OneDrive Indexing API
Captain indexes OneDrive for Business through Microsoft’s Graph API. There is no per-user OAuth flow and no user passwords involved: your Microsoft 365 admin registers an app once, and Captain uses that app’s credentials to read a single file, a folder (recursively), or a user’s whole drive. You name the user on each request.
To index SharePoint sites instead, see the
SharePoint Indexing API guide.
The endpoints and permissions are separate by design: OneDrive access
requires the broader
Files.Read.All permission, so a tenant that only wants to expose one
SharePoint site never has to grant it.
What your IT admin provides
Three values, all from a one-time App Registration in Microsoft Entra ID:
Plus the email (user principal name) of the OneDrive user to index, e.g.
analyst@yourco.com.
One-time setup
Every step below is done by someone with admin rights in your Microsoft 365 tenant. It takes about 10 minutes and is done once. After that, indexing is a plain API call. If you already created an App Registration for SharePoint indexing, reuse it and just add the permission in Step 2.
Step 1: Create an App Registration and client secret
- Sign in at entra.microsoft.com (or the Azure portal) and go to Identity → Applications → App registrations.
- Click New registration. Name the app (for example
captain-indexing), leave every default as is, and click Register. - On the app’s Overview page, copy two values: the Application (client) ID and the Directory (tenant) ID.
- Go to Certificates & secrets and click New client secret. Pick an expiry and click Add.
- Copy the secret’s Value right away; it is shown only once. This is
the
client_secretyou’ll send to Captain. Keep it secret.
Step 2: Grant the Files.Read.All permission and admin consent
- On the app’s API permissions page, click Add a permission and choose Microsoft Graph.
- Choose Application permissions, not Delegated. Application permissions are what let Captain run headlessly, with no signed-in user.
- Add
Files.Read.All. OneDrive requires it; the site-scopedSites.Selectedpermission does not cover user OneDrives. - Click Grant admin consent for <your org> on the same page.
Indexing
All three endpoints take the same auth fields plus the user’s email, and differ only in scope.
A user’s whole OneDrive
A folder (recursively)
folder_id is the folder’s Graph driveItem ID. Subfolders are indexed too.
A single file
item_id is the file’s Graph driveItem ID.
Every response is { "job_id": "...", "status": "pending" }. Poll
GET /v2/collections/{name}/jobs/{job_id} for progress, then query the
collection with POST /v2/collections/{name}/query.
What gets indexed
- Documents (PDF, DOCX, XLSX, PPTX, CSV, TXT, images, etc.): OneDrive stores files in their native formats, so everything downloads and processes directly. No export step.
- Skipped: OneNote notebooks and any file the app can’t access (logged and skipped; the job continues).
Troubleshooting
Security notes
- Grants are read-only. Captain never writes to or deletes from OneDrive.
Files.Read.Allcovers files tenant-wide, so treat the app’s credentials accordingly. If you only need SharePoint content, use the SharePoint guide withSites.Selectedinstead and skip this permission entirely.- The client secret is a credential: treat it like a password. Revoke it any time under Certificates & secrets, or kill all access by deleting the App Registration.
- Captain uses the secret only to mint short-lived tokens per job; nothing durable is stored beyond the request.
- Every read appears in your Microsoft 365 audit logs, attributed to the app.