Microsoft OneDrive
The Microsoft OneDrive connector gives AI agents the ability to browse, read, upload, move, copy, and share files in OneDrive — all through the Microsoft Graph API using OAuth 2.0. Your credentials are stored encrypted in MCPGate's vault and are never exposed to the AI client.
Required scopes#
MCPGate requests the following Microsoft Graph OAuth scopes when you connect a OneDrive account. All scopes are requested up front so you don't need to re-authorise when enabling additional tools.
| Scope | Purpose |
|---|---|
| Files.Read.All | Read files and folders including shared items |
| Files.ReadWrite.All | Upload, move, copy, and delete files |
| Sites.Read.All | Read SharePoint sites for file access |
Tool reference#
The OneDrive connector exposes 12 tools: 5 read, 6 write, and 1 delete. Use the MCP Apps page to enable or disable individual tools per app, and the Guardrails page to add fine-grained rules on top.
| Tool | Category | Description |
|---|---|---|
| onedrive_list_files | read | List files and folders in a OneDrive directory |
| onedrive_get_file | read | Get metadata for a specific file or folder by ID |
| onedrive_read_file | read | Read the content of a file from OneDrive |
| onedrive_search | read | Search for files and folders in OneDrive |
| onedrive_get_share_link | read | Get a sharing link for a file or folder |
| onedrive_upload_file | write | Upload a file to OneDrive |
| onedrive_create_folder | write | Create a new folder in OneDrive |
| onedrive_move_file | write | Move a file or folder to a different location in OneDrive |
| onedrive_copy_file | write | Copy a file or folder to a different location in OneDrive |
| onedrive_share_file | write | Share a file or folder with specific users or groups |
| onedrive_revoke_access | write | Revoke a sharing permission from a file or folder |
| onedrive_delete_file | delete | Delete a file or folder from OneDrive |
Delete is permanent
onedrive_delete_filemoves the item to the OneDrive Recycle Bin. Items in the Recycle Bin are auto-purged after 93 days by Microsoft, or can be emptied manually. Always deny this tool in apps that don't require deletion.Common guardrail recipes#
Read-only access#
Enable only the five read tools and deny all write and delete tools. This is ideal for agents that index documents, search for files, or generate reports without modifying any content in the user's OneDrive.
Contribute preset#
Enable read tools plus onedrive_upload_file, onedrive_create_folder, onedrive_move_file, and onedrive_copy_file. Deny onedrive_share_file, onedrive_revoke_access, and onedrive_delete_file. This lets the agent organise and add files without touching sharing permissions or deleting anything.
Restrict to a folder#
Apply the allow_values template to all write tools targeting the folder_path or destination_id field. Provide a specific folder path so the agent can only write within an approved directory.
Troubleshooting#
- 403 on shared files — Shared files owned by others require the
Files.Read.Allscope rather thanFiles.Read. Reconnect to trigger a fresh consent screen with the broader scope. - Large file uploads time out —
onedrive_upload_fileuses the simple upload API, which is suited for files up to 4 MB. For larger files, use the resumable upload API directly via the Microsoft Graph endpoint. - Move fails with item not found — Ensure the destination folder ID is correct. Moving across drives (e.g. personal to SharePoint) is not supported by the simple move endpoint.