft Entra ID.
+ Created a client secret for that app registration and recorded both the application (client) ID and the client secret value. These two values are what you store in the AWS Secrets Manager secret described below.
+ Copied the directory (tenant) ID of the organization. The connector is configured with this GUID, not with the organization's domain name.
+ Added the following Microsoft Graph API permissions to the app registration:
  + Read files in all site collections (`Files.Read.All`)
  + Read all users' full profiles (`User.Read.All`)
  + Read all groups (`Group.Read.All`)
**Note**  
Choose the **Application** permissions type, not **Delegated**, when adding the API permissions. Application permissions are tenant-wide and app-only: any holder of the client secret can read every user's files, so restrict access to the Secrets Manager secret accordingly.

**In your AWS account, make sure you have:**
+ Created an Amazon Q Business application.
+ Created an [Amazon Q Business retriever and added an index](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/select-retriever.html).
+ Created an [IAM role](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/iam-roles.html#iam-roles-ds) for your data source and, if using the Amazon Q API, noted the ARN of the IAM role.
+ Stored your Microsoft OneDrive authentication credentials in an AWS Secrets Manager secret and, if using the Amazon Q API, noted the ARN of the secret.
**Note**  
If you’re a console user, you can create the IAM role and Secrets Manager secret as part of configuring your Amazon Q application on the console.

For a list of things to consider while configuring your data source, see [Data source connector configuration best practices](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-best-practices.html).

# Using the console
<a name="onedrive-new-console"></a>

The following procedure outlines how to connect Amazon Q Business to Microsoft OneDrive using the new connector with the AWS Management Console.

**To connect Amazon Q Business to Microsoft OneDrive with the new connector**

1. Sign in to the AWS Management Console and open the Amazon Q Business console.

1. From the left navigation menu, choose **Data sources**.

1. From the **Data sources** page, choose **Add data source**.

1. Then, on the **Add data sources** page, from **Data sources**, add the **Microsoft OneDrive** data source to your Amazon Q application.

1. Then, on the **Microsoft OneDrive** data source page, enter the following information:

1. In **Source**, enter the following information:
   +  **OneDrive Tenant ID** – Enter your Microsoft 365 tenant ID, a 36-character GUID, with no protocol or domain name. You can find it as the **Directory (tenant) ID** of your tenant in the Microsoft Entra admin center (formerly Azure AD).

1. **Authorization** – Amazon Q Business crawls ACL information by default to ensure responses are generated only from documents your end users have access to. If supported for your connector, you can manage ACLs by selecting **Enable ACLs** to enable ACLs or **Disable ACLs** to disable them. To manage ACLs, you need specific IAM permissions. See [Grant permission to create data sources with ACLs disabled](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/setting-up.html#DisableAclOnDataSource) for more details. See [Authorization](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-authorization) for more details.

1. In **Authentication** – Choose between **New** and **Existing**.

   1. If you choose **Existing**, select an existing secret for **Select secret**.

     If you choose **New**, enter the following information in the **New AWS Secrets Manager secret** section:

     1. **Secret name** – A name for your secret.

     1. For **Client ID** and **Client secret** – Enter the application (client) ID and client secret from your Microsoft Entra app registration, then choose **Save authentication**.

1. **IAM role** – Choose an existing IAM role or create an IAM role to access your repository credentials and index content.
**Note**  
IAM roles used for applications can't be used for data sources. If you are unsure if an existing role is used for an application, choose **Create a new role** to avoid errors.

1. In **Sync scope**, configure which OneDrive users and content to sync:

   1. **Select OneDrive users** – Choose how to specify which users' content to sync:
      + **All users** – Select this option to sync content for all users in the organization. This allows comprehensive content discovery across all user accounts.
      + **Users from a user name file** – Choose this option to specify users via a file stored in an Amazon S3 bucket. Select the location of the user name file by choosing **Browse**.
**Note**  
If you choose this option, the IAM role for the data source must have read permissions for the Amazon S3 bucket where the file is stored.
      + **Specific users** – Choose this option to manually specify individual users. You can add a maximum of 10 users using this option. To add more than 10 users, create a file containing the usernames and choose **Users from a user name file**.

   1. **Maximum single file size** – Set the maximum file size for crawling. During ingestion, the file size limit depends on the file type: video files up to 10 GB (10,240 MB), audio files up to 2 GB (2,048 MB), PDF, Word and PowerPoint documents up to 500 MB, and Excel and other supported formats up to 50 MB. There are also limits on the amount of text extracted from each document: 10 MB for CSV and Excel, and 30 MB for all other document formats.

   1. **Additional configuration - *optional*** – All content will be indexed by default. However, you can also limit the scope with these additional options:

      1. **Date filter** – Add a date range to filter content based on the last modified date:
         + **Start date** – Filter content modified after this date (YYYY/MM/DD format)
         + **End date - optional** – Filter content modified before this date (YYYY/MM/DD format)

      1. **Filter patterns** – Add file path patterns to include or exclude certain folders and files from OneDrive:
         + **Include patterns** – Specify file paths to include in the sync. Enter the path pattern and choose **Add**.
         + **Exclude patterns** – Specify file paths to exclude from the sync. Enter the path pattern and choose **Add**.

           To find the path of a folder or file, open OneDrive, navigate to the item you want to filter, open the three-dot menu next to its name, and choose **Details**. In the details panel, scroll to **Path** and choose **Copy**. For shared folders and files, first choose **Open location** from the menu next to the item name, then follow the same steps.

   1. **Multi-media content configuration – optional** – To enable content extraction from embedded images and visuals in documents, choose **Visual content in documents**. For more information, see [Extracting semantic meaning from embedded images and visuals](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/extracting-meaning-from-images.html).

      To transcribe audio files, enable **Audio Files**. To extract content from video files, enable **Video files**. For more information, see [Extracting semantic meaning from audio and video Content](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/Audio-video-extraction.html).

   1. **Advanced settings**

      **Document deletion safeguard** - *optional* – To safeguard your documents from deletion during a sync job, select **On** and enter an integer between 0 and 100. If the percentage of documents to be deleted in your sync job exceeds the percentage you selected, the delete phase is skipped and no documents from this data source are deleted from your index. For more information, see [Document deletion safeguard](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#document-deletion-safeguard).

1. In **Sync run schedule**, for **Frequency** – Choose how often Amazon Q will sync with your data source. For more details, see [Sync run schedule](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-sync-run). To learn how to start a data sync job, see [Starting data source connector sync jobs](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/supported-datasource-actions.html#start-datasource-sync-jobs).

1. **Tags - *optional*** – Add tags to search and filter your resources or track your AWS costs. See [Tags](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/tagging.html) for more details.

1. In **Data source details**, choose **Sync now** to allow Amazon Q to begin syncing (crawling and ingesting) data from your data source. When the sync job finishes, your data source is ready to use.
**Note**  
View CloudWatch logs for your data source sync job by selecting **View CloudWatch logs**. If you encounter a `Resource not found exception` error, wait and try again as logs may not be available immediately.  
You can also view a detailed document-level report by selecting **View Report**. This report shows the status of each document during the crawl, sync, and index stages, including any errors. If the report is empty for an in-progress job, check back later as data is emitted to the report as events occur during the sync process.  
For more information, see [Troubleshooting data source connectors](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/troubleshooting-data-sources.html#troubleshooting-data-sources-not-indexed).

# Connecting Amazon Q Business to Microsoft OneDrive using APIs
<a name="onedrive-v2-api"></a>

You use the [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) action to connect a data source to your Amazon Q application. You can also use the [UpdateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_UpdateDataSource.html) action to modify an existing data source configuration.

Then, you use the `configuration` parameter to provide a JSON blob that conforms to the AWS-defined JSON schema.

For an example of the API request, see [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) and [UpdateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_UpdateDataSource.html) in the Amazon Q API Reference.

## Microsoft OneDrive JSON schema
<a name="onedrive-v2-json"></a>

The following is the JSON schema for the Microsoft OneDrive (New) connector:

```
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "properties": {
    "version": {
      "type": "string",
      "pattern": "2.0.0"
    },
    "type": {
      "type": "string",
      "enum": [
        "ONEDRIVEV3"
      ]
    },
    "connectionConfiguration": {
      "type": "object",
      "properties": {
        "secretArn": {
          "type": "string",
          "pattern": "^arn:[a-z0-9-\\.]{1,63}:[a-z0-9-\\.]{0,63}:[a-z0-9-\\.]{0,63}:[a-z0-9-\\.]{0,63}:[^/].{0,1023}$"
        },
        "tenantId": {
          "type": "string",
          "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
          "minLength": 36,
          "maxLength": 36
        },
        "authType": {
          "type": "string",
          "enum": [
            "ENTRA_APP_ID",
            "OAUTH2"
          ]
        }
      },
      "required": [
        "secretArn",
        "tenantId",
        "authType"
      ]
    },
    "dataEntityConfiguration": {
      "type": "object",
      "properties": {
        "crawlPersonalDrives": {
          "type": "boolean"
        }
      }
    },
    "filterConfiguration": {
      "type": "object",
      "properties": {
        "exclusionUserEmailAddresses": {
          "type": "array",
          "maxItems": 100,
          "items": {
            "type": "string",
            "minLength": 1,
            "maxLength": 1024
          }
        },
        "inclusionUserEmailAddresses": {
          "type": "array",
          "maxItems": 100,
          "items": {
            "type": "string",
            "minLength": 1,
            "maxLength": 1024
          }
        },
        "userFilterPath": {
          "type": "string",
          "pattern": "^s3:\\/\\/[a-z0-9][\\.\\-a-z0-9]{1,61}[a-z0-9]\\/.*$"
        },
        "exclusionDriveItems": {
          "type": "array",
          "maxItems": 100,
          "items": {
            "type": "string",
            "minLength": 1,
            "maxLength": 1024
          }
        },
        "inclusionDriveItems": {
          "type": "array",
          "maxItems": 100,
          "items": {
            "type": "string",
            "minLength": 1,
            "maxLength": 1024
          }
        },
        "absoluteDateBefore": {
          "type": "string",
          "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(?:\\.\\d+)?(?:Z|[+-]\\d{2}:\\d{2})$"
        },
        "absoluteDateAfter": {
          "type": "string",
          "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(?:\\.\\d+)?(?:Z|[+-]\\d{2}:\\d{2})$"
        },
        "maxFileSizeInMegaBytes": {
          "type": "string",
          "pattern": "^\\d+$"
        }
      }
    },
    "deletionProtectionConfiguration": {
      "type": "object",
      "properties": {
        "enableDeletionProtection": {
          "type": "boolean"
        },
        "deletionProtectionThreshold": {
          "type": "string",
          "pattern": "^(100|[1-9][0-9]?)$"
        }
      }
    },
    "crawlIdentities": {
      "type": "boolean"
    },
    "accessControlConfiguration": {
      "type": "object",
      "properties": {
        "crawlAcls": {
          "type": "boolean"
        }
      }
    }
  },
  "required": [
    "connectionConfiguration",
    "dataEntityConfiguration",
    "type"
  ]
}
```

The following table provides information about important JSON keys to configure for OneDrive (New).


| Configuration | Description | 
| --- | --- | 
| accessControlConfiguration | Configuration for access control. crawlAcls: Boolean flag to enable or disable crawling of access control lists. Specify true to crawl access control information from documents. Amazon Q crawls ACL information by default to ensure responses are generated only from documents your end users have access to. | 
| crawlIdentities | Boolean flag to enable or disable crawling of identity information. Specify true to activate the identity crawler; it is activated by default. Crawling identity information on the users and groups with access to specific documents is used for user context filtering: search results are filtered based on the user's own access, or their groups' access, to documents. | 
| deletionProtectionConfiguration | Configuration for deletion protection. enableDeletionProtection: Boolean flag to enable or disable deletion protection. deletionProtectionThreshold: threshold percentage (1-100), as a string, above which the delete phase of a sync job is skipped. | 
| filterConfiguration | Optional filters that narrow the sync scope. inclusionUserEmailAddresses and exclusionUserEmailAddresses: lists (up to 100 entries each) of user e-mail addresses whose drives to include or exclude. userFilterPath: `s3://` URI of a user name file; the data source IAM role needs read access to that bucket. inclusionDriveItems and exclusionDriveItems: lists (up to 100 entries each) of file or folder path patterns to include or exclude. absoluteDateAfter and absoluteDateBefore: ISO 8601 timestamps; only content last modified inside the window is synced. maxFileSizeInMegaBytes: maximum single file size to crawl, as a string of digits. See [the AWS documentation website](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/onedrive-v2-api.html) for more details. | 
| dataEntityConfiguration | Configuration for what content to crawl. crawlPersonalDrives: Boolean flag to enable or disable crawling of personal drives. | 
| connectionConfiguration | Configuration information for connecting to OneDrive. secretArn: the Amazon Resource Name (ARN) of an AWS Secrets Manager secret that contains the authentication credentials. The secret must contain a JSON structure with the following keys: `{"clientID": "OAuth Client ID", "clientSecret": "client secret"}`. tenantId: the tenant ID in UUID format. authType: authentication type, either `ENTRA_APP_ID` or `OAUTH2`. | 
| type | The type of data source. Specify ONEDRIVEV3 as your data source type. | 
| version | The version of this template. Currently supported version is "2.0.0". | 
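As an added example (not AWS-supplied code), the following Python assembles the `configuration` blob for the OneDrive (New) connector and checks it against the constraints in the schema above before the request goes to `CreateDataSource`. A malformed blob is rejected locally rather than by the API; the regular expressions are the ones from the schema, and every ARN, tenant ID and address used is a constructed placeholder.

```python
"""Build and pre-validate the `configuration` blob for an Amazon Q Business
Microsoft OneDrive (New) data source before calling CreateDataSource.
Added example, not AWS-supplied code: the regexes are copied from the schema
above; every ARN, tenant ID and address is a constructed placeholder."""
import json
import re

# Constraints lifted from the draft-04 schema on this page.
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
ARN_RE = re.compile(r"^arn:[a-z0-9-\.]{1,63}:[a-z0-9-\.]{0,63}:[a-z0-9-\.]{0,63}:"
                    r"[a-z0-9-\.]{0,63}:[^/].{0,1023}$")
S3_RE = re.compile(r"^s3:\/\/[a-z0-9][\.\-a-z0-9]{1,61}[a-z0-9]\/.*$")
ISO_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})$")
THRESHOLD_RE = re.compile(r"^(100|[1-9][0-9]?)$")  # the API pattern does not accept "0"
LIST_KEYS = ("inclusionUserEmailAddresses", "exclusionUserEmailAddresses",
             "inclusionDriveItems", "exclusionDriveItems")


def secret_payload(client_id, client_secret):
    """Secrets Manager secret body, using the key names the connector reads."""
    return json.dumps({"clientID": client_id, "clientSecret": client_secret})


def build_config(secret_arn, tenant_id, *, auth_type="ENTRA_APP_ID", crawl_acls=True,
                 crawl_identities=True, include_users=(), exclude_users=(), user_file=None,
                 include_paths=(), exclude_paths=(), after=None, before=None,
                 max_mb=None, deletion_threshold=None):
    """Assemble the configuration document; filters left at their default are omitted."""
    filters = {k: v for k, v in {
        "inclusionUserEmailAddresses": list(include_users),
        "exclusionUserEmailAddresses": list(exclude_users),
        "userFilterPath": user_file,
        "inclusionDriveItems": list(include_paths),
        "exclusionDriveItems": list(exclude_paths),
        "absoluteDateAfter": after,
        "absoluteDateBefore": before,
        "maxFileSizeInMegaBytes": None if max_mb is None else str(max_mb),  # digit string
    }.items() if v}
    config = {
        "version": "2.0.0",
        "type": "ONEDRIVEV3",
        "connectionConfiguration": {"secretArn": secret_arn, "tenantId": tenant_id,
                                    "authType": auth_type},
        "dataEntityConfiguration": {"crawlPersonalDrives": True},
        "accessControlConfiguration": {"crawlAcls": crawl_acls},
        "crawlIdentities": crawl_identities,
    }
    if filters:
        config["filterConfiguration"] = filters
    if deletion_threshold is not None:
        config["deletionProtectionConfiguration"] = {
            "enableDeletionProtection": True,
            "deletionProtectionThreshold": str(deletion_threshold)}
    return config


def validate_config(config):
    """Return the list of schema violations found; empty means the blob passes."""
    problems = []
    if config.get("type") != "ONEDRIVEV3":
        problems.append("type must be ONEDRIVEV3")
    conn = config.get("connectionConfiguration") or {}
    for key in ("secretArn", "tenantId", "authType"):
        if key not in conn:
            problems.append(f"connectionConfiguration.{key} is required")
    if "secretArn" in conn and not ARN_RE.match(conn["secretArn"]):
        problems.append("secretArn is not an ARN")
    if "tenantId" in conn and not UUID_RE.match(conn["tenantId"]):
        problems.append("tenantId must be a lowercase UUID (the pattern is case-sensitive)")
    if "authType" in conn and conn["authType"] not in ("ENTRA_APP_ID", "OAUTH2"):
        problems.append("authType must be ENTRA_APP_ID or OAUTH2")
    if not isinstance(config.get("dataEntityConfiguration"), dict):
        problems.append("dataEntityConfiguration is required")
    filt = config.get("filterConfiguration") or {}
    for key in LIST_KEYS:
        if len(filt.get(key, [])) > 100:
            problems.append(f"{key} exceeds 100 items")
    if "userFilterPath" in filt and not S3_RE.match(filt["userFilterPath"]):
        problems.append("userFilterPath must be an s3://bucket/key URI")
    for key in ("absoluteDateBefore", "absoluteDateAfter"):
        if key in filt and not ISO_RE.match(filt[key]):
            problems.append(f"{key} must be an ISO 8601 timestamp with zone")
    if "maxFileSizeInMegaBytes" in filt and not filt["maxFileSizeInMegaBytes"].isdigit():
        problems.append("maxFileSizeInMegaBytes must be a string of digits")
    thr = (config.get("deletionProtectionConfiguration") or {}).get("deletionProtectionThreshold")
    if thr is not None and not THRESHOLD_RE.match(thr):
        problems.append("deletionProtectionThreshold must be '1'..'100'")
    return problems


def create_onedrive_data_source(application_id, index_id, role_arn, config, dry_run=True):
    """Refuse to call the API with an invalid blob; in dry-run mode return the request."""
    problems = validate_config(config)
    if problems:
        raise ValueError("; ".join(problems))
    request = {"applicationId": application_id, "indexId": index_id, "roleArn": role_arn,
               "displayName": "onedrive-new", "configuration": config}
    if dry_run:
        return request
    import boto3  # imported here so the validation helpers also work offline
    return boto3.client("qbusiness").create_data_source(**request)
```

Two checks are worth calling out: the schema's `tenantId` pattern is lowercase-only, so a GUID pasted in uppercase from a portal fails, and the `deletionProtectionThreshold` pattern accepts `1` to `100` but not `0`, even though the console describes the range as 0 to 100.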

# Connecting Amazon Q Business to Microsoft OneDrive using AWS CloudFormation
<a name="onedrive-v2-cfn"></a>

You use the [AWS::QBusiness::DataSource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-qbusiness-datasource.html) resource to connect a data source to your Amazon Q application.

Use the [Configuration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-qbusiness-datasource.html#cfn-qbusiness-datasource-configuration) property to provide a JSON or YAML document with the configuration details specific to your data source connector.

To learn more about AWS CloudFormation, see [What is AWS CloudFormation?](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html) in the *CloudFormation User Guide*.

**Topics**
+ [Microsoft OneDrive JSON schema for using the configuration property with AWS CloudFormation](#onedrive-v2-cfn-json)
+ [Microsoft OneDrive YAML schema for using the configuration property with AWS CloudFormation](#onedrive-v2-cfn-yaml)

## Microsoft OneDrive JSON schema for using the configuration property with AWS CloudFormation
<a name="onedrive-v2-cfn-json"></a>

The following is the Microsoft OneDrive JSON schema and examples for the configuration property for AWS CloudFormation.

**Topics**
+ [Microsoft OneDrive JSON schema for using the configuration property with AWS CloudFormation](#onedrive-v2-cfn-json-schema)
+ [Microsoft OneDrive JSON schema example for using the configuration property with AWS CloudFormation](#onedrive-v2-cfn-json-example)

### Microsoft OneDrive JSON schema for using the configuration property with AWS CloudFormation
<a name="onedrive-v2-cfn-json-schema"></a>

The following is the Microsoft OneDrive JSON schema for the configuration property for CloudFormation.

```
{
    "type": "object",
    "properties": {
        "version": {
            "type": "string"
        },
        "type": {
            "type": "string",
            "enum": ["ONEDRIVEV3"]
        },
        "connectionConfiguration": {
            "type": "object",
            "properties": {
                "secretArn": {
                    "type": "string",
                    "minLength": 20,
                    "maxLength": 2048
                },
                "tenantId": {
                    "type": "string",
                    "minLength": 36,
                    "maxLength": 36
                },
                "authType": {
                    "type": "string",
                    "enum": ["OAUTH2"]
                }
            },
            "required": ["secretArn", "tenantId", "authType"]
        },
        "dataEntityConfiguration": {
            "type": "object",
            "properties": {
                "crawlPersonalDrives": {
                    "anyOf": [{
                            "type": "boolean"
                        },
                        {
                            "type": "string",
                            "enum": ["true", "false"]
                        }
                    ]
                }
            }
        },
        "filterConfiguration": {
            "type": "object",
            "properties": {
                "inclusionUserEmailAddresses": {
                    "type": "array",
                    "maxItems": 100,
                    "items": {
                        "type": "string",
                        "minLength": 1,
                        "maxLength": 1024
                    }
                },
                "userFilterPath": {
                    "type": "string",
                    "minLength": 1,
                    "maxLength": 1024
                },
                "exclusionDriveItems": {
                    "type": "array",
                    "maxItems": 100,
                    "items": {
                        "type": "string",
                        "minLength": 1,
                        "maxLength": 1024
                    }
                },
                "inclusionDriveItems": {
                    "type": "array",
                    "maxItems": 100,
                    "items": {
                        "type": "string",
                        "minLength": 1,
                        "maxLength": 1024
                    }
                },
                "absoluteDateBefore": {
                    "type": "string",
                    "description": "ISO 8601 date-time format (e.g., 2024-12-31T23:59:59Z)"
                },
                "absoluteDateAfter": {
                    "type": "string",
                    "description": "ISO 8601 date-time format (e.g., 2024-12-31T23:59:59Z)"
                },
                "maxFileSizeInMegaBytes": {
                    "type": "string"
                }
            }
        },
        "deletionProtectionConfiguration": {
            "type": "object",
            "properties": {
                "enableDeletionProtection": {
                    "anyOf": [{
                            "type": "boolean"
                        },
                        {
                            "type": "string",
                            "enum": ["true", "false"]
                        }
                    ]
                },
                "deletionProtectionThreshold": {
                    "type": "string",
                    "description": "percentage value of range (0-100)" 
                }
            }
        },
        "crawlIdentities": {
            "anyOf": [{
                    "type": "boolean"
                },
                {
                    "type": "string",
                    "enum": ["true", "false"]
                }
            ]
        },
        "accessControlConfiguration": {
            "type": "object",
            "properties": {
                "crawlAcl": {
                    "anyOf": [{
                            "type": "boolean"
                        },
                        {
                            "type": "string",
                            "enum": ["true", "false"]
                        }
                    ]
                }
            }
        },
        "identityLoggingStatus": {
            "type": "string",
            "enum": ["ENABLED", "DISABLED"]
        }
    },
    "required": ["connectionConfiguration", "dataEntityConfiguration", "type"]
}
```

### Microsoft OneDrive JSON schema example for using the configuration property with AWS CloudFormation
<a name="onedrive-v2-cfn-json-example"></a>

The following is the Microsoft OneDrive JSON example for the Configuration property for CloudFormation.

```
{
    "type": "ONEDRIVEV3",
    "crawlIdentities": false,
    "connectionConfiguration": {
      "secretArn": "arn:aws:secretsmanager:us-west-2:123456789012:secret:my-one-drive-secret",
      "tenantId": "1234a12c-1234-1234-1abc-1234ab12a12a",
      "authType": "OAUTH2"
    },
    "dataEntityConfiguration": {
      "crawlPersonalDrives": true
    },
    "accessControlConfiguration": {
      "crawlAcl": false
    },
    "filterConfiguration": {
      "inclusionUserEmailAddresses": ["user123@amazon.com"],
      "maxFileSizeInMegaBytes": "50",
      "exclusionDriveItems": ["path/to/folder1","path/to/file1"],
      "inclusionDriveItems": ["path/to/folder2","path/to/file2"],
      "userFilterPath": "s3://bucket/prefix/object.txt",
      "absoluteDateBefore": "2025-08-02T00:00:00Z",
      "absoluteDateAfter": "2025-08-01T00:00:00Z"
    },
    "deletionProtectionConfiguration": {
      "enableDeletionProtection": true,
      "deletionProtectionThreshold": "10"
    },
    "version": "3.0.0", 
    "identityLoggingStatus": "DISABLED"
}
```

## Microsoft OneDrive YAML schema for using the configuration property with AWS CloudFormation
<a name="onedrive-v2-cfn-yaml"></a>

The following is the Microsoft OneDrive YAML schema and examples for the configuration property for AWS CloudFormation:

**Topics**
+ [Microsoft OneDrive YAML schema for using the configuration property with AWS CloudFormation](#onedrive-v2-cfn-yaml-schema)
+ [Microsoft OneDrive YAML schema example for using the configuration property with AWS CloudFormation](#onedrive-v2-cfn-yaml-example)

### Microsoft OneDrive YAML schema for using the configuration property with AWS CloudFormation
<a name="onedrive-v2-cfn-yaml-schema"></a>

The following is the Microsoft OneDrive YAML schema for the configuration property for CloudFormation.

```
configuration:
  type: object
  properties:
    version:
      type: string
    type:
      type: string
      enum:
        - ONEDRIVEV3
    connectionConfiguration:
      type: object
      properties:
        secretArn:
          type: string
          minLength: 20
          maxLength: 2048
        tenantId:
          type: string
          minLength: 36
          maxLength: 36
        authType:
          type: string
          enum:
            - OAUTH2
      required:
        - secretArn
        - tenantId
        - authType
    dataEntityConfiguration:
      type: object
      properties:
        crawlPersonalDrives:
          anyOf:
            - type: boolean
            - type: string
              enum:
                - 'true'
                - 'false'
    filterConfiguration:
      type: object
      properties:
        inclusionUserEmailAddresses:
          type: array
          maxItems: 100
          items:
            type: string
            minLength: 1
            maxLength: 1024
        userFilterPath:
          type: string
          minLength: 1
          maxLength: 1024
        exclusionDriveItems:
          type: array
          maxItems: 100
          items:
            type: string
            minLength: 1
            maxLength: 1024
        inclusionDriveItems:
          type: array
          maxItems: 100
          items:
            type: string
            minLength: 1
            maxLength: 1024
        absoluteDateBefore:
          type: string
          description: 'ISO 8601 date-time format (e.g., 2024-12-31T23:59:59Z)'
        absoluteDateAfter:
          type: string
          description: 'ISO 8601 date-time format (e.g., 2024-12-31T23:59:59Z)'
        maxFileSizeInMegaBytes:
          type: string
    deletionProtectionConfiguration:
      type: object
      properties:
        enableDeletionProtection:
          anyOf:
            - type: boolean
            - type: string
              enum:
                - 'true'
                - 'false'
        deletionProtectionThreshold:
          type: string
          description: 'percentage value of range (0-100)'
    crawlIdentities:
      anyOf:
        - type: boolean
        - type: string
          enum:
            - 'true'
            - 'false'
    accessControlConfiguration:
      type: object
      properties:
        crawlAcl:
          anyOf:
            - type: boolean
            - type: string
              enum:
                - 'true'
                - 'false'
    identityLoggingStatus:
      type: string
      enum:
        - ENABLED
        - DISABLED
  required:
    - connectionConfiguration
    - dataEntityConfiguration
    - type
```

### Microsoft OneDrive YAML schema example for using the configuration property with AWS CloudFormation
<a name="onedrive-v2-cfn-yaml-example"></a>

The following is the Microsoft OneDrive YAML example for the Configuration property for CloudFormation:

```
configuration:
  type: ONEDRIVEV3
  crawlIdentities: false
  connectionConfiguration:
    secretArn: 'arn:aws:secretsmanager:us-west-2:123456789012:secret:my-one-drive-secret'
    tenantId: '1234a12c-1234-1234-1abc-1234ab12a12a'
    authType: OAUTH2
  dataEntityConfiguration:
    crawlPersonalDrives: true
  accessControlConfiguration:
    crawlAcl: false
  filterConfiguration:
    inclusionUserEmailAddresses:
      - 'user123@amazon.com'
    maxFileSizeInMegaBytes: '50'
    exclusionDriveItems:
      - 'path/to/folder1'
      - 'path/to/file1'
    inclusionDriveItems:
      - 'path/to/folder2'
      - 'path/to/file2'
    userFilterPath: 's3://bucket/prefix/object.txt'
    absoluteDateBefore: '2025-08-02T00:00:00Z'
    absoluteDateAfter: '2025-08-01T00:00:00Z'
  deletionProtectionConfiguration:
    enableDeletionProtection: true
    deletionProtectionThreshold: '10'
  version: '3.0.0'
  identityLoggingStatus: DISABLED
```

# How Amazon Q Business connector crawls Microsoft OneDrive ACLs
<a name="onedrive-new-acl-crawling"></a>

Connectors support crawling ACL and identity information where applicable based on the data source. If you index documents without ACLs, all documents are considered public. Indexing documents with ACLs restricts answers to documents the requesting user is permitted to read.

Amazon Q Business crawls ACLs for document security by default.

The Microsoft OneDrive connector for Amazon Q Business crawls files, including documents, spreadsheets and presentations, as the primary content type, in the file formats supported by Amazon Q Business.

**Roles/permissions**: The Microsoft OneDrive connector translates Microsoft OneDrive permissions into ACLs that are compatible with Amazon Q Business. The basic permissions include: 
+ Read-only Access: users can view
+ Preview Access: users can view but cannot download
+ Edit: users can modify content

**Permission Inheritance**: The Microsoft OneDrive connector is designed to detect and handle hierarchical content organization. In Microsoft OneDrive files and subfolders inherit permissions from parent folders by default. Permissions can be customized at sub-folder and file levels. In this case, the ACLs are a union of the parent ACLs and child ACLs. 

**Identity Crawling**: Tenant-wide access is granted through the Microsoft Graph application permissions described in the prerequisites (`User.Read.All` and `Group.Read.All`). Microsoft Entra ID supports nested groups, meaning that one group can be a member of another. The connector handles complex group structures by flattening group memberships and ensuring that permissions are applied correctly across all levels.

**Failure handling**: The connector implements a fail-close approach, meaning that if there are permission-related issues or API failures, the document is skipped from ingestion rather than being made publicly accessible.
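The inheritance, nested-group and fail-close behaviour described above, modelled in a small added example (illustrative code, not the connector's implementation). The `Item`, `flatten_group`, `effective_acl` and `build_index` names, the folder tree and the group memberships are constructed; mapping all three permission levels (read-only, preview, edit) to read access in the derived ACL is an assumption, made because each level lets the user view the content.

```python
"""Illustrative model of connector-side ACL derivation: permissions inherited
down a folder tree (effective ACL = union of parent and child grants), nested
groups flattened to users, and fail-close handling of unreadable permissions.
Added example, not the Amazon Q Business connector's code; all names and data
below are constructed."""
from dataclasses import dataclass, field
from typing import Optional

# Assumption: every level named on the page (read-only, preview, edit) lets the
# user view the content, so all three grant read access in the derived ACL.
READ_GRANTING = {"read", "preview", "edit"}


@dataclass
class Item:
    """A folder or file. 'grants' maps principal -> permission level; None
    models a failed permission lookup (API error or access denied)."""
    name: str
    parent: Optional["Item"] = None
    grants: Optional[dict[str, str]] = field(default_factory=dict)
    is_folder: bool = False


def flatten_group(group: str, memberships: dict[str, set[str]], seen=None) -> set[str]:
    """Expand a group to its transitive set of user members. 'memberships' maps
    a group to its direct members (users or other groups); 'seen' guards
    against cycles in the group graph."""
    seen = set() if seen is None else seen
    seen.add(group)
    users: set[str] = set()
    for member in memberships.get(group, set()):
        if member in memberships:  # nested group
            if member not in seen:
                users |= flatten_group(member, memberships, seen)
        else:
            users.add(member)
    return users


def effective_acl(item: Item) -> set[str]:
    """Principals with read access: the union of the item's own grants and every
    ancestor's grants. Raises PermissionError if any level is unreadable."""
    principals: set[str] = set()
    node: Optional[Item] = item
    while node is not None:
        if node.grants is None:
            raise PermissionError(f"permissions unavailable for {node.name}")
        principals |= {p for p, level in node.grants.items() if level in READ_GRANTING}
        node = node.parent
    return principals


def build_index(files, memberships):
    """Fail-close ingestion: a file whose ACL cannot be fully resolved is
    skipped, never indexed as public. Returns (indexed, skipped); 'indexed'
    maps file name -> set of users allowed to see it."""
    indexed: dict[str, set[str]] = {}
    skipped: list[str] = []
    for f in files:
        try:
            principals = effective_acl(f)
        except PermissionError:
            skipped.append(f.name)
            continue
        users: set[str] = set()
        for p in principals:
            users |= flatten_group(p, memberships) if p in memberships else {p}
        indexed[f.name] = users
    return indexed, skipped


# Constructed sample tenant: a nested group and a small folder tree.
GROUPS = {
    "finance-all": {"alice", "finance-leads"},  # contains another group
    "finance-leads": {"bob"},
}
FINANCE = Item("Finance", grants={"finance-all": "read"}, is_folder=True)
Q3 = Item("Q3", FINANCE, {"carol": "edit"}, is_folder=True)
FILES = [
    Item("budget.xlsx", Q3),                    # inherits Finance and Q3 grants
    Item("memo.docx", FINANCE, {"dave": "preview"}),
    Item("broken.pdf", FINANCE, None),          # permission lookup failed
]


def demo():
    return build_index(FILES, GROUPS)


if __name__ == "__main__":
    indexed, skipped = demo()
    for name, users in indexed.items():
        print(f"{name}: {sorted(users)}")
    print("skipped (fail-close):", skipped)
```

The point to take from the model is the direction of the error: `broken.pdf` is left out of the index entirely rather than indexed with an empty (public) ACL, and `budget.xlsx` is visible to `carol` only because the union keeps the child grant alongside the inherited ones.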

# IAM role
<a name="onedrive-new-iam-role"></a>

If you use the AWS CLI or an AWS SDK, you must create an AWS Identity and Access Management (IAM) policy before you create an Amazon Q resource. When you call the [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) operation, you provide the Amazon Resource Name (ARN) of the role that has the policy attached.

If you use the AWS Management Console, you can create a new IAM role in the Amazon Q console or use an existing IAM role.

To learn more about IAM roles, see [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) in the *AWS Identity and Access Management User Guide*.

To connect your data source connector to Amazon Q, you must give Amazon Q an IAM role that has the following permissions:
+ Permission to access the `BatchPutDocument` and `BatchDeleteDocument` operations to ingest documents.
+ Permission to access the [User Store](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-principal-store.html) API operations to ingest user and group access control information from documents.
+ Permission to access your AWS Secrets Manager secret to authenticate your data source connector instance.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowsAmazonQToGetSecret",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": [
        "arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:{{secret_id}}"
      ]
    },
    {
      "Sid": "AllowsAmazonQToDecryptSecret",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:kms:{{region}}:{{account_id}}:key/{{key_id}}"
      ],
      "Condition": {
        "StringLike": {
          "kms:ViaService": [
            "secretsmanager.*.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "AllowsAmazonQToIngestDocuments",
      "Effect": "Allow",
      "Action": [
        "qbusiness:BatchPutDocument",
        "qbusiness:BatchDeleteDocument"
      ],
      "Resource": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}/index/{{index_id}}"
    },
    {
      "Sid": "AllowsAmazonQToCallPrincipalMappingAPIs",
      "Effect": "Allow",
      "Action": [
        "qbusiness:PutGroup",
        "qbusiness:CreateUser",
        "qbusiness:DeleteGroup",
        "qbusiness:UpdateUser",
        "qbusiness:ListGroups"
      ],
      "Resource": [
        "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}",
        "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}/index/{{index_id}}",
        "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}/index/{{index_id}}/data-source/*"
      ]
    }
  ]
}
```

**To allow Amazon Q to assume a role, you must also use the following trust policy:**

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowsAmazonQServicePrincipal",
      "Effect": "Allow",
      "Principal": {
        "Service": "qbusiness.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "{{source_account}}"
        },
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}"
        }
      }
    }
  ]
}
```
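The two conditions in the trust policy above are what stop an Amazon Q Business application in some other account from assuming the role (the confused-deputy problem). The following added example (not AWS tooling) is a lint check that reads a trust policy and reports whether the `aws:SourceAccount` and `aws:SourceArn` guards are present and pin the expected values; the `check_trust_policy` name, the account ID, region and application ID are constructed.

```python
"""Lint checks for a connector role's trust policy. Added example, not AWS
tooling. A statement that trusts qbusiness.amazonaws.com without
aws:SourceAccount and aws:SourceArn conditions can be assumed on behalf of an
Amazon Q Business application in any account (the confused-deputy problem); the
check reports exactly which of those guards is missing or points elsewhere.
Account ID, region and application ID are constructed placeholders."""
import copy
import json

SERVICE = "qbusiness.amazonaws.com"
EXPECTED_ACCOUNT = "111122223333"  # constructed
EXPECTED_APP_ARN = (  # constructed
    "arn:aws:qbusiness:us-east-1:111122223333:application/app-0000example"
)

# The trust policy from the page, with its {{placeholders}} filled in.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowsAmazonQServicePrincipal",
            "Effect": "Allow",
            "Principal": {"Service": SERVICE},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": EXPECTED_ACCOUNT},
                "ArnEquals": {"aws:SourceArn": EXPECTED_APP_ARN},
            },
        }
    ],
}

# Same policy with the Condition block dropped: what the check must flag.
WEAK_TRUST_POLICY = copy.deepcopy(TRUST_POLICY)
del WEAK_TRUST_POLICY["Statement"][0]["Condition"]


def _as_list(value):
    """IAM accepts a string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy, account: str, app_arn: str) -> list[str]:
    """Return findings for every Allow sts:AssumeRole statement that trusts the
    Amazon Q Business service principal. An empty list means the policy pins
    both the source account and the application ARN as expected. 'policy' may
    be a dict or a JSON string."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if SERVICE not in services:
            continue  # not a statement about the Amazon Q Business principal
        sid = stmt.get("Sid", "<no Sid>")
        cond = stmt.get("Condition", {})
        src_account = cond.get("StringEquals", {}).get("aws:SourceAccount")
        src_arn = (cond.get("ArnEquals", {}).get("aws:SourceArn")
                   or cond.get("ArnLike", {}).get("aws:SourceArn"))
        if src_account is None:
            findings.append(f"{sid}: missing aws:SourceAccount condition")
        elif account not in _as_list(src_account):
            findings.append(f"{sid}: aws:SourceAccount does not pin {account}")
        if src_arn is None:
            findings.append(f"{sid}: missing aws:SourceArn condition")
        elif app_arn not in _as_list(src_arn):
            findings.append(f"{sid}: aws:SourceArn does not pin {app_arn}")
    return findings


if __name__ == "__main__":
    print("page policy:", check_trust_policy(TRUST_POLICY, EXPECTED_ACCOUNT, EXPECTED_APP_ARN))
    print("no conditions:", check_trust_policy(WEAK_TRUST_POLICY, EXPECTED_ACCOUNT, EXPECTED_APP_ARN))
```

Run it against the role's actual trust policy document (for example the output of `aws iam get-role`) with your own account ID and application ARN; an `ArnLike` pattern that does not name the exact application ARN is reported as not pinning it, which is the strict reading you want for a single-application connector role.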

For more information on Amazon Q data source connector IAM roles, see [IAM roles for Amazon Q data source connectors](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/iam-roles.html#iam-roles-ds).