Microsoft 365 File Access — Setup Instructions

Prepared by OBB Holdings for Hundredfold's IT service.
Purpose: grant OBB's automation read/write access to the client documents stored in Hundredfold's Microsoft 365 (OneDrive / SharePoint), so our system can pull and update working files. One-time setup, ~15 minutes for an M365 administrator.

What we're asking for (plain version)

Our automation needs to read and write files in a specific place in your Microsoft 365. The standard, secure way to do that is to register an "app" in your Microsoft Entra ID (formerly Azure AD) and grant it scoped access to the Microsoft Graph API. You stay in full control: you choose exactly which location it can touch, you can revoke it anytime, and you hand us three values to connect.

This is separate from the email access we already use (sending as the support mailbox via device-code sign-in). If preferred, the file permissions below can be added to that same app registration instead of a new one — either works.

Step 0 — Decide where the client docs live

Recommended: a SharePoint document library (a shared team site). It's the cleanest home for shared client documents accessed by automation, and access can be locked to just that one site (see Sites.Selected below). Note the site URL.

Alternative: a specific user's OneDrive (e.g., a service/shared mailbox account). Works fine — just note that account's email. The setup steps are otherwise identical.

Step-by-step (Microsoft Entra admin center)

Register the app. Identity → Applications → App registrations → New registration. Name it e.g. "OBB ERC Automation". Supported account types: "Accounts in this organizational directory only" (single tenant). Click Register.
Copy two IDs. From the app's Overview page, record the Application (client) ID and the Directory (tenant) ID.
Create a client secret. Certificates & secrets → Client secrets → New client secret. Description "OBB automation", expiry 24 months. Copy the secret VALUE immediately — it is shown only once.
Add the Graph permission. API permissions → Add a permission → Microsoft Graph → Application permissions. Add one of:
- Sites.Selected — recommended. Least-privilege: the app can touch only the specific site(s) you explicitly grant (Step 5).
- Files.ReadWrite.All — simpler, but grants access to all OneDrive/SharePoint files in the tenant. Use only if your security posture allows.
Grant admin consent. On the API permissions page click "Grant admin consent for [your org]" (requires a Global Administrator). The permission should then show a green "Granted" check.
(Only if you chose Sites.Selected) Grant the app access to the one site. This is a single Graph call your admin runs once (Graph Explorer or PowerShell) granting the app write on the target site. OBB can supply the exact command — just tell us the site URL and we'll send it ready to paste.

Step 7 — Hand back to OBB (securely). Send these four items via a password-manager share or other secure channel (not plain email or chat):

Directory (tenant) ID
Application (client) ID
Client secret value
The location — SharePoint site URL, or the OneDrive account's email

Security notes

Sites.Selected is least-privilege — the app can only reach the one site you designate, nothing else in your tenant. We recommend it over the broader option.
You stay in control — revoke anytime by deleting the app registration or removing the site grant.
Secret handling — tell us the expiry date; we track it and will request rotation before it lapses. We store the secret encrypted and never expose it.

Questions during setup can come back through Ryan to OBB. Prepared 2026-05-28 by OBB Holdings.